Microsoft has hit back at critics of its policy on issuing security patches and said that its new monthly update allowed organisations to deploy patches more quickly and effectively.
The company's latest monthly update, issued last week, hit the headlines because it included two "critical" patches.
Stuart Okin, chief security officer at Microsoft, said the impact of the MS Blaster virus last August convinced users of the need to download patches quickly. The monthly patching regime, introduced in October 2003, allowed IT departments to plan their deployment of patches.
However, the new policy alerts hackers to security flaws in Microsoft software, according to Jay Heiser, chief analyst at network security provider TruSecure. "Most exploits occur after the patch has been released," he said. "It is a race against time for users to deploy the patch, but users do not know how long they have."
One corporate Microsoft user issued an alert to its IT security staff and assigned a high priority to applying the critical patches issued last week. The IT department decided that because of the large number of Microsoft components affected, the vulnerability could become the basis for worm and virus outbreaks similar to the damaging Code Red and Blaster worms.
Another user tested the patch on six machines before rolling it out using Altiris patch management software. Even though the alert was critical, a senior IT professional at the organisation said, "We did not do anything different to what we normally do."
Microsoft's patching policy has not altered the way his organisation updates machines. He said critical alerts are handled straightaway but medium-risk alerts are delayed. "We usually delay the patch update until we roll out a major update, which allows us to test the configuration more thoroughly," he said.
Windows 2003 fails security hurdle
A mechanism in Microsoft Windows 2003 designed to minimise hacking was criticised by security experts last week. The problem concerned incorrect error handling in the Windows 2003 WINS service.
The checks were designed to protect systems from denial of service attacks arising from a hacker attempting to exploit any potential buffer overflow errors in the software.
Gerhard Eschelbach, chief technology officer at security service provider Qualys, said the way Microsoft had implemented the protection was flawed. "The protection mechanism shuts down the WINS service, in effect causing a denial of service, instead of restarting it."
This has now been corrected in the latest patch update.