In a move to assist system administrators, Microsoft is working on
a revision of its Windows Update service that will include software
patches to fix security holes in its server products.
"We've become increasingly aware that the ease of managing security
fixes is a critical issue for administrators in small and
medium-sized businesses. In fact, for many of these administrators,
manageability is even more critical than configuration control,"
said Scott Culp, a security program manager at Microsoft's security
response centre.
Windows Update is an online service that scans a system, lists the
updates it lacks, and installs them on request. In the past, corporate IT
professionals told Microsoft they had no interest in a service that
installs patches onto the server, Culp said. As a result, Windows
Update was oriented to the home user and did not include fixes for
many server products.
"We're in the process of changing Windows Update so that it will
serve both home and corporate users. We've been working with the
Windows Update team to ensure that security fixes for IIS and other
server products are available on the site," said Culp.
Windows Update won't be pulled back and re-launched. The fixes for
server software will be added to the site in the coming weeks and
months, said a Microsoft spokeswoman. In the meantime, server
administrators are advised to use Windows Update in tandem with
Microsoft's TechNet Security Notification Service, a free e-mail
alert service.
TechNet is Microsoft's Web site for IT professionals. Microsoft
does not push the mailing list or the site as much as it does
Windows Update, to which every Windows user has a shortcut in the
Start menu.
The new Windows Update will be welcomed by at least one Windows
2000 server user, who said he trusted Windows Update to serve up
the latest patches, until he found himself victim of a malicious
Internet worm. He now feels he was given a false sense of security
by Windows Update.
Casey Weaver administers a Windows 2000 server at a small
consultancy firm in Austin, Texas. He was convinced that he had
fully secured the system, but got hit by the "sadmind/IIS" Internet
worm anyway. The worm, which takes advantage of a seven-month-old,
already patched hole in Microsoft's IIS Web server software, placed an
anti-American rant on Web sites Weaver maintains for his customers.
The sadmind/IIS worm was discovered last week by the CERT
Coordination Center (CERT/CC) and is said to have compromised
thousands of servers.
"I installed all of the critical updates that the Windows Update
utility presented on Sunday 6 May. We got hit by the worm on
Thursday 10 May," Weaver said in an e-mail. "I'm thinking that I
might not be alone in my pickle barrel of assumptions that
Microsoft's Windows Update would notify me of all critical updates
that need to be applied," Weaver said.
Dutch Web site hosting company XS4ALL Internet BV, which runs
Windows 2000 servers for customers, said Windows Update can confuse
novice server administrators.
"Windows Update is somewhat deceptive, it looks like you get all
the updates, but in fact you don't. For server patches you need to
go to Microsoft's site for IT professionals," said XS4ALL
spokeswoman Sjoera Nas. "After receiving the e-mail you have to
manually download the patch and install it."
To help ensure that customers are not confused, Microsoft said it
would soon add information to the Windows Update site that tells
the users where the latest IIS patches can be found.