There is a new and significant security problem in the wild with Microsoft Internet Explorer. I am not writing about the security of it, but rather about the timeline and the public relations and crisis communications response.
It’s interesting: I was just talking with Hitachi’s blogger and CTO about what to do in a crisis. Here’s one thing. Warn your customers. That’s what I’m doing here. We’re seeing a bad exploit being reported on blogs and other places.
Update: the Security Response Center is working on this. They have a blog, but haven’t posted about this issue yet.
So late last night, December 28th, I got my SANS email security alert. (SANS is a must in the security community – your government does some things that really do help.)
From: US-CERT Technical Alerts [mailto:firstname.lastname@example.org]
Sent: Wednesday, December 28, 2005 7:38 PM
Subject: US-CERT Technical Cyber Security Alert TA05-362A — Microsoft Windows Metafile Handling Buffer Overflow
-----BEGIN PGP SIGNED MESSAGE-----
Just to check, I went to what I consider the logical place for a security update, http://windowsupdate.microsoft.com/, and there is no update (OK, they are still working on it, I guess), but most surprising is that there is NO MENTION OF THE SECURITY PROBLEM.
The BAD news: the main corporation is not reacting quickly or logically enough, and the government was slower than a blogger in issuing a relevant security alert. Note that the screen shot doesn’t just say "nothing found"; it doesn’t even hint at impending doom if I don’t come back soon.
The GOOD news, the GREAT news, is that Scoble works for Microsoft. He didn’t have to ask permission; he just did the right thing and notified thousands of people of a potential security problem with his company’s products. He acted with good crisis communication skills, and he did it as part of the Internet conversation. No big brother required. This is a net positive for Microsoft in my book from a PR perspective, assuming they fix it in a timely manner.