Sometimes it’s better if software patches don’t come out too quickly

Graham Cluley

When Microsoft issued its regular round of Patch Tuesday updates earlier this month, not everybody was happy.

Some PowerPoint users, for instance, found that a fix designed to make PowerPoint 2013 more stable was actually causing more problems than it aimed to solve – with PowerPoint failing to open after the update was installed.


Affected users were greeted with the following fatal message:


POWERPNT.EXE – Bad Image
C:\Program Files\Microsoft Office\Office15\1033\PPINTL.DLL is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Error status 0xc0000428.

By the end of last week, Microsoft had withdrawn the KB2920732 patch and advised users to wait for a fixed version to be released while the problem was investigated.

“Shortly after the release of KB2920732, Microsoft became aware of an issue affecting users of PowerPoint 2013 on Windows RT devices. We have removed KB2920732 from the Microsoft Download Center and Microsoft Update and will provide a new update as soon as a fix is available.”

Fortunately, Microsoft worked hard to push out a fixed version of the update (KB2956149), which saw the light of day earlier this week.

This, and other buggy updates in the last nine months or so, have raised concerns about the quality of patches coming out of Redmond.

But rather than beat up Microsoft over the PowerPoint crash (which must surely have inconvenienced some users desperate to fiddle with their presentation slides), we should ask ourselves whether we are adding to the pain of problematic patches by demanding too much from our software vendors. Are we expecting them to fix flaws too quickly, without fully accepting the risks that a rushed patch might bring?

After all, the PowerPoint patch was originally intended to make slide animations more stable. Surely we could have coped without smoothly dancing paperclips crossing our screen for a few weeks longer, if it meant that the next version of PowerPoint would at least start up.

And it’s not just users who are applying pressure on software manufacturers to rush out fixes speedily. Technology competitors and the media are also putting weight on the likes of Microsoft to come out with patches, without necessarily understanding the complexity of fixing an issue, or the myriad of ways that a patch could go wrong if there isn’t time to thoroughly test it.

An obvious example, recently discussed on the Optimal Security blog, is Google – which has been making headlines for itself by discovering Microsoft software flaws and threatening to make them public for anybody to exploit within 90 days.

Of course, it is Microsoft’s responsibility to put out patches which work. And it clearly failed in the case of the initial PowerPoint patch this month.

But it’s also the responsibility of the rest of us to realise that patching complex software products is, by its very nature, complicated. It’s not something that can be rushed, and testing can be a gruelling, arduous and time-consuming process.

If we want more secure, better-working software, we need to understand that software vendors must be given the time, space and resources to build it to that high standard. If we create an environment with hard limits on how long a software house has to fix a bug, we only end up with weaker, more poorly tested software. And it will be the fault of all of us.

This article originally appeared on the Optimal Security blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
