Comment: After the Download.Ject attack, Microsoft last Friday released a "configuration
change" it wants people to apply to installations of the Windows XP, Windows
Server 2003 and Windows 2000 operating systems.
The software behemoth announced the move in a bid to shut down any additional
exploitation of a vulnerability that affects Windows-based desktop and notebook
Microsoft says that users who have beta versions of its forthcoming Service
Pack 2 for Windows XP installed are already protected. (The company posted its
statement regarding the configuration change on its Web site.)
latest episode also points at the time constraints of dealing with malicious
code. Crucial days--if not hours--can elapse between the moment vulnerabilities
surface on the Internet and the time vendors get around to releasing patches and
In this case, Microsoft said the configuration change is "currently
available" on the company's Web site and would be made available later in the
day on Windows Update. Windows Update is the Microsoft-run service that can
manually or automatically update Windows systems, depending on how users have it
Microsoft is trying to limit
the length of time authors of malicious code have to inspect software fixes, to
write and distribute malware that exploits the vulnerabilities, and to attack
still-unprotected systems. But the process reveals a lack of attention to
detail--and that's the bigger problem because it represents a glaring
shortcoming in the company's Trustworthy Computing initiative.
The notice, which was posted on Microsoft's site by 9 a.m. on July 2, 2004,
says the Windows Update service will be distributing the fix later in the day.
People who want to move more quickly are directed to download the code from
Microsoft's Download Center.
But clicking the link will lead to a page that offers not a clue about where
to find the fix that Microsoft says is there. The site lists popular downloads
and even featured downloads. But nowhere is something that says, "If you've come
here for the download that protects you against Download.Ject, click here!"
The only hope of finding it is in a link that expands the list of
most-popular downloads to one that's more comprehensive. I clicked on that. A
scan of the list offers no clues as to whether one of the downloads might be the
one I'm looking for. At the very least, a list of dates should be shown here.
So, in exasperation, I entered "Download.Ject" into the keywords search
field. Presumably, when I hit go, this will take me to the download I'm looking
for. But still nothing.
Microsoft had no comment at the time this story was published about why the
statement refers to a download that can't be found. But it did offer a link that
leads directly to the download. Unfortunately, following this link reveals yet
Instead of mentioning Download.Ject or "keystroke logging" (some keywords
that users will want to see in order to know that they've reached the right
place), the heading on the page appeals to software developers instead. It says
"Critical Update for Microsoft Data Access Components - Disable ADODB.Stream
object from Internet Explorer (KB870669)." The more recognizable keywords aren't
mentioned in the description of the update either.
This glitch in Microsoft's processes doesn't speak well of the Trustworthy
Computing initiative or the attention to detail that Microsoft is applying to
the most dangerous of transgressions. In order to breed confidence, Microsoft
still must go to greater lengths to make sure that updates for securing systems
are ready to go before announcing them. And it must also post prominent and
easy-to-understand road signs that point regular users and administrators of
Windows systems to the highest priority updates as quickly as possible.
Berlind is executive editor at ZDNet.