Microsoft patch download site said to be faulty

Problems with the consumer version of an online extension to Windows aimed at making patch installation easier are prompting concerns about the reliability of an upcoming corporate release of the Microsoft technology.

But Steve Lipner, Microsoft's director of security, claimed last week that the concerns are misplaced and said that the corporate version of the Windows Update technology is working fine in beta-test trials.

Russ Cooper, moderator of NTBugtraq, an online mailing list covering Windows NT security, advised users to stop using Windows Update for downloading patches, claiming that it is unreliable.

Windows Update is basically designed to give users a way to quickly locate and download software patches for fixing security vulnerabilities on individual systems.

Cooper said it is dangerous for users to rely on the technology for several reasons.

For instance, sometimes the Windows Update Web site informs users that they are adequately patched when in fact they are not, he said. At other times, it asks them to patch systems that have already been patched, or does not install a patch fully, Cooper claimed. Windows Update's method of determining successful patch installation cannot be trusted either, he added.

Susan Bradley, a Microsoft Certified Professional and certified public accountant at Tamiyasu, Smith, Horn and Braun Accountancy in California, said she recommends that network administrators do not use Windows Update for security patches. However, "there are certain critical hot fixes that are not security-related but still needed," she added. "It is very easy to download these for the XP machines [using Windows Update]."

Microsoft plans to release the corporate edition of Windows Update later this quarter. The technology is being introduced as part of the company's Strategic Technology Protection Program announced last autumn.

The corporate version will not only dynamically alert companies of new patches, but it will also give them a way to more efficiently manage and distribute patches across their networks, Lipner said.

Cooper said the problem is that the two versions are based on the same technology, so whatever the consumer version of Windows Update does, the corporate edition does too, "and in the same way".

Microsoft is also working on streamlining its patch releasing process, Lipner said. Currently, patches are available from myriad sources and services, which at times yield conflicting information. "We know there are issues, and this is something that we are certainly working on fixing," Lipner said. "This is not something we can wave a magic wand over."

Pete Lindstrom, an analyst at Hurwitz Group, said these are issues that Microsoft is aware of and has been trying to address for some time now.

"I think they worked hard to facilitate [the patching process]. But there's so little trust on the users' part that most [of this effort] has been unrecognised," Lindstrom said.