Microsoft's patchwork mess

comment ZDNet's David Berlin explains the flaws in Microsoft's patch process.
Written by David Berlind, Inactive
comment After the Download.Ject attack, Microsoft last Friday released a "configuration change" it wants people to apply to installations of the Windows XP, Windows Server 2003 and Windows 2000 operating systems.

The software behemoth announced the move in a bid to shut down any additional exploitation of a vulnerability that affects Windows-based desktop and notebook PCs.

Microsoft says that users who have beta versions of its forthcoming Service Pack 2 for Windows XP installed are already protected. (The company posted its statement regarding the configuration change on its Web site.)

But the latest episode also points at the time constraints of dealing with malicious code. Crucial days--if not hours--can elapse between the moment vulnerabilities surface on the Internet and the time vendors get around to releasing patches and configuration changes.

In this case, Microsoft said the configuration change is "currently available" on the company's Web site and would be made available later in the day on Windows Update. Windows Update is the Microsoft-run service that can manually or automatically update Windows systems, depending on how users have it configured.

But the process reveals a lack of attention to detail--and that's the bigger problem because it represents a glaring shortcoming in the company's Trustworthy Computing initiative.
Microsoft is trying to limit the length of time authors of malicious code have to inspect software fixes, to write and distribute malware that exploits the vulnerabilities, and to attack still-unprotected systems. But the process reveals a lack of attention to detail--and that's the bigger problem because it represents a glaring shortcoming in the company's Trustworthy Computing initiative.

The notice, which was posted on Microsoft's site by 9 a.m. on July 2, 2004, says the Windows Update service will be distributing the fix later in the day. People who want to move more quickly are directed to download the code from Microsoft's Download Center.

But clicking the link will lead to a page that offers not a clue about where to find the fix that Microsoft says is there. The site lists popular downloads and even featured downloads. But nowhere is something that says, "If you've come here for the download that protects you against Download.Ject, click here!"

The only hope of finding it is in a link that expands the list of most-popular downloads to one that's more comprehensive. I clicked on that. A scan of the list offers no clues as to whether one of the downloads might be the one I'm looking for. At the very least, a list of dates should be shown here.

So, in exasperation, I entered "Download.Ject" into the keywords search field. Presumably, when I hit go, this will take me to the download I'm looking for. But still nothing.

Microsoft had no comment at the time this story was published about why the statement refers to a download that can't be found. But it did offer a link that leads directly to the download. Unfortunately, following this link reveals yet another problem.

Instead of mentioning Download.Ject or "keystroke logging" (some keywords that users will want to see in order to know that they've reached the right place), the heading on the page appeals to software developers instead. It says "Critical Update for Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer (KB870669)." The more recognizable keywords aren't mentioned in the description of the update either.

This glitch in Microsoft's processes doesn't speak well of the Trustworthy Computing initiative or the attention to detail that Microsoft is applying to the most dangerous of transgressions. In order to breed confidence, Microsoft still must go to greater lengths to make sure that updates for securing systems are ready to go before announcing them. And it must also post prominent and easy-to-understand road signs that point regular users and administrators of Windows systems to the highest priority updates as quickly as possible.


David Berlind is executive editor at ZDNet.

Editorial standards