Windows Server 2003 gets first security patch

Despite the embarrassment of having to release a security patch for its Server 2003 operating system barely two months after launch, Microsoft claims the details are a positive sign for trustworthy computing.
Written by Peter Judge, Contributor

Less than two months after launching its Windows Server 2003 operating system, Microsoft has released a security patch to fix a vulnerability that could let malicious sites run damaging code on the server.

Although security experts -- even those at Microsoft itself -- had pointed to the company's latest server OS as the first test of the software giant's massive Trustworthy Computing initiative, representatives maintained that the patch did not mean the release had been a failure in its security practices.

"It actually highlights positive progress in Trustworthy Computing," said Microsoft's U.K. security chief, Stuart Okin, explaining that Server 2003 is significantly hardened in comparison to previous versions of Windows.

The vulnerability has less effect on Server 2003 because it relies on services that are switched off by default in that version of Windows, explained Okin. Earlier versions of Windows have services switched on by default, which can be used to form part of an attack. The company has already issued tools to lock down previous versions of Windows, but these are not universally applied.

Windows Server 2003 is the first major release of Windows to come out since the company's much-publicised decision to emphasise security and make sure all its code is trustworthy. The operating system was delayed three times, partly to improve security and reliability. It has therefore been seen as a test of whether the company really can make products which are more secure, and stem the string of security flaws and vulnerabilities that have marred its operating systems in the past.

The new flaw affects Internet Explorer 6, which ships with Windows Server 2003, as well as other Microsoft operating systems. It is fixed, along with other IE6 flaws, in a cumulative patch released on Wednesday. Although the patch is rated "critical" for all other operating systems, it is only "moderate" for Server 2003, according to Microsoft's system for grading the severity of the vulnerabilities it addresses.

A security patch so soon after the release is potentially embarrassing, but independent security researchers agreed that the default configuration of Windows Server 2003 seems more secure.

"You can always (change the settings and) make your system insecure, but the major issue is that it comes secure in its initial configuration," said Johannes Ullrich, chief technology officer for the Internet Storm Center, run by SANS, the SysAdmin, Audit, Network, Security Institute.

Most installations of Windows Server 2003 will never need to have a Web browser, Ullrich said, unless the system is used as a Windows terminal server, where multiple users log on to the computer and run their software right off that system.

In late May, Microsoft vowed to fix a backwards-compatibility problem with the backup component of Windows Server 2003, a minor flaw that didn't affect security.

Jeff Jones, Microsoft's senior director of Trustworthy Computing, stressed that the company has never said that it would eliminate bugs from its system. That's largely seen as an impossible task.

"We are not claiming that there won't be a critical vulnerability; there will be one eventually," Jones said. "The really significant aspect here is that we have reduced the attack surface" of Windows Server 2003.

Microsoft measures the potential avenues for attacking its applications as that software's Relative Attack Surface Quotient. If a critical vulnerability is found, but the attacker can't remotely exploit the flaw, then the threat is largely mitigated, Jones said.

The vulnerability was found by security specialist eEye in March, but there was no evidence of anyone using attacks based on it, so it was dealt with quietly, said Microsoft. Because Windows Server 2003 had already been released to manufacturing, the patch had to be developed and released at a later date.

While some patches can be put together in days, this one took somewhat longer. "There is no standard template for how long a patch takes to create," said Okin. The patch was not seen as an emergency because the vulnerability was not being used by hackers, and there were lots of mitigating factors making it less dangerous, he said.

The announcement comes one day after Microsoft's global security chief, Scott Charney, reiterated Microsoft's promises to simplify the way it distributes patches to users. Since Server 2003 was released, the company has also issued a guide to implementing the operating system securely.
