Trustworthy systems myth

Patches to W2K overshadow the imminent arrival of the next generation of Microsoft OS.

Fresh Microsoft milestones are in sight. In less than a month the software giant will launch two momentous new releases to a fanfare of publicity. Windows 2003 will be its most important new operating system in three years. Visual Studio .NET 2003 will, the company hopes, elevate web services on to the user community's agenda for good.

With so much at stake in the coming weeks Microsoft must have cursed the timing of last week's problems with a vulnerability in Internet Information Server on Windows 2000.

Much was made of Bill Gates' launch of the Trustworthy Computing Initiative in January 2002, when he vowed to make security a top priority in software development. One year on, the patch problem shows little sign of subsiding. Judging by its past track record, can we expect Microsoft to produce trustworthy software? And, if not, where is the incentive to commit more time and money to Microsoft upgrades in the future?

Security vulnerabilities are a fact of life. In Microsoft's defence, it took a proactive approach in dealing with this latest threat, working hard to combat it and alerting key users to it. It should also be said that, if Microsoft seems to hog the security spotlight, it is only reflective of the great contribution that its software has made to the personal and business computing revolution. Good, ubiquitous software is bound to draw unwelcome attention.

But the fact remains that regular Microsoft alerts, patches and service packs continue to blight IT managers' working days, so much so that they are beginning to ignore available fixes and take their chances.

The Slammer worm proved that IT users were disinclined to devote time to loading patches, until it was too late. Perhaps in response to this shift in attitude, Microsoft last week telephoned hundreds of UK users to warn them of the IIS flaw. How embarrassing it must have been, that the patch turned out to have some unforeseen systems side-effects, and in some instances did not work.

Even a patch that eventually does its job first needs to be tested on non-critical systems, and requires servers to be shut down and rebooted before it can be released in the wild. In contrast, workarounds, which do not require servers to be rebooted, and whose impact on business can be predicted, will often suffice.

Microsoft needs to rethink the approach it takes to plugging vulnerabilities, and to reassess its reliance on patches. Meanwhile, IT managers face the dilemma of whether to ignore fixes or to implement them and risk further disrupting business. It is a dilemma that leaves us a long way from secure computing.

With luck, the release of Windows 2003 will go some way towards resolving issues of security. Business communities around the globe will be joining Microsoft in keeping their fingers crossed.
