Latest Microsoft patches draw user ire
Computerworld - Microsoft Corp.'s release Tuesday of three critical patches to fix 20 flaws in various Windows products (see story) drew flak from users who expressed frustration at the company's continuing problems with security.
In one of its biggest monthly patch releases to date, Microsoft issued updates aimed at closing several major holes in products ranging from Windows NT 4.0 to the 64-bit edition of Windows Server 2003. Also affected were several versions of its Outlook Express e-mail program.
One of the patches fixed 14 separate vulnerabilities; another fixed four.
"We are extremely concerned by the high amount of vulnerabilities and patches from Microsoft. This goes against the credibility of what they have been saying," said Michael Kamens, global security director at Thermo Electron Corp., a $2 billion manufacturer of scientific equipment in Waltham, Mass.
The fact that even a new product such as Windows Server 2003 has problems "brings no great joy to our hearts," said Kamens, who had to patch over 4,000 Windows systems this week.
Among the flaws considered particularly dangerous was a buffer-overrun vulnerability in a user-authentication function called Local Security Authority Subsystem Service. Hackers who successfully exploited the flaw could take complete control of compromised systems.
A buffer-overrun flaw relating to a component used to secure communications between servers and clients on public networks was another critical risk for the same reason.
What do you think? Post your opinion in our discussion forum on this story.
Both flaws present "high-value targets" for hackers because they involve security and authentication components in Windows, said Neel Mehta, a research engineer at Internet Security Systems Inc. in Atlanta.
"I expect [the flaws] to be exploited in a very short time," Mehta said.
Southern Regional Health System in Riverdale, Ga., had to patch nearly 100 Windows NT and Windows 2000 servers this week.
"These announcements are becoming more like the Chicken Little [story]" said Reid Burch, the health care organization's network services manager. "I'm not saying that we're ignoring the patches. But it has become comical that these patches are released so frequently," he said. Since the hospital has to run patient care applications 24 hours a day, seven days a week, the task of patching systems is very difficult, Burch added.
Fenwick & West LLP had to allocate three IT workers to patching duties this week, and by yesterday, all three were working overtime, said Matt Kesner, the Mountain View, Calif.-based law firm's chief technology officer.
Even so, the law firm was having problems getting the patches installed, with some machines requiring multiple attempts and 12 PCs needing to be completely reformatted to accept the patches.
"Despite the fact that Microsoft has made this huge commitment to security, they are not saying why these vulnerabilities are showing up and what exactly they are doing to research and patch them," Kesner said. There are also questions about how long Microsoft might have known about these vulnerabilities before patches became available, he said.
"There are more questions asked than answered when such a large update is released," said Robert Bagamery, a systems support specialist at a large Canadian utility that he asked not be named.
"I wonder what they've broken with the fix," Bagamery said. "I wonder how many more there are, and how many they know about but aren't talking [about]."
Microsoft didn't respond to specific user complaints. But Stephen Toulouse, security program manager at Microsoft's Security Response Center, said the company's decision to address so many flaws with a few large patches was driven by practical considerations.
"When we see the opportunity to ship one set of files that contain multiple fixes, we really attempt to do that" instead of shipping separate fixes, he said.
The approach makes it easier for users to apply the patches, Toulouse added. "It was the best solution for our customers," he said.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts