MESSAGE
| DATE | 2004-04-16 |
| FROM | From: "Inker, Evan"
|
| SUBJECT | Subject: [hangout] Latest Microsoft patches draw user ire
|
Latest Microsoft patches draw user ire
News Story by Jaikumar Vijayan
APRIL 16, 2004 (COMPUTERWORLD) - Microsoft Corp.'s release Tuesday of three
critical patches to fix 20 flaws in various Windows products (see story)
drew flak from users who expressed frustration at the company's continuing
problems with security.
In one of its biggest monthly patch releases to date, Microsoft issued
updates aimed at closing several major holes in products ranging from
Windows NT 4.0 to the 64-bit edition of Windows Server 2003. Also affected
were several versions of its Outlook Express e-mail program.
One of the patches fixed 14 separate vulnerabilities; another fixed four.
"We are extremely concerned by the high amount of vulnerabilities and
patches from Microsoft. This goes against the credibility of what they have
been saying," said Michael Kamens, global security director at Thermo
Electron Corp., a $2 billion manufacturer of scientific equipment in
Waltham, Mass.
The fact that even a new product such as Windows Server 2003 has problems
"brings no great joy to our hearts," said Kamens, who had to patch over
4,000 Windows systems this week.
Among the flaws considered particularly dangerous was a buffer-overrun
vulnerability in a user-authentication function called Local Security
Authority Subsystem Service. Hackers who successfully exploited the flaw
could take complete control of compromised systems.
A buffer-overrun flaw relating to a component used to secure communications
between servers and clients on public networks was another critical risk for
the same reason
Both flaws present "high-value targets" for hackers because they involve
security and authentication components in Windows, said Neel Mehta, a
research engineer at Internet Security Systems Inc. in Atlanta.
"I expect [the flaws] to be exploited in a very short time," Mehta said.
Southern Regional Health System in Riverdale, Ga., had to patch nearly 100
Windows NT and Windows 2000 servers this week.
"These announcements are becoming more like the Chicken Little [story]" said
Reid Burch, the health care organization's network services manager. "I'm
not saying that we're ignoring the patches. But it has become comical that
these patches are released so frequently," he said. Since the hospital has
to run patient care applications 24 hours a day, seven days a week, the task
of patching systems is very difficult, Burch added.
Fenwick & West LLP had to allocate three IT workers to patching duties this
week, and by yesterday, all three were working overtime, said Matt Kesner,
the Mountain View, Calif.-based law firm's chief technology officer.
Even so, the law firm was having problems getting the patches installed,
with some machines requiring multiple attempts and 12 PCs needing to be
completely reformatted to accept the patches.
"Despite the fact that Microsoft has made this huge commitment to security,
they are not saying why these vulnerabilities are showing up and what
exactly they are doing to research and patch them," Kesner said. There are
also questions about how long Microsoft might have known about these
vulnerabilities before patches became available, he said.
"There are more questions asked than answered when such a large update is
released," said Robert Bagamery, a systems support specialist at a large
Canadian utility that he asked not be named.
"I wonder what they've broken with the fix," Bagamery said. "I wonder how
many more there are, and how many they know about but aren't talking
[about]."
Microsoft didn't respond to specific user complaints. But Stephen Toulouse,
security program manager at Microsoft's Security Response Center, said the
company's decision to address so many flaws with a few large patches was
driven by practical considerations.
"When we see the opportunity to ship one set of files that contain multiple
fixes, we really attempt to do that" instead of shipping separate fixes, he
said.
The approach makes it easier for users to apply the patches, Toulouse added.
"It was the best solution for our customers," he said.
****************************************************************************
This message contains confidential information and is intended only
for the individual or entity named. If you are not the named addressee
you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed, arrive
late or incomplete, or contain viruses. The sender therefore does not
accept liability for any errors or omissions in the contents of this
message which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
This message is provided for informational purposes and should not
be construed as an invitation or offer to buy or sell any securities or
related financial instruments.
GAM operates in many jurisdictions and is
regulated or licensed in those jurisdictions as required.
****************************************************************************
____________________________
NYLXS: New Yorker Free Software Users Scene
Fair Use -
because it's either fair use or useless....
NYLXS is a trademark of NYLXS, Inc
|
|
