Latest Vulnerability Includes Windows Server 2003

Computerworld - Users last week reacted with a mixture of concern and resignation to the discovery of a critical flaw in almost all versions of Microsoft Corp.'s Windows software, including the Windows Server 2003 operating system.

The vulnerability exists in a communication protocol that deals with message exchange over TCP/IP. It allows attackers to take over a victim's system and install malicious code; view, modify or delete data; or create new user accounts.

"It is probably the most serious vulnerability that we have seen from Microsoft in the past 12 to 18 months," said Chris Rouland, director of Internet Security Systems Inc. in Atlanta.

The flaw—word of which followed the announcement of another major Windows vulnerability only a week before —highlights the continuing challenge that users face in securing Microsoft software, said Scott Loach, senior information security engineer at Raymond James Financial Inc., a financial services firm in St. Petersburg, Fla.

Raymond James had just completed patching 500 Windows servers against the previous flaw and is now scrambling to protect its systems against the new vulnerability.

The frequency with which such patching is needed has prompted the company to consider automated patching technology, Loach said.

"We've had endless meetings with Microsoft about the state of their security and the way these patches come out and the trouble it causes us," Loach said. "It's just what you have to live with" when dealing with Microsoft, he added.

The flaw discovered last week "is the latest in a seemingly never-ending stream of issues that afflict [Microsoft] products," said Bruce Azuma, corporate director of information technologies at Wilbert Inc., a Broadview, Ill.-based company in the funeral services and industrial plastics businesses. "As a medium-size business user of Microsoft, I am growing more and more concerned with Microsoft's ability to release stable, secure products."

Such flaws also raise questions about the efficacy of Microsoft's Trustworthy Computing initiative, said John Cowan, corporate IT director at Caldwell Industries Inc., a Louisville, Ky.-based injection molding manufacturer.

"On a scale of 1 to 10, I would give [Trustworthy Computing] a 3," Cowan said. "I don't know what the problem is, but it doesn't look like they have been able to lock down their software like they said they would."

Discovery of the flaw "cracked the bubble" around Windows Server 2003 security and will force Microsoft to redouble its efforts to find out what went wrong, said Pete Lindstrom, an analyst at The Spire Group, a consultancy in Malvern, Pa.. But it would be premature to see it as a sign of broader security problems in Windows Server 2003, he cautioned. "I would be embarrassed for anyone who jumps to that conclusion," he said.