Microsoft is facing criticism about the size and lack of
testing of the monthly security update it released last week, which
contained 14 patches.
Russ Cooper, chief scientist at consultancy TruSecure, said, "By
supplying patches to 14 different components of Windows in a single
patch, declaring many of them to be critical, Microsoft has forced
administrators to adopt patches to all components."
This will prolong the testing users need to undertake. He also
suggested that the lack of beta testing puts a question mark over
the quality of the Windows XP Service Pack 2, which is due to be
released before the end of June.
Stuart Okin, chief security officer at Microsoft, rebuffed the
criticism about lack of testing. Most security breaches occur after
the patches have been released, so a beta programme would expose
users to the risk of attack, he said.
"Patches do not go through a beta programme but do go through a
testing [process], the length of which depends on what is being
fixed."
This month's patches will be rolled up into SP2, which is currently
going through a beta test programme. It will be the first service
pack in Microsoft's history to receive this treatment.
Microsoft intends to use SP2 to set the standard on operating
system security, as it drives forward its Trustworthy Computing
initiative.
According to Microsoft, 80% of the code in SP2 is security related,
and the remaining 20% adds new functionality such as better support
for Bluetooth-enabled devices and a new version of the Tablet PC
operating system.
Because of the number of security changes planned in SP2, Microsoft
has compiled a 156-page Word document detailing how users could be
affected.
Paul Randle, Windows client product manager at Microsoft, said,
"Our design goal is to make SP2 work with existing applications."
Significantly, he said users should not need to buy new versions of
their anti-virus software, which is often required when a new
version of the operating system is released.
Richard Edwards, research analyst at Butler Group, urged users to
start assessing the impact of SP2 by downloading the release
candidate version.
"For some users, a month may be more than enough time to test a
couple of applications," he said. But when users had a large number
of applications to check, he warned that testing could take far
longer. "Download the software and start testing," he
advised.
Microsoft has already released the first release candidate of SP2.
In mid-May it is due to introduce the second release candidate.
SP2 focus delays Longhorn release
The focus on Service Pack 2 has led to Microsoft pushing back
Longhorn, the next release of Windows.
The first beta version, which was expected during 2004, will now
not be available until the first half of 2005.
A Microsoft spokeswoman said Microsoft would also be making
"some minor scaling back of Longhorn".
However, she said that the key components of Longhorn, such as
the WinFS file system based on SQL Server, Indigo and the Avalon
user interface, have not been scaled back.