Microsoft’s patch management policy, which has seen the
company release monthly fixes for security vulnerabilities, has
come under attack following the release of the latest
update.
The April update was the largest patch Microsoft has released to
date. But in spite of its complexity, users and third-party
security specialists were denied the opportunity to beta test the
patch.
Microsoft maintained that disclosing the patches through a beta
programme could alert hackers to the vulnerabilities and put users
at risk. But its security disclosure policy appears to be
inconsistent.
Russ Cooper, chief scientist at consultancy TruSecure, said, "I
have had the SP2 [service pack] beta for Windows XP for four
months, which contains undisclosed fixes." Yet Microsoft was
unwilling to run a beta programme for the April patch, because
of security concerns.
"If you cannot beta test, you cannot do quality assurance [of
the patch]," he said.
By bundling 14 patches into a single monthly update, Cooper said
Microsoft was increasing the complexity of patch management for
users.
"If Microsoft did not bundle [so many hot fixes into a single
patch] users could test and apply individual patches," he said,
adding that the complexity of this latest patch meant Microsoft was
creating a scenario where beta testing would be required. "I would
prefer to see much simpler patching."
Stuart Okin, chief security officer at Microsoft, questioned the
wisdom of running beta tests on a patch as any such test could tip
off hackers to possible vulnerabilities. He said a beta programme
would expose users to security risks.
Okin said that before to the introduction of the
much-anticipated SP2 for Windows XP, Microsoft would be rolling up
the latest patches into the release.
This raises a question over the quality of hot fixes within the
SP2 release. Although Microsoft insisted the patches will be
tested, users may end up with patches that they have been unable to
beta test.
SP2, due out by June, is an important milestone for Microsoft as
the company pushes forward its Trustworthy Computing initiative for
secure computing on the Windows platform. About 80% of the code is
security related and Microsoft is aiming to switch security
features on by default.
It is the first service pack to be put through a full beta
programme, as the tighter security could conflict with users’ own
applications. Because of this, Microsoft has urged people to test
the SP2 release candidate software in their IT environments. It has
prepared a 156-page document which gives details about how SP2’s
security could affect applications.
Users who are running applications using Remote Procedure Calls
and the Distributed Component Object Model have been urged by
Microsoft to check for possible incompatibilities because of the
tighter security in SP2. The same is true of Windows Firewall
(previously called Internet Connection Firewall), which is now
switched on by default.