Free Republic
Patch-Fatigued Users Contemplate Ditching Microsoft
InternetWeek | September 15, 2003 | John Foley, George V. Hulme

Posted on 09/15/2003 1:30:06 PM PDT by HAL9000

With the Blaster worm seeming to be under control, alleged virus-author Jeffrey Parson under house arrest in Minnesota, and hacker Adrian Lamo under the watchful eye of the feds, business-technology managers may have enjoyed a few hours of peace and quiet last week. But it was short-lived. On Sept. 10, Microsoft issued a security bulletin warning of three new critical vulnerabilities in the Windows operating system, sending systems administrators rushing to patch their computers. It's become an all-too-common scenario--and one that's causing some businesses to re-evaluate their heavy reliance on Microsoft products.

A year-and-a-half after Bill Gates declared that trustworthy computing had become Microsoft's No. 1 priority, the software bugs keep coming. The latest vulnerabilities involve the Remote Procedure Call service in Windows, making it possible for a malicious hacker to take control of a target system, introduce an infectious worm, or launch a denial-of-service attack. A week earlier, Microsoft issued five other warnings, four involving the omnipresent Office applications suite. For the year, the tally stands at 39.

And those are just the holes that have been uncovered by others and reported to Microsoft. In addition, the software vendor is combing through its code, finding holes, and issuing patches without publicizing the flaws. No one knows how many more are yet to be uncovered. "There's no way to wrap your hands around that," says Dan Ingevaldson, engineering manager with security vendor Internet Security Systems Inc.

Some business and technology professionals are running out of patience. "The issues around these vulnerabilities are escalating to the point where it's not just CIOs or CTOs, it's corporate officers, it's boards of directors asking: 'What are we going to do?'" says Ruth Harenchar, CIO of Bowne & Co., which last week scrambled to patch 4,500 Windows PCs and 500 servers in the United States and more overseas. "The situation appears to be getting worse, not better."

The patching work has thrown Bowne & Co.'s technology projects off schedule. Now, the specialty-printing-services company is assessing its options. Among them: redesigning its network around a thin-client model to reduce the number of PCs running Windows and, on other machines, migrating to Linux. "It's getting to be enough of a burden that you have to seriously start thinking about alternatives," Harenchar says.

Raymond James & Associates has assembled a team of IT staffers to manage the constant patching. "Organizations have to mobilize and realize this is going to be a way of life for the foreseeable future," says VP of IS Gene Fredriksen.

The financial-services firm, with offices around the world, last week began the arduous task of patching 10,000 PCs and 1,000 servers. "The pressure is on," Fredriksen says. "Anybody that isn't patched by the weekend is going to have trouble." The fear is that the latest vulnerability leaves Windows computers open to a Blaster-like worm. "There's a very good chance that a worm is going to be developed" to take advantage of the latest security holes, says ISS's Ingevaldson.

"People are getting fed up," says Lloyd Hession, chief information security officer at financial-network provider Radianz, adding that the number of Windows patches is reaching "epic proportions." The situation is causing more than just a few disgruntled customers to re-evaluate how much they use Microsoft products. Says Gartner security analyst John Pescatore, "There's definitely a very large trend towards that."

The problem of buggy code isn't limited to Microsoft software. And, at a congressional subcommittee hearing on the vulnerability of the country's computing infrastructure to worms and viruses--a hearing that was held, coincidentally, on the same day last week that Microsoft issued its security bulletin--Symantec Corp. president John Schwarz testified that software vulnerabilities "are being exploited faster and more aggressively than ever."

But Microsoft is at the center of the storm because its software is so widely used and a favorite target of the malcontents who write viruses and hack systems. At the same hearing, Microsoft senior security strategist Philip Reitinger described Microsoft's security-response program as "state of the art." He admitted, though, that "much remains to be done."

Just what is Microsoft doing to fix things? Last year, the company interrupted product development to train its Windows programmers in techniques for writing more-secure code. It has made some products harder to hack by turning off settings that raise risks, and it's screening old code for problems. And the automatic-update technology introduced in Windows XP is now available in Windows Server 2003 and Windows 2000.

Other steps are in the works. They include a hardware approach to creating secure systems called the Next-Generation Secure Computing Base, extending automatic updates to more Microsoft products, new "protective" software that guards systems even when patches aren't applied, and antivirus products and services.

Jeff Jones, senior director of trustworthy computing security, says Microsoft is making progress and points to the fact that Windows Server 2003 had half as many patches as Windows 2000 after 90 days of availability. "That's a clear improvement," Jones says.

Some customers are satisfied Microsoft is doing everything it can. "Their intentions are good," says Robert Egan, VP of IT at Boise Cascade Corp., which recently created a task force to respond to Microsoft's security bulletins. Egan says the work involved is "tolerable" but adds that the real issue is that "we'd rather be spending time enhancing our systems" than fixing them.

That's the rub. Another business-technology executive estimates his company's IT department has wasted more than 1,000 hours patching Windows systems. He's looking at thin clients and Linux as alternatives to Windows and, late last week, he was drafting a letter to Microsoft. The message: He'd like Microsoft to reimburse his company for all those hours of lost productivity.

Yet, business better get used to it. CIOs need to "literally put a line item" in IT budgets to cover the ongoing cost of patches, advises Kerry Gerontianos, president of systems integrator Incremax Technologies Corp. On the old goal of administration-free Windows, Gerontianos says, "that was a dream."



TOPICS: News/Current Events; Technical
KEYWORDS: blaster; lowqualitycrap; microsoft; spaghetticode; usesgoto; virus; whinersgalore; windows; worm
To: justlurking
There you go again.

True, some of those "applications" are not part of the Kernel but they are part of Linux.

The same logic applies to Windows and the 72 patch number. You can break out those 72 patches into what is the OS and what are "applications" that just happen to be packaged with the OS. Remember that Windows also includes a number of "applications" with the OS. It comes with a DNS Server, DHCP, WINS, Web Server (IIS), Directory Services (AD), ASP, Kerberos.... and on and on. Start adding on the security patch numbers for applications for the Linux Kernel like PHP and the security swiss cheese Apache and the numbers for Linux get VERY ugly.

61 posted on 09/15/2003 7:25:32 PM PDT by AgentOfTruth (- Sometimes the truth is insensitive)
(In reply to #54)

To: LibWhacker
"Yep, if Microsoft were to disappear tomorrow all the virus writers would retire."

Yep, and the economy would take a shit! Business runs quite well on MS. Could be better, but they are way ahead of whoever is in second place!

Why don't you be the first to ditch your MS machine and all you can control.
62 posted on 09/15/2003 7:26:34 PM PDT by lawdude
(In reply to #3)

To: tortoise
He does that a lot; said there was no CDE for Linux, then when I presented one he said it was crap (could not back it up), then left.
63 posted on 09/15/2003 7:27:40 PM PDT by N3WBI3
(In reply to #44)

To: N3WBI3
"For the year, the tally stands at 39."

I was just going by what the article said. It doesn't seem like I'm downloading more than that a month, but I could be. I've never had twelve at a time, though. Let me check...

For all available updates, I'm showing seven installed updates for September, five from August, seven from July, two from June, three from May, ten from April, three from March, eight from February, and four from January = 5.4 per month.

For Critical, Security, and Recommended Updates, I'm showing two for September, four for August, six for July, two for June, three for May, seven for April, three for March, eight for February, and one for January = 4 per month.

64 posted on 09/15/2003 7:30:12 PM PDT by scott7278 ("If I'm not back by dawn -- call the president.")
(In reply to #56)

To: AgentOfTruth
Let's just not count; let's look at what we are counting:

Red Hat itself comes with hundreds of third-party applications; one of the errors was for "Hangul Terminal is a terminal emulator for the X Window System, based on Xterm." Unlike the Windows updates, which by inspection look to be about 75% OS related, Linux updates to the kernel or core servers (Apache/MySQL/Sendmail) are far less frequent.

Is Linux perfect? No, but a server which does not have literally hundreds of apps installed requires far less patching than Windows, and most of those patches do not require a reboot.

65 posted on 09/15/2003 7:40:04 PM PDT by N3WBI3
(In reply to #48)

To: tortoise
I see that your legendary poor reading comprehension is biting you in the ass once again. You apparently missed that Linux systems are typically rooted because of poor system administration, not underlying software vulnerabilities.

You pulled that out of your ass. No sale. Produce proof -- or STFU. You've spread FUD here so much that your word is worth zip.
66 posted on 09/15/2003 7:55:25 PM PDT by Bush2000
(In reply to #47)

To: AgentOfTruth
True, some of those "applications" are not part of the Kernel but they are part of Linux.

They are included in most Linux distributions. They aren't Linux, or even part of Linux, at least in terms of who is "responsible". They are maintained by separate teams of developers, and blaming "Linux" would be like blaming Microsoft for a bug in Photoshop.

One could contend that some of them are necessary for Linux to be "useful" and equivalent to Windows. Therefore, it might be fair to include them in an overall comparison to Microsoft.

However, there are also a number of applications that have no direct equivalent on a Windows desktop, and typically don't exist except in enterprise server configurations. Unless your Microsoft patch count includes those types of applications or server software, it wouldn't be a fair comparison.

Start adding on the security patches numbers for applications for the Linux Kernel like PHP and the security swiss cheese Apache and the numbers for Linux get VERY ugly.

Check your list again. They were already included.

67 posted on 09/15/2003 8:02:45 PM PDT by justlurking
(In reply to #61)

To: justlurking
They are included in most Linux distributions. They aren't Linux, or even part of Linux, at least in terms of who is "responsible". They are maintained by separate teams of developers, and blaming "Linux" would be like blaming Microsoft for a bug in Photoshop.

Of course, that doesn't stop your side from lumping vulnerabilities in IE or Outlook or IIS into Windows. You want to have your cake and eat it, too -- decrying "Windows" vulnerabilities and simultaneously claiming that any vulnerability that isn't in the Linux kernel isn't Linux. Pathetic weasels.
68 posted on 09/15/2003 8:31:10 PM PDT by Bush2000 (E)
(In reply to #67)

To: N3WBI3
Takes far less time and planning than patching a windows server..

My advice would be to put down the crackpipe...
69 posted on 09/15/2003 8:32:47 PM PDT by Bush2000 (E)
(In reply to #58)

To: AgentOfTruth
A security patch is a security patch. I didn't classify them, Red Hat and Microsoft did.

Yes, but how many of these are actual server security patches the normal server admins actually need to use? We use exposed Linux servers all over the Internet running fiber backbones in a number of capacities (over my objections, actually) and I believe they have had exactly one security bulletin over the last year and a half that actually required them to patch something (one of the daemons, in that case). Our admins are pretty sharp and our security is tight, but the only box ever rooted on our network was a Win2k box that we let someone host there for free. We run a ton of completely exposed Linux servers, and we see every vulnerability that pops up and aggressively watch that stuff, but we've needed to patch something exactly once in 18 months. And I know why that list doesn't compute; most of the "security patches" on that list are things that concern desktop users, not any of the server applications we are likely to use. I certainly know that the couple of Windows servers we have (which are not exposed) have been patched multiple times in the same period, and these boxes are not even routable from the Internet.

As for Apple, they are running a FreeBSD kernel (very secure), but who knows what vulnerabilities they've added on top of it. I'll say that the jury is out on the security merits of MacOS X, though it should be pretty good in theory.

70 posted on 09/15/2003 8:38:43 PM PDT by tortoise (All these moments lost in time, like tears in the rain.)
(In reply to #57)

To: Bush2000
I would like to point out to you and the rest of my former ping buddies that INITIALIZED profanity can be subject to the Abuse button too.

Quiet you!


71 posted on 09/15/2003 8:50:22 PM PDT by Coral Snake (Biting commies, crooks, globalist traitors, islamofascists and any other type of Anti American)
(In reply to #34)

To: Bush2000
Of course, that doesn't stop your side from lumping vulnerabilities in IE or Outlook or IIS into Windows.

Microsoft themselves claimed (in court) that IE was an integral and inseparable part of Windows.

Personally, I wouldn't claim that IIS is part of Windows, even though it was on the Windows distribution disk(s). It took a separate, overt action on the part of the user to install it.

However, the problem with comparing a Windows-only application from Microsoft to an open source application that happens to run on Linux is that Linux is usually only one of the supported platforms.

In only a quick scan, I can identify several of them that also run on Windows: Mozilla, Ethereal, PHP, Apache, VNC, Lynx, Netscape, MySQL, and Ghostscript all have Windows source and binary distributions, although I don't know if they were exploitable. If you want to attribute them as Linux security problems, then they are potential Windows security problems as well -- even though they are not Microsoft products.

72 posted on 09/15/2003 8:55:11 PM PDT by justlurking
(In reply to #68)

To: HairOfTheDog
Oh good grief..... It is just not that big of a deal to stay up with patches.... Would rather have them real time than not have them.....

Cry me a river! No pity from me PE!

It's not that big a deal when you've only got a few computers that you have to deal with... But I've got clients with lots of users, scattered all over the country, many of which don't have direct Internet access, though they still have access to email, and it's damned near impossible to patch a Windows system that doesn't have Internet access. In other cases, we've got some schools who are clients, and they simply don't have the manpower to run around to over 2000 systems to apply patches, or run Windows Update (can't apply patches without having local administrator access, and there's no way that the students are getting that sort of local access). Even if you can get all of their patches in downloadable form, then you have to take the time to be sure that they're rolled out, something that can take over an hour to do properly.

If you're dealing with a large system, it gets very time consuming and very expensive, very quickly!

Mark

73 posted on 09/15/2003 8:56:19 PM PDT by MarkL (See Dante Run... Run Dante Run! See Priest Score! Score, Priest, Score! (Go Chiefs!))
(In reply to #29)
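The rollout problem Mark describes (many hosts, some without Internet access, and no way to know which ones actually received a patch) is usually attacked with an inventory check rather than by visiting machines. The script below is an added example, not code from the thread or from any of the tools it mentions. It assumes PowerShell 3.0 or later, admin rights on the target hosts, and WMI/RPC reachability over the LAN (no Internet access is needed); the host names and KB numbers are placeholders to replace with your own.

```powershell
# Added example: report which required hotfixes are missing on a list of Windows hosts.
# Host names and KB identifiers below are placeholders, not values from the thread.
param(
    [string[]]$ComputerName = @('host01.example.invalid', 'host02.example.invalid'),
    [string[]]$RequiredKB   = @('KB0000001', 'KB0000002'),   # placeholder KB ids
    [string]$ReportPath     = '.\patch-gap.csv'
)

$report = foreach ($computer in $ComputerName) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering on the target; it works over the
        # LAN without the target having Internet access, but needs admin rights there.
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
        $missing = @($RequiredKB | Where-Object { $_ -notin $installed })
        [pscustomobject]@{
            ComputerName = $computer
            Reachable    = $true
            MissingCount = $missing.Count
            Missing      = ($missing -join ';')
        }
    }
    catch {
        # Unreachable or access denied: record it explicitly. A host that cannot be
        # queried must never show up as "compliant" in the report.
        [pscustomobject]@{
            ComputerName = $computer
            Reachable    = $false
            MissingCount = $null
            Missing      = "ERROR: $($_.Exception.Message)"
        }
    }
}

# CSV for the ticket/tracking system, table for the console.
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table -AutoSize
```

Save it as a `.ps1` file and run it from an elevated prompt. The `Reachable` column is the part worth keeping: on a fleet of a few thousand machines, the hosts that could not be queried are exactly the ones most likely to be the unpatched ones, so they deserve a follow-up rather than being dropped from the count.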

To: tortoise
We use exposed Linux servers all over the Internet running fiber backbones in a number of capacities (over my objections, actually) and I believe they have had exactly one security bulletin over the last year and a half that actually required them to patch something

Great, kids. The moral of the story is if you turn off EVERYTHING, you don't have to patch your box. What a benefit .../SARCASM
74 posted on 09/15/2003 8:59:45 PM PDT by Bush2000
(In reply to #70)

To: Coral Snake
I would like to point out to you and the rest of my former ping buddies that INITIALIZED profanity can be subject to the Abuse button too.

Your mere presence is profane.
75 posted on 09/15/2003 9:00:37 PM PDT by Bush2000
(In reply to #71)

To: tortoise
Don't worry too much about Bush2000. He and his buddies always disappear when they realize that their talking point for the day is a LOSER.
Funny I notice that you have a reptilian screen name just like I do. ;-).
76 posted on 09/15/2003 9:00:43 PM PDT by Coral Snake (Biting commies, crooks, globalist traitors, islamofascists and any other type of Anti American)
(In reply to #47)

To: palmer
The first thing that you need to do is get yourself out to Steve Gibson's web site and download a number of files... I don't know if I remember them all, but you will want to get socket-to-me and socket-lock, which puts the kibosh on raw socket access, which can leave your system vulnerable, un-plug-n-pray, which disables UPnP (something that the FBI strongly recommends), shoot-the-messenger, which will turn off the messenger service altogether, and Xpedite, which you shouldn't need if your patches are up to date. Then run a Shields Up port scan to see how vulnerable you are.

Mark

77 posted on 09/15/2003 9:01:10 PM PDT by MarkL (See Dante Run... Run Dante Run! See Priest Score! Score, Priest, Score! (Go Chiefs!))
(In reply to #37)
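Two of the steps Mark lists (turning off the Messenger service and disabling UPnP) need no third-party download; the built-in service controller does the same thing and leaves an auditable state. The script below is an added example, not from the thread or from Steve Gibson's tools. It assumes the Windows XP/2000 service names `Messenger`, `SSDPSRV` and `upnphost` (Messenger, the `net send` service, no longer ships on current Windows, which the script tolerates), an elevated PowerShell session, and Windows 8 / Server 2012 or later for `Get-NetTCPConnection`. The raw-socket lockdown has no service toggle and is left out.

```powershell
# Added example: stop and disable the Messenger and UPnP services, then list what is
# still listening. Service names are the Windows XP/2000 ones (assumption).
$servicesToDisable = @('Messenger', 'SSDPSRV', 'upnphost')

foreach ($name in $servicesToDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Newer Windows versions do not ship the Messenger service at all.
        Write-Output "$name : not present on this system, nothing to do"
        continue
    }
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name $name -Force
    }
    # Disabled rather than Manual, so nothing can start it again on demand.
    Set-Service -Name $name -StartupType Disabled
    Write-Output "$name : stopped and disabled"
}

# Local counterpart of an external port scan: which TCP ports are still accepting
# connections, and which process owns each. On older systems use: netstat -ano
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize
```

The listening-port table is the check to keep after the hardening: anything still bound to `0.0.0.0` that you cannot name is the next service to look at, and an outside scan such as the one Mark mentions should agree with it once a firewall is in front of the machine.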

To: justlurking
Microsoft themselves claimed (in court) that IE was an integral and inseparable part of Windows.

They might have made that claim but the court didn't buy that argument. The court went so far as to order MS to disintegrate them. So try again.

If you want to attribute them as Linux security problems, then they are potential Windows security problems as well -- even though they are not Microsoft products.

Get real. Mozilla and Apache and Netscape aren't distributed on Windows disks. But they are distributed with Linux.
78 posted on 09/15/2003 9:05:34 PM PDT by Bush2000
(In reply to #72)

To: N3WBI3
I have 12 updates (one is critical) in the past week that have gone to test. They average far more than four a month..

Actually, on a client system where I installed an OEM copy of WindowsXP, complete with SP1, when I went out to WindowsUpdate two weeks ago, I was informed that there were 28 critical updates... How long has WinXP SP1 been out? BTW, I suspect that the number is now greater.

Mark

79 posted on 09/15/2003 9:08:04 PM PDT by MarkL (See Dante Run... Run Dante Run! See Priest Score! Score, Priest, Score! (Go Chiefs!))
(In reply to #56)

To: Bush2000
Great, kids. The moral of the story is if you turn off EVERYTHING, you don't have to patch your box.

No, genius. The point is that you turn off what you don't need and configure it so that it is as secure as possible. We probably have around ten different network daemons running on them at any given moment on average. Nonetheless, the OS has not needed to be patched and only one of the myriad of daemons that we run had to be patched. These boxes do most everything that a normal Unix server does plus some extra things most Unix servers do not. They have simply been trouble free for the most part and no security vulnerabilities have been published for the various applications we use (excepting the one).

80 posted on 09/15/2003 9:12:58 PM PDT by tortoise (All these moments lost in time, like tears in the rain.)
(In reply to #74)
