updated 11:05 am EDT, Fri May 15, 2009
Mac PowerPoint fix delay
Microsoft has drawn criticism over the timing of a new security patch for the company's PowerPoint presentation software. Windows users can now download update MS09-017, which addresses a zero-day vulnerability known to have been used in real-world attacks. The patch is also said to reduce the vulnerability of Office and PowerPoint in general by removing a mostly irrelevant PowerPoint 4 converter. The creation of PowerPoint 4 files has not been supported since Office XP.
Complaints stem from a Microsoft announcement that, even though the Mac version of PowerPoint contains the same vulnerability as the Windows software, the company will not provide an equivalent update until June because testing is still ongoing. Microsoft explains that it decided to release the Windows update early because of the larger affected audience and the current absence of Mac compatibility in public exploits.
Some security analysts argue that by exposing the Mac vulnerability without fixing it, the company has violated its own policy of "responsible disclosure," which calls for security holes to be kept hidden indefinitely until a patch is released. Hackers could reverse-engineer the Windows update to attack Macs, claims SANS Institute's Swa Frantzen. Support for Microsoft has come from the likes of nCircle security director Andrew Storms, however, who notes that sample exploit code has been available for a month, and yet has not been used in spite of being a simpler means of writing Mac malware.