Latest Microsoft patches draw user ire
Computerworld - Microsoft Corp.'s release Tuesday of three critical patches to fix 20 flaws in various Windows products (see story) drew flak from users who expressed frustration at the company's continuing problems with security.
In one of its biggest monthly patch releases to date, Microsoft issued updates aimed at closing several major holes in products ranging from Windows NT 4.0 to the 64-bit edition of Windows Server 2003. Also affected were several versions of its Outlook Express e-mail program.
One of the patches fixed 14 separate vulnerabilities; another fixed four.
"We are extremely concerned by the high amount of vulnerabilities and patches from Microsoft. This goes against the credibility of what they have been saying," said Michael Kamens, global security director at Thermo Electron Corp., a $2 billion manufacturer of scientific equipment in Waltham, Mass.
The fact that even a new product such as Windows Server 2003 has problems "brings no great joy to our hearts," said Kamens, who had to patch over 4,000 Windows systems this week.
Among the flaws considered particularly dangerous was a buffer-overrun vulnerability in a user-authentication function called Local Security Authority Subsystem Service. Hackers who successfully exploited the flaw could take complete control of compromised systems.
A buffer-overrun flaw relating to a component used to secure communications between servers and clients on public networks was another critical risk for the same reason.
What do you think? Post your opinion in our discussion forum on this story.
Both flaws present "high-value targets" for hackers because they involve security and authentication components in Windows, said Neel Mehta, a research engineer at Internet Security Systems Inc. in Atlanta.
"I expect [the flaws] to be exploited in a very short time," Mehta said.
Southern Regional Health System in Riverdale, Ga., had to patch nearly 100 Windows NT and Windows 2000 servers this week.
"These announcements are becoming more like the Chicken Little [story]" said Reid Burch, the health care organization's network services manager. "I'm not saying that we're ignoring the patches. But it has become comical that these patches are released so frequently," he said. Since the hospital has to run patient care applications 24 hours a day, seven days a week, the task of patching systems is very difficult, Burch added.
Fenwick & West LLP had to allocate three IT workers to patching duties this week, and by yesterday, all three were working overtime, said Matt Kesner, the Mountain View, Calif.-based law firm's chief technology officer.
Even so, the law firm was having problems getting the patches installed, with some machines requiring multiple attempts and 12 PCs needing to be completely reformatted to accept the patches.
"Despite the fact that Microsoft has made this huge commitment to security, they are not saying why these vulnerabilities are showing up and what exactly they are doing to research and patch them," Kesner said. There are also questions about how long Microsoft might have known about these vulnerabilities before patches became available, he said.
"There are more questions asked than answered when such a large update is released," said Robert Bagamery, a systems support specialist at a large Canadian utility that he asked not be named.
"I wonder what they've broken with the fix," Bagamery said. "I wonder how many more there are, and how many they know about but aren't talking [about]."
Microsoft didn't respond to specific user complaints. But Stephen Toulouse, security program manager at Microsoft's Security Response Center, said the company's decision to address so many flaws with a few large patches was driven by practical considerations.
"When we see the opportunity to ship one set of files that contain multiple fixes, we really attempt to do that" instead of shipping separate fixes, he said.
The approach makes it easier for users to apply the patches, Toulouse added. "It was the best solution for our customers," he said.
Read more about Security in Computerworld's Security Topic Center.
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!