subject: Microsoft set to backtrack on SP2 advice posted: Tue, 17 Aug 2004 17:18:12 +0100
[heh - ***Anyone For unix???*** Speaking as someone who *will* be
called to about six different offices at once on the day this patch
comes out, due to the auto-activating firewall, and as I had to
enable autoupdates because M$ software was so crap in the first
place, and as I had to install XP because M$ licensing prevents my
customers from buying anything else, ... "some severe distress" is
not in the ballpark. Its more like, pulling my fucking hair out.
Except I am gonna make a lot of cash out of the problems SP2 causes
so I will just blame Bill, shake my head and laugh from a distance.
My ole' 98 PC is just fine, thanx! Ho ho ho. Stu]
16 August 2004
Microsoft set to backtrack on SP2 advice
Company caught between rock and hard place
By Munir Kotadia, Techworld
Microsoft is set to backtracking about the importance of installing
the Windows XP service pack update. A leaked e-mail, dated 11 August,
from a senior source within Microsoft’s security team says that the
company should reduce the severity rating of the update from
“Critical” to “Important” - even though it admits that this will mean
most users’ machines will remain infested with worms and viruses.
The move follows concerns by sysadmins that the ‘critical’ rating
would upgrade unmanaged PCs automatically, causing difficulties for
IT departments. But the company recognises that it’s in a difficult
position.
“We would need to push consumers to take action to install [SP2] and
recognize that many would not do so,” says the executive in the e-
mail. “The effect of that is that worms and viruses will propagate
through those machines as before. We are between the rock and the
hard place,” he added.
Microsoft would not comment on the content of the leaked e-mail but
the press office has not confirmed that the severity rating of SP2
remains 'critical'.
Mikko Hypp"nen, director of anti-virus research at Finnish company F-
Secure, said the vast majority of malware authors’ create viruses and
worms by dissecting patches to uncover the original vulnerability.
The technical information contained inside a patch is used to develop
the exploit.
By releasing the update as “Important”, Hypp"nen said Microsoft is
allowing the “bad guys” to get a head start on creating the next
generation of viruses and worms.
“If a fix for a common problem is available, but it's not widely
installed to affected computers, it might actually make things worse.
‘Black hat’ hackers get the latest patch, run it, and compare the
patched program with the original, un-patched program. This way they
can pin-point exactly what was fixed and figure out a way to exploit
it,” said Hypp"nen.
Unfortunately, before Microsoft can help the millions of consumers
affected by viruses, it has to consider the effect a significant
software update will have on its most profitable customers, the large
corporates.
According to the Microsoft security advisor’s e-mail, he is worried
that IT administrators will lose control over remote worker’s
machines that use Auto Update – as recommended on Microsoft’s Web
site -- and as a result many remote workers would be locked-out of
corporate applications.
“While it is fair to say that they [enterprise customers] knew SP2
was coming… and that it would cause some problems in deployment… they
did not know that it would be rated critical. The critical rating
means that their unmanaged machines, from remote employees to
independent sales staff to contract employees and partners, will be
upgraded without the involvement of the IT staff. That is causing
them some severe distress,” the Microsoft security executive said.
In order to deploy a service pack or operating system (OS) update
reliably, larger organisations usually spend months or even years
modifying and testing their applications before starting the
migration process.
To ease the transition, Microsoft has launched a software tool that
enables IT administrators to hold off the automatic update system for
120 days. But this was never going to be enough.
“As you know, most of our customers take substantially longer [than
120 days] to test and deploy OS upgrades, which is how they view SP2.
I agree with the decision that SP2 is a critical upgrade for
consumers but… it seems to me that the only solution, which may be
unpalatable, is to downgrade the severity of the SP2 release to
Important so that the upgrade does not occur automatically,” the
security advisor said.
But anti-virus companies are warning that such a move is likely to
increase the amount of viruses and worms circulating on the Internet
and actually make life worse for most Windows users.
Graham Cluley, senior technology consultant for anti-virus company
Sophos, said viruses and worms are likely to be developed
specifically to target non-SP2 systems.
“It's quite likely. There will be some people who have either not
patched or updated to SP2. Those users will be at risk from attack,”
he said.
Microsoft firewall could be security risk - Company admits to some
flaws
[the firewall is inbound only!!!! half worthless! and!!! it can be
disabled by other programs! cool!!!!!!! Ready to shell out on new
SP2-compatible firewalls? hehe. - Stu]
---
* Origin: [adminz] tech, security, support (192.168.0.2)
generated by msg2page 0.06 on Jul 21, 2006 at 19:04:09
search: