Users pressure Microsoft on tests in wake of Sasser

Businesses demand rigorous patch testing and more information.

Businesses have called on Microsoft to step up testing on its security patches after the Sasser computer worm left a trail of destruction last week.

The worm, which disabled computer systems running Windows 2000, XP and 2003 operating systems, hit thousands of small companies and high-profile targets including the UK Coastguard Service, British Airways and American Express.

But companies found their difficulties exacerbated as they rushed to install patches over the bank holiday weekend, when it emerged that the fix contained bugs that caused some systems to crash and interfered with Oracle databases.

David Lacey, global information security director at Royal Mail and founder of the Jericho group of leading IT users, urged Microsoft to step up testing of its MS04-011 patches following the outbreak. "Microsoft is moving in the right direction, but it has to move faster and step up an extra gear," he said.

The call was echoed by Nick Leake, director of infrastructure and operations at ITV, who urged the software supplier to consider testing patches with a closed group of companies before general release.

"Microsoft can only improve the quality of its patching with more extensive testing," he said.

Paul Simmonds, global information security director at ICI and Jericho founder, called on Microsoft to provide more timely data to companies to help them protect their systems.

"We need in-depth information on dependencies and potential problems. I would much rather know that a patch has potential problems," he said.

Microsoft’s UK chief security officer Stuart Okin played down the bugs in the MS04-011 patch, saying there were few complaints from users and the problems were very specific and well documented on Microsoft’s website.

Microsoft was working with customers and ISPs to improve testing, he revealed, but he ruled out full beta testing with a closed user group.

"How do you do a beta testing program when you know that 99.99% of all worms and viruses are written by reverse engineering the patch?" he said.

The Confederation of British Industry called for greater collaboration between IT suppliers and governments to drive up security following the Sasser outbreak.

"The only way these attacks are going to be dealt with is through a concerted effort by users, suppliers and the IT security industry. It really requires governments to work together internationally," said Jeremy Beale, head of e-business at the CBI.

Hack timeframe

13 April: Microsoft issues MS04-011 to fix 14 holes in Windows. It is criticised for releasing a complex patch without beta testing

21 April: Microsoft publishes a revised knowledge base article (835732) detailing "known issues that customers may experience" when installing the patch

1 May: Hackers release Sasser.a, which targets the Local Security Authority Subsystem Service

2 May: American Express is affected by Sasser

3 May: UK IT departments unable to patch laptops owing to bank holiday. Sasser.b variant appears

4 May: Reports of a number of high-profile organisations being affected by versions of Sasser, including the UK Coastguard Service and British Airways’ systems at Terminal 4. Sasser.c and Sasser.d are released.