David Berlind's Reality Check
Why Microsoft's patch process needs patching
By David Berlind
July 2, 2004
On the heels of the Download.Ject attack, Microsoft on Friday released a "configuration change" it wants users to apply to installations of the Windows XP, Windows Server 2003 and Windows 2000 operating systems. Microsoft announced the move in a bid to shut down any additional exploitation of a vulnerability that affects Windows-based desktop and notebook PCs.

Microsoft says that users who have beta versions of its forthcoming Service Pack 2 for Windows XP installed are already protected. (The company posted its statement regarding the configuration change on its Web site.)

But the latest episode also points at the time constraints of dealing with malicious code. Crucial days--if not hours--can elapse between the moment vulnerabilities surface on the Internet and the time vendors get around to releasing patches and configuration changes.

In this case, Microsoft said the configuration change is "currently available" on the company's Web site and would be made available later in the day on Windows Update. Windows Update is the Microsoft-run service that can manually or automatically update Windows systems, depending on how users have it configured (I have it configured for automatic updates, but still do manual checks for new updates quite regularly).

Microsoft is trying to limit the length of time authors of malicious code have to inspect software fixes, to write and distribute malware that exploits the vulnerabilities, and to attack still-unprotected systems. But the process reveals a lack of attention to detail--and that's the bigger problem because it represents a glaring shortcoming in the company's Trustworthy Computing Initiative.

The notice, which was posted on Microsoft's site by noon East Coast time on July 2, 2004, says the Windows Update service will be distributing the fix later in the day. Users who want to move more quickly are directed to download the code from Microsoft's Download Center.

But clicking on the link leads one to a page that offers not a clue about where to find the fix that Microsoft says is there. The site lists popular downloads and even featured downloads. But nowhere is something that says, "If you've come here for the download that protects you against Download.Ject, click here!"

The only hope of finding it is in a link that expands the list of most popular downloads to one that's more comprehensive. I clicked on that. A scan of the list offers no clues as to whether one of the downloads might be the one I'm looking for. At the very least, a list of dates should be shown here.

So, in exasperation, I entered "Download.Ject" into the keywords search field. Presumably, when I hit go, this will take me to the download I'm looking for. But still nothing.

Though Microsoft had no comment at the time this story was published about why the statement refers to a download that can't be found, it did offer a link that leads directly to the download. Following this link reveals yet another problem. Instead of mentioning "Download.Ject" or "keystroke logging" (some keywords that users will want to see in order to know that they've reached the right place), the heading on the page appeals to software developers instead. It says "Critical Update for Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer (KB870669)." The more recognizable keywords aren't mentioned in the description of the update either.
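Once an administrator has located the update, the next question is whether it actually landed on a given machine. The following PowerShell check is an added example, not code from this column or from Microsoft: it reads the Internet Explorer ActiveX Compatibility key for the ADODB.Stream class and reports whether the "kill bit" that KB870669 sets is present. The CLSID and the 0x400 kill-bit flag are assumptions taken from Microsoft's ActiveX kill-bit documentation, not from this page.

```powershell
# Added example (not from the column or from Microsoft). KB870669 works by
# setting a "kill bit" (Compatibility Flags bit 0x400) on the ADODB.Stream
# CLSID under Internet Explorer's ActiveX Compatibility key, which stops IE
# from instantiating that object from web content. The CLSID and flag value
# below are assumed from Microsoft's kill-bit documentation; confirm them
# against the KB article before relying on this check.

$AdodbStreamClsid = '{00000566-0000-0010-8000-00AA006D2EA4}'
$KillBit          = 0x400

function Test-AdodbStreamKillBit {
    [CmdletBinding()]
    param(
        [string]$Clsid    = $AdodbStreamClsid,
        # 32-bit IE on 64-bit Windows reads the Wow6432Node copy of this key.
        [string]$HivePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    $keyPath = Join-Path -Path $HivePath -ChildPath $Clsid

    # A missing key or value means no kill bit: IE will still load the control.
    $flags = 0
    if (Test-Path -LiteralPath $keyPath) {
        $item = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.'Compatibility Flags') {
            $flags = [int]$item.'Compatibility Flags'
        }
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        KeyPath            = $keyPath
        CompatibilityFlags = ('0x{0:X}' -f $flags)
        KillBitSet         = (($flags -band $KillBit) -eq $KillBit)
    }
}

# Run locally; a non-zero exit code lets an inventory job flag machines that
# have not yet received the configuration change.
$result = Test-AdodbStreamKillBit
$result | Format-List
if (-not $result.KillBitSet) {
    Write-Warning 'ADODB.Stream kill bit is NOT set: KB870669 change not applied.'
    exit 1
}
```

On 64-bit Windows, pass `-HivePath 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'` as well, since the 32-bit browser consults that redirected key.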

This snafu in Microsoft's process doesn't speak well of the Trustworthy Computing Initiative or the attention to detail that Microsoft must apply to the most dangerous of transgressions. In order to breed confidence in businesses and consumers, Microsoft must go to great lengths not only to make sure that its updates for securing systems are ready to go before announcing them, but also to post prominent, easy-to-understand road signs that lead all users and administrators of Windows systems to the highest-priority updates as quickly as possible. This isn't the first time I've complained about this problem. Today's broken process and poorly worded road signs reveal that developing the fixes is just part of the problem. Designing them to be found and applied is the other.

Editor's note, July 6, 2004: Since this column was first published, Microsoft has made the download in question available from its Download Center. However, the link to the download still contains text that only a developer would understand instead of something recognizable such as "Protects against Download.Ject" or "Prevents keystroke logging vulnerability." Also, a user who clicks on the link will find no clues on the subsequent page that the download addresses either of those issues.

You can write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.