Archive for March 2006


Security isn't convenient..

When I commented on the WMF issue, I said that Microsoft's patching procedure, Patch Tuesday, is essentially flawed. I can say that again now, as the current "zero day" (or more like "ten day") exploits are targeting Internet Explorer on the internet. I like Microsoft's attempt to blog about the issue, but sadly enough, I feel that their reasoning has huge flaws. Here's what they say about the upcoming release of a patch for the vulnerability:

Right now, the update is on schedule testing wise to be released (meeting the quality goals customers have asked for) as part of the April security updates on April 11, 2006. But as I said, we're actively keeping an eye on any attempts to utilize this in an attack. We'll release it sooner if warranted.

Ok, so they are actively "keeping an eye" out for attacks, which basically means that they are looking for automated, widespread attacks. What about targeted ones? Do they not understand how easy it would be to use this vulnerability in a targeted scam? Just send a carefully crafted e-mail with a link to an external web page and anyone would go for it; it is just a matter of how much effort is put into crafting the mail (researching the receiver to find out what a relevant mail looks like for that person). A targeted attack of that kind is exactly what "keeping an eye" on things will not catch. Withholding the patch and claiming it isn't necessary due to the lack of active attacks is like claiming there is no need for laws against murder because there isn't currently a lot of mass murdering going on. They counter this by saying:

I want to caution everyone that they should take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code.

Do they understand what a difficult task that is for a network of 100 to 10,000 hosts and users? Impossible..

Microsoft's patching procedure is the result of administrators wanting an easier job. Little about "Patch Tuesday" benefits security; it is built to counter the attacks that are "convenient" to counter. The only way to counter the full range of attacks is to release patches promptly, or alternatively to release detailed information about the vulnerability so that, for instance, an IPS can be used to block the attacks while they traverse the network. But of course, this isn't Microsoft's "way to do it" either..

Jesus..