TORONTO (03/11/2004) - Frustration over the latest Microsoft Corp. vulnerability announced last month is failing to wane as IT departments face the ongoing and daunting task of patching millions of machines worldwide.
The ASN.1 library vulnerability, rated as critical by Microsoft and one which requires a machine reboot, is causing headaches for thousands of IT workers who are pressed to find time to patch the machines during the limited windows of opportunity available to them.
Scott Collins has to deal with about 200 system machines and over 2,500 desktops. "The hardest part is the communications ... between the departments," said the manager of technology and infrastructure with Canaccord Capital, a Vancouver-based independent investment dealer. "These people have to be communicated to, we can't apply the patch, reboot and say 'thank you very much.'"
"It is like a domino effect," he said. Each business unit has to tell Collins's group when they can afford to have their machines shut down to patch and reboot. Because many of Canaccord's operations are 24/7, this is no easy task, he said. "If it requires a reboot it is always way more difficult."
Robert Lyall, who heads up the IT department at London-based Investor Relations magazine, recently expressed his frustration at the day of patch work that lay ahead.
"The end user doesn't want to be bothered with this kind of thing every couple of days, and one guy applying patches to 40 machines takes a bit of time!" Lyall said.
Lyall also looks after the magazine's design department and said that he sees people "looking at the Macs enviously, since they don't have these problems."
For Collins and Lyall, patching is only the endgame, one which started with testing to make sure the patch, designed to plug a hole, does not open up more holes or create unforeseen conflicts.
And unlike many previous vulnerabilities, ASN.1 has no workaround. The only solution is to patch machines. This is the second critical vulnerability that has affected all Microsoft operating systems. MS03-023 was the first non-IE bulletin that affected all Windows platforms. It caused a buffer overrun in the HTML converter, according to Microsoft.
For IT departments already overrun with critical flaws in Internet Explorer, this is just one more job on their to-do lists.
"These are both rated critical, they both need attention," was how Carol Terentiak, the security, strategy and response manager for Microsoft Canada Ltd., responded when asked which flaw should be dealt with first.
Collins has chosen to go after the ASN.1 vulnerability first. Though he is confident of Canaccord's multi-layered security approach, he said patching internal machines will help shore up defences in the unlikely event of a compromised external machine accessing its network.