Sometimes it’s better if software patches don’t come out too quickly

When Microsoft issued its regular round of Patch Tuesday updates earlier this month, not everybody was happy.

Some PowerPoint users, for instance, found that a fix designed to make PowerPoint 2013 more stable was actually causing more problems than it aimed to solve - with PowerPoint failing to open after the update was installed.

Ppt error

Affected users were greeted with the following fatal message:

POWERPNT.EXE – Bad Image
C:\Program Files\Microsoft Office\Office15\1033\PPINTL.DLL is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Error status 0xc0000428.

By the end of last week, Microsoft had withdrawn the KB2920732 patch and advised users to wait for a fixed version to be released while the problem was investigated.

Shortly after the release of KB2920732, Microsoft became aware of an issue affecting users of PowerPoint 2013 on Windows RT devices. We have removed KB2920732 from the Microsoft Download Center and Microsoft Update and will provide a new update as soon as a fix is available.”

Fortunately, Microsoft worked hard to push out a fixed version of the update (KB2956149), which saw the light of day earlier this week.

This, and other buggy updates in the last nine months or so, have raised concerns about the quality of patches coming out of Redmond.

But rather than beat up Microsoft over the PowerPoint crash (which must surely have inconvenienced some users desperate to fiddle with their presentation slides), we should ask ourselves if we are adding to the pain of problematical patches by demanding too much from our software vendors. Are we expecting them to fix flaws too quickly, without fully accepting the risks that a rushed patch might bring.

After all, the PowerPoint patch was originally intended to make slide animations more stable. Surely we could have coped without smoothly dancing paperclips crossing our screen for a few weeks longer, if it meant that the next version of PowerPoint would at least start up.

And it’s not just users who are applying pressure on software manufacturers to rush out fixes speedily. Technology competitors and the media are also putting weight on the likes of Microsoft to come out with patches, without necessarily understanding the complexity of fixing an issue, or the myriad of ways that a patch could go wrong if there isn’t time to thoroughly test it.

An obvious example, recently discussed on the Optimal Security blog, is Google - which has been making headlines for itself by discovering Microsoft software flaws and threatening to make them public for anybody to exploit within 90 days.

Of course, it is Microsoft’s responsibility to put out patches which work. And it clearly failed in the case of the initial PowerPoint patch this month.

But it’s also the responsibility of the rest of us to realise that patching complex software products is, by its very nature, complicated. It’s not something that can be rushed, and testing can be a gruelling, arduous and time-consuming process.

If we want more secure, better-working software we need to understand that the software vendors need to be given the time, space and resources to make them to that high standard. If we create an environment where there are hard limits on how long a software house needs to fix a bug, we only end up with weaker, poorer-tested software. And it will be the fault of all of us.

This article originally appeared on the Optimal Security blog.

Tags: , , ,

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, , ,

No comments yet.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.