Microsoft under fire for 'critical' 14-patch update

Microsoft is facing criticism about the size and lack of testing of the monthly security update it released last week, which contained 14 patches.

Russ Cooper, chief scientist at consultancy TruSecure, said, "By supplying patches to 14 different components of Windows in a single patch, declaring many of them to be critical, Microsoft has forced administrators to adopt patches to all components."

This will prolong the testing users need to undertake. He also suggested that the lack of beta testing puts a question mark over the quality of Windows XP Service Pack 2, which is due to be released before the end of June.

Stuart Okin, chief security officer at Microsoft, rebuffed the criticism about lack of testing. Most security breaches occur after the patches have been released, so a beta programme would expose users to the risk of attack, he said.

"Patches do not go through a beta programme but do go through a testing [process], the length of which depends on what is being fixed."

This month's patches will be rolled up into SP2, which is currently going through a beta test programme. It will be the first service pack in Microsoft's history to receive this treatment.

Microsoft intends to use SP2 to set the standard on operating system security, as it drives forward its Trustworthy Computing initiative.

According to Microsoft, 80% of the code in SP2 is security related, and the remaining 20% adds new functionality such as better support for Bluetooth-enabled devices and a new version of the Tablet PC operating system.

Because of the number of security changes planned in SP2, Microsoft has compiled a 156-page Word document detailing how users could be affected.

Paul Randle, Windows client product manager at Microsoft, said, "Our design goal is to make SP2 work with existing applications." Significantly, he said users should not need to buy new versions of their anti-virus software, which is often required when a new version of the operating system is released.

Richard Edwards, research analyst at Butler Group, urged users to start assessing the impact of SP2 by downloading the release candidate version.

"For some users, a month may be more than enough time to test a couple of applications," he said. But when users had a large number of applications to check, he warned that testing could take far longer. "Download the software and start testing," he advised.

Microsoft has already released the first release candidate of SP2. In mid-May it is due to introduce the second release candidate.

SP2 focus delays Longhorn release       

The focus on Service Pack 2 has led to Microsoft pushing back Longhorn, the next release of Windows.  

The first beta version, which was expected during 2004, will now not be available until the first half of 2005.  

A Microsoft spokeswoman said Microsoft would also be making "some minor scaling back of Longhorn".  

However, she said that the key components of Longhorn, such as the WinFS file system based on SQL Server, Indigo and the Avalon user interface, have not been scaled back.