Microsoft Draws User Ire With Its Latest Release of Patches

Computerworld - Microsoft Corp.'s release last week of three critical patches to fix 20 flaws in various Windows products drew flak from users who expressed frustration at the company's continuing problems with security.
In one of its biggest monthly patch releases to date, Microsoft issued updates aimed at closing several major holes in products ranging from Windows NT 4.0 to the 64-bit edition of Windows Server 2003. Also affected were several versions of its Outlook Express e-mail program.
One of the patches fixed 14 separate vulnerabilities; another fixed four.
"We are extremely concerned by the high amount of vulnerabilities and patches from Microsoft. This goes against the credibility of what they have been saying," said Michael Kamens, global security director at Thermo Electron Corp.
The fact that even a new product such as Windows Server 2003 has problems "brings no great joy to our hearts," said Kamens, who had to patch more than 4,000 Windows systems last week at the Waltham, Mass.-based scientific equipment manufacturer.
Among the flaws considered particularly dangerous was a buffer overrun vulnerability in a user authentication function called the Local Security Authority Subsystem. Hackers who successfully exploit the flaw could take complete control of compromised systems.
A buffer overrun flaw related to a component used to secure communications between servers and clients on public networks was also deemed a critical risk, for the same reason.
Both flaws present "high-value targets" for hackers because they involve security and authentication components in Windows, said Neel Mehta, a research engineer at Internet Security Systems Inc. in Atlanta. "I expect [the flaws] to be exploited in a very short time," Mehta said.
Southern Regional Health System in Riverdale, Ga., had to patch nearly 100 Windows NT and Windows 2000 servers last week.
"These announcements are becoming more like the Chicken Little [story]," said Reid Burch, the health care organization's network services manager. "I'm not saying that we're ignoring the patches. But it has become comical that these patches are released so frequently."
Since the hospital has to run patient care applications around the clock, the task of patching systems is very difficult, Burch added.
Fenwick & West LLP had to allocate three IT workers to patching duties last week, and by Thursday, all three were working overtime, said Matt Kesner, the Mountain View, Calif.-based law firm's chief technology officer.
Even so, the firm was having problems getting the patches installed, with some machines requiring multiple attempts and 12 PCs needing to be completely reformatted to accept the patches.
"Despite the fact that