User sees some result from Microsoft security focus

WELLINGTON (01/15/2004) - Users appear resigned to patching software ad nauseam, though one large user welcomes Microsoft Corp.'s latest attempts to ease the pain of implementing fixes.

Microsoft is rationalizing its distribution of software patches for Windows and its applications and scheduling major non-critical patch releases less often.

The number of ways Microsoft distributed patches kept increasing -- to eight, the company says. Microsoft aims to bring it down to two by May -- one for operating systems and one for applications.

As well as the sheer number of fixes, patches have had side-effects, particularly shortcomings in backward compatibility, acknowledges Terry Allen, director of Microsoft New Zealand's enterprise sales and partner group.

Channa Jayasinha, CIO at the Department of Conservation (Doc), however, says these problems appear to have lessened recently.

"Patches are a lot more reliable than they were," he says. "It appears Microsoft has more tightly integrated its testing regime for backward compatibility."

Timing of Windows patches is not onerous for Doc staff, Jayasinha says.

"Patch deployment is built into our monthly and thirdly (four-monthly) cycles. The security-related ones we deploy as soon as they come out, but we leave the others for the next regular update."

Microsoft is also working to reduce common coding errors such as buffer overruns by ensuring that any data that would be written past the end of a buffer is "quarantined", Allen says.
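As an added illustration, not code from the article or from Microsoft (whose "quarantine" mechanism the article does not describe), this is the bug class Allen is referring to: a fixed-size field filled with `strcpy`, beside a bounded version that rejects over-long input instead of writing past the end of the buffer. The `record` struct, its field names and the sample names are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8

/* Hypothetical record: the field after name[] is exactly what an overrun
 * of name[] would overwrite, which is why overruns are security bugs and
 * not just crashes. */
struct record {
    char     name[NAME_LEN];
    uint32_t is_admin;
};

/* Vulnerable form: strcpy copies up to the source's NUL with no idea how
 * large the destination is. A name of 8 or more characters writes past
 * name[] into is_admin (undefined behaviour in C; in practice the
 * caller's bytes land in the neighbouring field). Only call this with
 * input you have already checked, which is the bug: nobody does. */
void set_name_unsafe(struct record *r, const char *name)
{
    strcpy(r->name, name);
}

/* Hardened form: measure first, then copy only if the whole string plus
 * its terminator fits. Over-long input is rejected outright; nothing is
 * written past the end and the record is left unchanged.
 * Returns 0 on success, -1 if the name was rejected. */
int set_name_checked(struct record *r, const char *name)
{
    size_t n = strlen(name);
    if (n >= NAME_LEN)
        return -1;
    memcpy(r->name, name, n + 1);
    return 0;
}

/* Convenience: does this name fit a fresh record? Returns the same
 * 0 / -1 as set_name_checked. */
int name_fits(const char *name)
{
    struct record r;
    memset(&r, 0, sizeof r);
    return set_name_checked(&r, name);
}

/* Self-check used by main(): returns 1 when the checked copy accepts a
 * short name, rejects a long one, and leaves both the buffer and the
 * neighbouring field untouched after the rejection. */
int checked_copy_preserves_neighbour(void)
{
    struct record r;
    memset(&r, 0, sizeof r);
    if (set_name_checked(&r, "alice") != 0)
        return 0;
    if (set_name_checked(&r, "administrator") != -1)
        return 0;
    return strcmp(r.name, "alice") == 0 && r.is_admin == 0;
}

int main(void)
{
    struct record r;
    memset(&r, 0, sizeof r);

    /* Short input is fine through either path. */
    set_name_unsafe(&r, "bob");
    printf("unsafe, short input: name=%s is_admin=%u\n", r.name, (unsigned)r.is_admin);

    /* The checked path refuses what the unsafe path would have overrun. */
    int rc = set_name_checked(&r, "administrator");
    printf("checked, long input: rc=%d name=%s is_admin=%u\n", rc, r.name, (unsigned)r.is_admin);

    return checked_copy_preserves_neighbour() ? 0 : 1;
}
```

The check is `n >= NAME_LEN`, not `n > NAME_LEN`: the terminating NUL needs a byte too, and the off-by-one that forgets it is the classic way a "bounded" copy still overruns by one.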

For those who say there are still too many bugs, particularly security holes, Allen contends that Microsoft is not a particularly bad performer in this respect. In four months at the end of last year, Red Hat Linux clocked up 43 security releases, a larger number than Windows, he says.

Jayasinha says all widely used software will have a continued flow of necessary amendments as hackers get smarter.

"I can't see that decreasing."

Microsoft will in future be patching down to line level, rather than replacing whole blocks of code. As a result, patch size, which users have also criticized, is decreasing. Allen says an average reduction of 30 percent has already been achieved, and the aim is an 80 percent reduction -- patches a fifth of their current size -- by the middle of this year.

Jayasinha says Doc does not see patch size as a problem.

Allen says Microsoft will make increased use of PC lockdown, and frequently attacked components such as its IIS web server will no longer be installed by default.

Servers will have an "inspection capability", so that if a user attaches a PC with unpatched software to the network the server will have the right to refuse connection.

"The user will get the message 'go to Room 13 to connect (to a separated part of the network) and we will update you'."

Education is another important part of the equation. Microsoft is trying a number of approaches, through industry trainers such as Auldhouse, schools and the Internet Safety Group.

Allen suggests ISPs or retailers like Harvey Norman and Dick Smith could run courses or even charge users a small sum to secure their PC.
