Microsoft's patch and pray model

Microsoft's quick-fix Windows security patches seem to be creating problems of their own, so is it wrong for them to be released in the first place?

Fran Foo, ZDNet Australia
Commentary: Imagine, for a moment, that Microsoft were a hospital.

You're wheeled in for hip replacement surgery but end up with one leg amputated. Shattered, you're told not to worry ... the commonly available (and cheap) vitamin C will help control any pain. But that's not the point ... what about the leg?

You can imagine the multitude of malpractice suits in such cases.

Unfortunately, the reality is that Microsoft will not compensate customers harmed by its flawed products. It's 'buyer beware' all the way.

Reading about the latest Windows patch -- which incidentally was problematic -- made me thank my lucky stars Microsoft wasn't directly involved in healthcare (I know some of you might be sniggering right now what with the state of our public hospitals).

The latest patch, released with Microsoft Security Bulletin MS05-051 (Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution) on October 11, was meant to fix critical security flaws in:

  • Windows 2000 Service Pack 4
  • Windows XP Service Pack 1 and Service Pack 2
  • Windows XP Professional x64 Edition
  • Windows Server 2003 and Windows Server 2003 Service Pack 1
  • Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Server 2003 x64 Edition

"An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

"We recommend that Windows 2000 and Windows XP Service Pack 1 customers apply the update immediately. We recommend that customers using other operating system versions apply the update at the earliest opportunity," Microsoft said in the bulletin.

So sys admins around the world swung into action and started applying the fix. Installing the patch was supposed to close holes that could be exploited remotely to take control of a machine, among other issues.

Unbeknownst to them, the solution to the problems had, well, problems of its own. A few days later, Microsoft published a support advisory acknowledging that the update could break systems it was installed on.

"On a computer that is running Microsoft Windows XP, Windows 2000 Server, or Server 2003, one or more problems may occur after you install the critical update that is discussed in Microsoft Security Bulletin MS05-051," the company said in an advisory.

Microsoft admitted that users who installed the patch could face a host of issues, including the inability to log on, Windows Firewall and Windows Installer refusing to start, an empty Network Connections folder, and many more.

Was it wrong for the company to release the patch in the first place?

Fortunately for Microsoft, most customers seem to have taken the developments in their stride (lucky they still have their legs). Enterprise software is a complex animal and trying to fix a maze of code is no mean feat -- this is something customers understand. But the complexity also makes it harder to drill down to the source of the problem.

With no proper answer in sight, using Microsoft's products is increasingly costing an arm and a leg.

I've always said that an organisation's greatest enemy is internal forces, and not the competition. Microsoft's self-inflicted wounds in this whole saga are a great example.

Do you think Microsoft's latest security blunder will drive enterprise customers to investigate alternative operating systems or are Windows users generally happy with the company's products? E-mail us at edit@zdnet.com.au or talkback below.

Fran Foo is ZDNet Australia managing editor.