The Blaster School of Hard Knocks

Mary Jo Foley

Microsoft learned a lot from the Blaster worm that blasted onto the scene last month. But it could have learned more.

Thanks to Blaster, the Redmond software giant has come to realize:

It needed to make its emergency communications with its customers simpler and quicker. The recently rolled-out 1-2-3 Protect Your PC campaign shows Microsoft learned this lesson quite well — and quickly, to boot.

Security is a customer-satisfaction issue. Microsoft understands its current and future users might be less-than-thrilled to be approached with a sales pitch if their Blaster pain isn’t thoroughly acknowledged. The company has cautioned its sales force and partners to lead with an acknowledgement that Blaster has wreaked havoc on customers’ businesses before pitching them on new business.

There’s nothing wrong with saying you are sorry (even if you don’t really believe something is your fault). Right after the Blaster attack, Redmond held a series of conference calls with key customers. (It even published the transcript of one of them.) The key message: We are sorry that Blaster blasted you. And we are pulling out all the stops to make sure this doesn’t happen again.

Making Windows and other key infrastructure software more secure is Priority No. 1. No exceptions. It matters more to users than getting their hands on a Longhorn beta, receiving a sneak peek of a Motorola Smartphone, or being granted another round of Software Assurance licensing concessions. Accordingly, Redmond seems to be accelerating its schedule for patching its software-patching mechanisms as a key first step.

But school’s not out for Microsoft on Blaster. There are a few lessons that Redmond seemingly hasn’t taken to heart.

For one, PSS needs a better emergency plan. Microsoft Product Support Services (PSS) officials have devised an emergency security plan for virulent viruses, worms and other kinds of attacks. And, at least publicly, the PSS execs are claiming it worked well in the case of Blaster.

But our sources tell us that during the first two days that Blaster hit, XP support queues had more than 800 calls waiting at any one time. Based on the queue backlog, more than 40,000 calls for help were placed to PSS the first two days Blaster hit, our sources estimate. (Microsoft won’t comment on these figures.)

On the toll-free support line during the first week Blaster hit, users were waiting an average of an hour-and-a-half to reach a PSS rep. There were such long wait times and backlogs that the Windows client group had to seek out volunteers among the Windows development and test teams to help offload the PSS folks.

Secondly, Microsoft needs to take its own patching medicine. I have it on pretty good authority that even though Microsoft made the security patch that could have headed off Blaster available weeks before the worm hit, it didn’t patch all of its own servers inside the company. I’ve heard 47 servers running Microsoft’s Passport Internet-authentication software had to be taken down on August 12 (day two of Blaster) for “emergency maintenance.”

You may recall that Microsoft failed to patch a number of its own servers against the SQL Server Slammer worm back in January, exacerbating the effects of the attack. Wasn’t once enough?

What’s your take? Is Redmond finally on the right course, in terms of getting its patching story in order? Or are there other lessons Microsoft needs to learn before it can do right by its customers on the security front?

Write me at mswatch@ziffdavis.com and let me know what you think.

Copyright © 2004 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in Microsoft Watch.