Microsoft’s patch management policy, which has seen the company release monthly fixes for security vulnerabilities, has come under attack following the release of the latest update.
The April update was the largest patch Microsoft has released to date. But in spite of its complexity, users and third-party security specialists were denied the opportunity to beta test the patch.
Microsoft maintained that disclosing the patches through a beta programme could alert hackers to the vulnerabilities and put users at risk. But its security disclosure policy appears to be inconsistent.
Russ Cooper, chief scientist at consultancy TruSecure, said, "I have had the SP2 [service pack] beta for Windows XP for four months, which contains undisclosed fixes." Yet Microsoft was unwilling to run a beta programme for the April patch, because of security concerns.
"If you cannot beta test, you cannot do quality assurance [of the patch]," he said.
By bundling 14 patches into a single monthly update, Cooper said Microsoft was increasing the complexity of patch management for users.
"If Microsoft did not bundle [so many hot fixes into a single patch] users could test and apply individual patches," he said, adding that the complexity of this latest patch meant Microsoft was creating a scenario where beta testing would be required. "I would prefer to see much simpler patching."
Stuart Okin, chief security officer at Microsoft, questioned the wisdom of running beta tests on a patch as any such test could tip off hackers to possible vulnerabilities. He said a beta programme would expose users to security risks.
Okin said that before the introduction of the much-anticipated SP2 for Windows XP, Microsoft would be rolling up the latest patches into the release.
This raises a question over the quality of hot fixes within the SP2 release. Although Microsoft insisted the patches will be tested, users may end up with patches that they have been unable to beta test.
SP2, due out by June, is an important milestone for Microsoft as the company pushes forward its Trustworthy Computing initiative for secure computing on the Windows platform. About 80% of the code is security related and Microsoft is aiming to switch security features on by default.
It is the first service pack to be put through a full beta programme, as the tighter security could conflict with users’ own applications. Because of this, Microsoft has urged people to test the SP2 release candidate software in their IT environments. It has prepared a 156-page document which gives details about how SP2’s security could affect applications.
Users who are running applications using Remote Procedure Calls and the Distributed Component Object Model have been urged by Microsoft to check for possible incompatibilities because of the tighter security in SP2. The same is true of Windows Firewall (previously called Internet Connection Firewall), which is now switched on by default.
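The compatibility check described above, a host firewall that is on by default with inbound connections blocked, is the kind of thing an administrator can verify rather than guess at. The following script is an added example and is not from the article or from Microsoft: it lists the TCP ports that services are listening on and reports which of them no enabled inbound Allow rule covers, so the profile's default Block action applies to them. It assumes Windows 8 / Server 2012 or later, where the NetSecurity and NetTCPIP PowerShell modules exist; on XP SP2 the equivalent information came from "netsh firewall show state". The treatment of the "RPC" and "RPC-EPMap" port keywords (endpoint mapper on TCP 135, dynamic range from 49152) and the per-profile matching are simplifying assumptions noted in the comments.

```powershell
# Added example (not from the article): report listening TCP ports that no enabled
# inbound Allow rule covers, i.e. ports where the firewall profile's default
# Block action applies. Assumes Windows 8 / Server 2012 or later.

function Test-PortCovered {
    # Returns $true when $Port is covered by a rule's LocalPort value, which may be
    # "Any", a single number, a range such as "49152-65535", an array of those, or a
    # keyword. "RPC-EPMap" and "RPC" are mapped to TCP 135 and to the default dynamic
    # range (49152 and up); that mapping is an assumption, not a documented contract.
    param([int]$Port, [object]$LocalPort)
    foreach ($p in @($LocalPort)) {
        switch -Regex ([string]$p) {
            '^Any$'          { return $true }
            '^\d+$'          { if ([int]$p -eq $Port) { return $true } }
            '^(\d+)-(\d+)$'  { if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true } }
            '^RPC-EPMap$'    { if ($Port -eq 135) { return $true } }
            '^RPC$'          { if ($Port -ge 49152) { return $true } }
        }
    }
    return $false
}

function Get-ListenerCoverage {
    # Only worth checking when at least one enabled profile blocks inbound by default,
    # which is the SP2-style configuration the article describes.
    $blocking = Get-NetFirewallProfile | Where-Object { $_.Enabled -and $_.DefaultInboundAction -ne 'Allow' }
    if (-not $blocking) {
        Write-Warning 'No enabled firewall profile blocks inbound by default; nothing to check.'
        return
    }

    # Enabled inbound Allow rules paired with their port filters. Profile scoping
    # (Domain/Private/Public) is ignored here for simplicity; a rule is treated as
    # applying everywhere.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name      = $_.DisplayName
                Protocol  = $filter.Protocol
                LocalPort = $filter.LocalPort
            }
        }

    Get-NetTCPConnection -State Listen |
        Select-Object -Unique LocalPort, OwningProcess |
        ForEach-Object {
            $port = $_.LocalPort
            $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            $covering = $rules | Where-Object {
                ($_.Protocol -in 'TCP', 'Any') -and (Test-PortCovered -Port $port -LocalPort $_.LocalPort)
            }
            [pscustomobject]@{
                LocalPort  = $port
                Process    = $proc
                AllowRules = (@($covering).Name -join '; ')
                Reachable  = [bool]$covering   # $false: the default Block action applies
            }
        }
}

# Show only the listeners that the default Block action silently cuts off. For an
# RPC/DCOM application this is where a missing endpoint-mapper (135) or dynamic-port
# rule shows up before users report the application as "broken".
Get-ListenerCoverage | Where-Object { -not $_.Reachable } | Format-Table -AutoSize
```

Run it in an elevated session, since Get-NetTCPConnection needs the owning process ids to name the service. A listener that appears in the output is not necessarily a problem, because many services should be unreachable from the network; the point is that each such port becomes a deliberate decision, either an explicit Allow rule for that application or an accepted block, rather than a surprise when the firewall is switched on by default.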