
Windows leak fuels unease

More Microsoft security concerns

Madeline Bennett and Dave Bailey, IT Week 16 Feb 2004

Concerns over Microsoft security deepened last week after closely-guarded Windows source code leaked onto the web, and it emerged that significant operating system flaws remain unpatched months after their discovery.

Microsoft confirmed the leaked code was from Windows 2000 and NT 4.0, and said police were investigating. It said there was no impact on customers at present.

The software giant also last week issued a critical patch for all Windows systems from NT onwards, even though security firm eEye alerted it to the problem over six months ago. The apparent lack of urgency at Microsoft was underscored by the fact that the firm stuck to its monthly patch release schedule to publish the critical update.

Stuart Okin, chief security officer of Microsoft UK, said: "If it's a question of waiting 24 hours or a week until we were comfortable with the testing point, then we will release the patch as part of the monthly cycle."

Microsoft had previously assured users that critical patches would be issued out of the regular cycle to reflect their importance.

Last week eEye said there was more trouble in store for Microsoft users as it listed a further seven unpatched flaws.

The latest fix again called into question the quality of Microsoft's patches.

Firms with NT were only vulnerable to last week's flaw if they had applied a previous Microsoft patch, issued in October.

Microsoft said the long wait for the patch had not caused harm because the security firm that spotted the flaw promised to keep it secret. "We're not always going to get this grace period, and sometimes have to reduce the quality of the testing if there's a higher risk (of publicity)," said Okin. "But we feel this one has gone through thorough testing."

Microsoft's record for patch testing is not good. Last March, it issued a patch that caused some Windows 2000 Server systems to fail. But eEye chief executive Marwan Naja said giving vendors indefinite time to release fixes could work against end-users' interests. "We expected the patches sooner," said Naja. "Our web site is there to keep a tab on the guys who can be lazy, to say, 'You have to move faster.'"

Despite concerns, firms are applying last week's fix. Tarek Meliti of server host TDM Group said, "There's no workaround. We've emailed all customers telling them to patch."

The flaw affects Microsoft's Abstract Syntax Notation (ASN) library, which defines the syntax of messages sent between applications. There are many avenues open for attackers, including Kerberos and digitally-signed email. This is not the first ASN vulnerability to surface; in June 2002, ASN flaws were found in Cisco network kit.
