Microsoft's release last Tuesday of three critical patches to fix 20 flaws in various Windows products drew flak from users who expressed frustration at the company's continuing problems with security.
In one of its biggest monthly patch releases to date, Microsoft issued updates aimed at closing several major holes in products ranging from Windows NT 4.0 to the 64-bit edition of Windows Server 2003. Also affected were several versions of its Outlook Express e-mail program.
One of the patches fixed 14 separate vulnerabilities; another fixed four.
"We are extremely concerned by the high amount of vulnerabilities and patches from Microsoft. This goes against the credibility of what they have been saying," said Michael Kamens, global security director at Thermo Electron Corp., a US$2 billion manufacturer of scientific equipment in Waltham, Mass.
The fact that even a new product such as Windows Server 2003 has problems "brings no great joy to our hearts," said Kamens, who had to patch over 4,000 Windows systems this week.
Among the flaws considered particularly dangerous was a buffer-overrun vulnerability in a user-authentication function called Local Security Authority Subsystem Service. Hackers who successfully exploited the flaw could take complete control of compromised systems.
A buffer-overrun flaw relating to a component used to secure communications between servers and clients on public networks was another critical risk for the same reason
Both flaws present "high-value targets" for hackers because they involve security and authentication components in Windows, said Neel Mehta, a research engineer at Internet Security Systems Inc. in Atlanta.
"I expect (the flaws) to be exploited in a very short time," Mehta said.
Southern Regional Health System in Riverdale, Ga., had to patch nearly 100 Windows NT and Windows 2000 servers this week.
"These announcements are becoming more like the Chicken Little (story)" said Reid Burch, the health care organization's network services manager. "I'm not saying that we're ignoring the patches. But it has become comical that these patches are released so frequently," he said. Since the hospital has to run patient care applications 24 hours a day, seven days a week, the task of patching systems is very difficult, Burch added.
Fenwick & West LLP had to allocate three IT workers to patching duties this week, and by yesterday, all three were working overtime, said Matt Kesner, the Mountain View, Calif.-based law firm's chief technology officer.
Even so, the law firm was having problems getting the patches installed, with some machines requiring multiple attempts and 12 PCs needing to be completely reformatted to accept the patches.
"Despite the fact that Microsoft has made this huge commitment to security, they are not saying why these vulnerabilities are showing up and what exactly they are doing to research and patch them," Kesner said. There are also questions about how long Microsoft might have known about these vulnerabilities before patches became available, he said.
"There are more questions asked than answered when such a large update is released," said Robert Bagamery, a systems support specialist at a large Canadian utility that he asked not be named.
"I wonder what they've broken with the fix," Bagamery said. "I wonder how many more there are, and how many they know about but aren't talking (about)."
Microsoft didn't respond to specific user complaints. But Stephen Toulouse, security program manager at Microsoft's Security Response Center, said the company's decision to address so many flaws with a few large patches was driven by practical considerations.
"When we see the opportunity to ship one set of files that contain multiple fixes, we really attempt to do that" instead of shipping separate fixes, he said.
The approach makes it easier for users to apply the patches, Toulouse added. "It was the best solution for our customers," he said.