A New Milestone for Microsoft

We all know what “Patch Tuesday” is. Every month on the second Tuesday, Microsoft releases bulletins describing vulnerabilities in its products, together with the hot fixes or workarounds that address them. Interestingly, six years have now gone by between the first Patch Tuesday and the one two days ago. Over these six years, Microsoft has distributed nearly 400 bulletins describing nearly 750 vulnerabilities. Most of these vulnerabilities have not been trivial, either; Microsoft has in fact rated over half of them as “critical.” And if you look at the trends, you’ll discover that every year since October 2003 has seen more announced vulnerabilities than the year before it.

Having worked for a software company for over three years, in a way I pity Microsoft. Simply keeping up with patches for a single product was a bigger task than I ever envisioned, and Microsoft makes many products. At the same time, however, there is something rotten in the state of Denmark, so to speak. Not only is the number of vulnerabilities in Microsoft products increasing every year, but, as I have mentioned before, years ago Microsoft told the world that its Trusted Computing Initiative (TCI) was going to substantially raise the quality of Microsoft code. Microsoft programmers were not only going to get training related to secure code development, but they also were going to be held responsible for the quality of the code they produced. It would be very difficult to fault Microsoft for coming up with and implementing its TCI, but if this initiative were truly successful, we would see the number of vulnerabilities in Microsoft products decreasing year by year. Yet the opposite has happened. Additionally, the same vulnerabilities should not keep resurfacing from one version of a product to the next. The good news is that many vulnerabilities are unique to a particular release of a particular Microsoft product. Unfortunately, however, there are numerous, serious exceptions, the most recent of which (described in Microsoft bulletin MS09-056) is a critical, remotely exploitable vulnerability in Microsoft’s Server Message Block (SMB) protocol that could allow unauthorized execution of remote code running with elevated privileges. All, and I repeat, all, Windows operating systems from Windows 2000 to Windows 2008 R2 have this vulnerability. I must thus lamentably conclude that although the TCI was a brilliant idea, there is a significant gap between what this initiative promises to deliver and what it has actually delivered.

As an aside, I need to tell you just how much I hate Patch Tuesdays. I use Windows Automatic Updates on my Windows workstations, so hot fixes for these workstations are automatically downloaded. Half the patching battle is thus won from the start. I do not allow Windows Automatic Updates to automatically install the hot fixes, however. I was once badly burned when I had this function set to automatically install hot fixes. Something was wrong with a particular IE fix; after it was installed and I tried to reboot the system in question, that system never rebooted. I had to reinstall the system, something that really irked me because I was unusually busy at that time. To Microsoft’s credit, this vendor fixed whatever was wrong with the patch within a few days and released the corrected version to its customers. But the damage to my primary Windows system had already been done. This terrible incident created within me a healthy paranoia about Microsoft hot fixes. Now I normally wait at least ten days to a few weeks, time that I use to find out whether network postings show that people have experienced trouble with new hot fixes, before I ever consider installing them.
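The “download automatically, install manually after a waiting period” practice described above can be checked from the workstation itself. The following PowerShell script is an added example, not code from the original post: it reads the Automatic Updates policy value (the `AUOptions` registry value under the Windows Update policy key, where 3 means “auto download and notify before install”) and then uses the Windows Update Agent COM API to list updates that are downloaded but not yet installed, flagging those that have aged past a configurable waiting window. The `$WaitDays` parameter and its default of ten days are assumptions taken from the post; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post): report the Automatic Updates mode and
# list downloaded-but-not-installed updates that have aged past a waiting window.
# Assumes Windows with the Windows Update Agent COM API available; run as Administrator.

param([int]$WaitDays = 10)   # minimum waiting period from the post; adjust as needed

# 1. Read the Automatic Updates policy. AUOptions 3 = "auto download and notify
#    before install", i.e. the mode the post describes. The key is absent when no
#    policy has been set, in which case the Control Panel setting applies.
$auKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$auOptions = (Get-ItemProperty -Path $auKey -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
$modeText  = switch ($auOptions) {
    2       { 'notify before download' }
    3       { 'auto download, notify before install' }
    4       { 'auto download and schedule install' }
    5       { 'local administrator chooses the setting' }
    default { 'no policy set (Control Panel / default behaviour applies)' }
}
Write-Host "Automatic Updates mode: $modeText"
if ($auOptions -eq 4) {
    Write-Warning 'Updates install automatically; a faulty fix would apply without any review window.'
}

# 2. Enumerate updates that are applicable but not yet installed, with their release age.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$now    = Get-Date
$report = foreach ($u in $result.Updates) {
    # LastDeploymentChangeTime is when the update was (last) published to Windows Update.
    $ageDays = [int]($now - $u.LastDeploymentChangeTime).TotalDays
    [pscustomobject]@{
        KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity   = $u.MsrcSeverity
        Downloaded = $u.IsDownloaded
        AgeDays    = $ageDays
        PastWait   = $ageDays -ge $WaitDays   # old enough to have been vetted by early adopters
        Title      = $u.Title
    }
}

# Updates with PastWait = True have sat through the waiting window and are candidates
# for a manual install; those still within the window are left for the next review.
$report | Sort-Object AgeDays -Descending |
    Format-Table KB, Severity, Downloaded, AgeDays, PastWait -AutoSize
```

The script only reports; nothing is installed or changed. Pairing the `AUOptions` check with the pending-update list gives a quick way to confirm that a workstation is actually in the download-only mode and to see which critical fixes are waiting on the decision to install.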

Microsoft has reached a huge milestone at the sixth year of Patch Tuesday. But I suspect that there was no celebration for the occasion in Redmond, Washington. Hopefully, higher-level management within Microsoft instead came to a deeper realization that although security in Windows products is not for the most part bad, there is surely a lot of room for improvement.
