An In-Depth Look Into Windows Security in 2003
by Mirko Zorz - Monday, 22 December 2003.
Earlier this year, Craig Fiebig, general manager of Microsoft's security business unit told vnunet that "Providing reliable, easy-to-install patches is expensive and troublesome". I asked Cooper what he thought on the subject and he said: "Of course patching remains a very complex, time-consuming, and difficult task. The tasks required to ensure continued operation through any upgrade or patch application are not likely to be employed by most. Testing, preferably in an environment not directly connected to your production network, with sufficient replicated servers to accurately gauge the results, is expensive and resource intensive. Couple that with frequent releases of newer patches replacing ones you just tested, and it gets a bit much for the average business. Consumers may be better able to blindly accept new updates, but companies certainly can not, and should not, rely entirely upon the presence of a patch as the determining factor as to whether to install it."

Patching is an enormous issue according to Ed Skoudis. He notes that: "Unless we all deploy patches, our systems will continue to be massively vulnerable. I wholeheartedly expect to see several major new vulnerabilities discovered in 2004, with the subsequent (or even prior!) release of worms to exploit them. Therefore, we've got to press the vendors to release _good_ patches quickly, and we must deploy them."

"Happily, applying patches to end user desktop/laptop systems now is easier than ever, with new patch distribution sites available from Microsoft, Debian, and a variety of other vendors. Once a user realizes how painless it is to patch their desktop/laptop system once, I am hopeful that they will return frequently and keep their systems up to date. I do expect end-user awareness of this issue to increase in 2004," he added.

While the large number of security patches aimed at Windows XP users are mostly installed without much thought, administrators are in a completely different position, as they have much more to account for. Skoudis said: "Sysadmins continue to be skeptical and worried about the implications of the latest patches. A wholesome, useful patch may have unintended consequences, disabling important applications. Such concerns have and will continue to slow down patch deployment on the server. I was actually happy to see Microsoft's announcement regarding regular monthly patch release days. This will help us all schedule patch testing and deployment into our work processes, smoothing the process. In short, 2004 is going to be rough, but I expect to see some level of improvement on the patching issue."

It's all about trust

One of the widest security discussions this year was certainly focused around the Microsoft Trustworthy Computing initiative. Some were praising it while others like Russ Cooper weren't that happy about it and back in February he said that, in his opinion, the initiative was failing.

Ten months later I was curious to hear what Cooper thought on the subject. He said: "At this point I will give Microsoft a 'D' for 2003's efforts. The 'Protect Your PC' effort is a very good start at outreach to the consumer community. I feel there are more and better things they should do, such as free upgrades for everyone with a licensed copy of a Windows OS to Windows XP, availability of a Windows Update CD at convenient locations such as Wal-Mart, and modifications to how the OS is configured by default."

Does anyone notice Microsoft's efforts?

