New Windows flaw raises fresh doubts about Microsoft security
The latest vulnerability affects Windows Server 2003
July 18, 2003 12:00 PM ETComputerworld -
Users this week reacted with a mixture of concern and resignation to the discovery of a critical flaw in almost all versions of Microsoft Corp.'s Windows software, including the Windows Server 2003 operating system.
The vulnerability exists in a communication protocol that deals with message exchange over TCP/IP (see story). It allows attackers to take over a victim's system and install malicious code; view, modify or delete data; or create new user accounts.
"It is probably the most serious vulnerability that we have seen from Microsoft in the past 12 to 18 months," said Chris Rouland, director of Internet Security Systems Inc. in Atlanta.
The flaw -- word of which followed the announcement of another major Windows vulnerability only a week before (see story) -- highlights the continuing challenge that users face in securing Microsoft software, said Scott Loach, senior information security engineer at Raymond James Financial Inc., a financial services firm in St. Petersburg, Fla.
Raymond James had just completed patching 500 Windows servers against the previous flaw and is now scrambling to protect its systems against the new vulnerability. The frequency with which such patching is needed has prompted the company to consider automated patching technology, Loach said.
"We've had endless meetings with Microsoft about the state of their security and the way these patches come out and the trouble it causes us," Loach said. "It's just what you have to live with" when dealing with Microsoft, he added.
The flaw discovered this week "is the latest in a seemingly never-ending stream of issues that afflict [Microsoft] products," said Bruce Azuma, corporate director of information technologies at Wilbert Inc., a Broadview, Ill.-based company in the funeral services and industrial plastics businesses. "As a medium-sized business user of Microsoft, I am growing more and more concerned with Microsoft's ability to release stable, secure products."
Such flaws also raise questions about the efficacy of Microsoft's Trustworthy Computing initiative, said John Cowan, corporate IT director at Caldwell Industries Inc., a Louisville, Ky.-based injection molding manufacturer.
"On a scale of 1 to 10, I would give [the initiative] a 3," Cowan said. "I don't know what the problem is, but it doesn't look like they have been able to lock down their software like they said they would."
Discovery of the flaw "cracked the bubble" around Windows Server 2003 security and will force Microsoft to redouble its efforts to find out what went wrong, said Pete Lindstrom, an analyst at Spire Group, a consultancy in Malvern, Pa. But it would be premature
Security
Additional Resources



White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
