SANS jumps the shark

This rant from Tom Liston at SANS is disgraceful to see on a serious security site. You got problems with Microsoft’s decision? Make your case. Give your readers some evidence. Get angry if you want. But juvenile satire that ignores the business realities of the situation is just stupid, and it’s double-plus-stupid when the rant is completely free of facts or analysis.

My collective opinion of SANS has dropped severely.

4 thoughts on “SANS jumps the shark”

  1. While the Tom Liston rant may be dripping with satire, many security professionals believe that Microsoft was asleep at the wheel with this vulnerability. With zero-day exploits out there, one would expect someone with the resources of Microsoft might be able to give a better answer than removing one vector of attack while the underlying cause of the problem, GDI32.dll, is still vulnerable. If you read Steve Gibson’s site today (www.grc.com), Microsoft may already have a patch available (and hopefully have tested) that solves the underlying issue (like the 3rd-party patch of Ilfak Guilfanov) on December 28. Can they not publish an out-of-cycle patch to resolve this issue, or should they continue to string us on about only fixing the vector disclosed (irresponsibly in my opinion) at the end of December?

    Microsoft has to improve their security track record if they want us to believe that they are taking it seriously.

  2. While his style was certainly sarcastic, his point was made. Microsoft can’t sit on its thumbs while their customers are at risk. Security should come before PR. Hmmmm, wonder how many days after CES the official patch will be released.

  3. Bear in mind that when popular open source (such as Firefox) vulnerabilities have been exposed, there were patches available in about 48 to 72 hours. It’s been more than a week since the WMF vulnerability was exposed. The problem is pretty well known by now, and it’s telling that users themselves have managed to generate a fix before Microsoft has.

    Yet, Microsoft has not yet issued a patch. Given that this was a Zero-Day exploit, I can’t expect them to be instantaneous about this. Yet, every day they spend on this is another day for yet another creative attack by virus writers. They ought to release an emergency patch right now while the threat is light. Waiting until the next patch cycle is irresponsible.

    Tom Liston didn’t sugarcoat this. Neither would I. And in my not so humble opinion, neither should you.

  4. AB3A,

    I addressed your comment in a new post.

    As for Liston’s remarks, my complaint is that there was no substance. It was pure vitriol and lame satire, completely free of content. Satire is much more effective as a spice than as a main course.
