Furore over Microsoft faulty late patch scandal!!!
By Pat Gray
I wish I could justifiably write that headline, but things are not always what they seem. Let me explain:
We're used to vendors copping a royal spanking when they dawdle when preparing patches. So when I interviewed Paul Craig of Security-Assessment.com for my weekly podcast and this story in the Sydney Morning Herald and Age newspapers, I was somewhat surprised that he remained as cool as a cucumber despite Microsoft taking nine months to produce a fix for a raft of .NET vulnerabilities he uncovered in October last year.
It is an odd set of circumstances. Craig had discovered logic flaws in the framework itself which required remediation, and that takes time. The gang at Redmond slaved away for nine months, making sure their changes wouldn't break APIs, apps and ISV code.
That didn't stop a few people having a go. Take this from Computerworld:
Steps have finally been taken by Microsoft to protect millions of exposed networks vulnerable to a .Net exploit that was first discovered nine months ago.
During that time many customers were not only left in the dark, but left dangerously exposed by the vulnerability which was a null byte exploit.
The company has tried to patch the exploit since its discovery by analyst group Security-Assessment.com last October, and has kept mum on the flaw which was uncovered in the US this week as a result of Patch Tuesday.
You can't blame CW for taking the shot -- Microsoft is an easy target, and I'll let you in on a little secret: The big bad media doesn't mind tickling the outrage bone every now and then. It's good for business.
Despite Microsoft taking nine months to patch this thing, there were problems reported with the security fix in online forums like Slashdot.org over the weekend. So even after the wait, there were still hassles. There didn't seem to be any direct reports of blue/black screen of death type dramas, but nonetheless it wasn't a perfect fix.
So do we bash MS now the patch was found to be buggy? Or do we recognise that no other major software vendor takes security as seriously as the Redmondites and cut them some slack?
Well, the people I interviewed for the SMAGE piece cut them some slack, as did others I spoke to, so I guess they're off the hook this time. There seems to be a recognition in the nerdosphere that patching core OS security issues -- not just simple buffer overflows -- is a monumental task worth spending some time on, even if you can't get it 100% right. If they had spent nine months patching up a buffer overflow in Internet Explorer, that would have been a different matter entirely.
I miss the days when you could take endless cheap shots at MS for its appalling approach to security -- it was an easy source of popular stories.
That said, it could still drop the ball in a spectacular way some time soon, but sadly for the controversy-craving media tits like me, it didn't happen last week. I guess we just have to wait for a worm that exploits five 0day bugs before MS gets a well-deserved spanking.
1 comment
Re: how long it took MS to respond, you were the only guy that interviewed us who asked our opinion on that... reason why us SA dudes rate you as a security journo!
It makes a good story to think that MS took that long on a critical vulnerability but the reality is that the fix was complex as we alluded to.
Regards
DD
CEO SA Asia Pacific
Patrick Gray is an IT security expert, so we can't show you his face for your own protection. Each week he delves into technology's dark underbelly to see what lurks in the shadows.