Brave New World of Security Vulnerabilities and Public Relations Responses to a Crisis

There is a new and significant security problem in the wild with Microsoft Internet Explorer.  I am not writing about the security of it, rather the timeline and the public relations and crisis communications response.

The first indication was NOT from someone in the Microsoft communications group, rather it was their well-known blogger Scoble.  From his blog on December 28, 2005:

Microsoft customer warning: Bad exploit in Windows

It’s interesting, I was just talking with Hitachi’s blogger and CTO about what to do in a crisis. Here’s one thing. Warn your customers. That’s what I’m doing here. We’re seeing a bad exploit being reported on blogs and other places.

and

Update: the Security Response Center is working on this. They have a blog, but haven’t posted about this issue yet.

So late last night, December 28th, I get my SANS email security alert.  (SANS is a must in the security community – your government does some things that really do help)

—–Original Message—–
From: US-CERT Technical Alerts [mailto:technical-alerts@us-cert.gov]
Sent: Wednesday, December 28, 2005 7:38 PM
To: technical-alerts@us-cert.gov
Subject: US-CERT Technical Cyber Security Alert TA05-362A — Microsoft Windows Metafile Handling Buffer Overflow

—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA1

Microsoft Windows Metafile Handling Buffer Overflow
http://www.us-cert.gov/cas/techalerts/TA05-362A.html

Just to check, I went to what I consider to be the logical place for a security update, which is http://windowsupdate.microsoft.com/, and there is no update (OK, they are still working on it, I guess), but most surprising is there is NO MENTION OF THE SECURITY PROBLEM.

The BAD news.  The main corporation is not reacting quickly or logically enough, and the government was slower than a blogger in issuing a relevant security alert.  Note that the screenshot doesn't just say "nothing found"; it doesn't even hint at impending doom if I don't come back soon.

The GOOD news, the GREAT news is that Scoble works for Microsoft.  He didn’t have to ask permission, he just did the right thing and notified thousands of a potential security problem with his company’s products.  He acted with good crisis communication skills and he did it as part of the Internet conversation.  No big brother required.  This is a net positive for Microsoft in my book from a PR perspective, assuming they fix it in a timely manner.