Latest Microsoft patches draw user ire
Computerworld - Microsoft Corp.'s release Tuesday of three critical patches to fix 20 flaws in various Windows products (see story) drew flak from users who expressed frustration at the company's continuing problems with security.
In one of its biggest monthly patch releases to date, Microsoft issued updates aimed at closing several major holes in products ranging from Windows NT 4.0 to the 64-bit edition of Windows Server 2003. Also affected were several versions of its Outlook Express e-mail program.
One of the patches fixed 14 separate vulnerabilities; another fixed four.
"We are extremely concerned by the high amount of vulnerabilities and patches from Microsoft. This goes against the credibility of what they have been saying," said Michael Kamens, global security director at Thermo Electron Corp., a $2 billion manufacturer of scientific equipment in Waltham, Mass.
The fact that even a new product such as Windows Server 2003 has problems "brings no great joy to our hearts," said Kamens, who had to patch over 4,000 Windows systems this week.
Among the flaws considered particularly dangerous was a buffer-overrun vulnerability in a user-authentication function called Local Security Authority Subsystem Service. Hackers who successfully exploited the flaw could take complete control of compromised systems.
A buffer-overrun flaw relating to a component used to secure communications between servers and clients on public networks was another critical risk for the same reason.
What do you think? Post your opinion in our discussion forum on this story.
Both flaws present "high-value targets" for hackers because they involve security and authentication components in Windows, said Neel Mehta, a research engineer at Internet Security Systems Inc. in Atlanta.
"I expect [the flaws] to be exploited in a very short time," Mehta said.
Southern Regional Health System in Riverdale, Ga., had to patch nearly 100 Windows NT and Windows 2000 servers this week.
"These announcements are becoming more like the Chicken Little [story]" said Reid Burch, the health care organization's network services manager. "I'm not saying that we're ignoring the patches. But it has become comical that these patches are released so frequently," he said. Since the hospital has to run patient care applications 24 hours a day, seven days a week, the task of patching systems is very difficult, Burch added.
Fenwick & West LLP had to allocate three IT workers to patching duties this week, and by yesterday, all three were working overtime, said Matt Kesner, the Mountain View, Calif.-based law firm's chief technology officer.
Even so, the law firm was having problems getting the patches installed, with some machines requiring multiple attempts and 12 PCs needing to be completely reformatted to accept the patches.
"Despite the fact that Microsoft has made this huge commitment to security, they are not saying why these vulnerabilities are showing up and what exactly they are doing to research and patch them," Kesner said. There are also questions about how long Microsoft might have known about these vulnerabilities before patches became available, he said.
"There are more questions asked than answered when such a large update is released," said Robert Bagamery, a systems support specialist at a large Canadian utility that he asked not be named.
"I wonder what they've broken with the fix," Bagamery said. "I wonder how many more there are, and how many they know about but aren't talking [about]."
Microsoft didn't respond to specific user complaints. But Stephen Toulouse, security program manager at Microsoft's Security Response Center, said the company's decision to address so many flaws with a few large patches was driven by practical considerations.
"When we see the opportunity to ship one set of files that contain multiple fixes, we really attempt to do that" instead of shipping separate fixes, he said.
The approach makes it easier for users to apply the patches, Toulouse added. "It was the best solution for our customers," he said.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts