Feel more secure yet?
- 05 May, 2002 22:00
So I've travelled to corporate headquarters in Redmond to find out on your behalf what progress the software giant has made so far.
I have no doubt that Gates is sincere in wanting to stop the headlines about how wide open his company's products are to malicious hackers. Persuading people to entrust their data to Passport, .Net and Microsoft's many other offerings is hard enough. It's no help to see front pages reporting, say, that Passport had to be shut down for two days because people's credit cards could be acquired just by sending the victims a short email message.
It isn't like Microsoft isn't trying. When security flaws are found, the company does strive to inform Windows users about free, corrective patches.
But this creates its own headaches. Since Windows XP shipped in October 2001, Microsoft has posted at least seven patches for the operating system, three of them rated "critical". (Some of these patches also apply to earlier versions of Windows.)
According to the company's security bulletin service, 60 patches were released for all Microsoft products in 2001 alone. That's more than one a week. Merely keeping track of the changes can be a full-time job, and in some cases, applying a patch has caused other problems.
I personally hope Microsoft gets this situation under control, so I can write about more interesting things than the latest threat.
I'm glad to report, therefore, that Gates' email has so far produced at least one tool to cope with the flood of patches. It's called MBSA (Microsoft Baseline Security Analyser), available here. This program, released a month ago, runs on Windows XP or 2000 and searches a network of XP, 2000, and NT 4.0 SP4 machines for missing patches, insecure configurations and weak passwords.
Some glitches, unfortunately, have already arisen. It was reported last week that MBSA gives erroneous warnings even after some hotfixes have been applied.
Alternatives to MBSA include commercial programs that not only discover missing patches, but apply fixes remotely to the vulnerable machines.
What has your experience been? I'll send a gift certificate for a free book, CD or DVD of your choice to readers whose comments I print. Watch this space in coming weeks for more about your options.
Send tips to firstname.lastname@example.org. He regrets that he cannot answer individual questions.