New Windows Patch Proves Tricky
Fri Oct 1,10:25 AM ET
By Brian Krebs, washingtonpost.com Staff Writer
The emergence of a new Internet virus targeting a Microsoft Windows security flaw could cause more damage than usual because the company's system for fixing the problem is so complex that many people will not bother to download it, security experts warned.
On Sept. 14, Microsoft released a patch to remedy a problem in the way the company's products process digital image files. That problem could allow attackers to take control of computers running the Windows XP (news - web sites) operating system, Server 2003 software and Microsoft Office just by getting people to open an e-mail message or visit a Web site. Microsoft Office is a bundle of products that includes the popular Word, Excel and Outlook e-mail programs.
Microsoft has waged an extensive public relations campaign to convince users to set up their computers to receive software patches through the company's automatic update service, but some experts said that many users do not know that they might need to manually apply other patches at a separate Microsoft Office Update Web site to ensure that their PCs are protected against the threat.
Windows users who receive automatic updates or go to Microsoft's Windows Update site can use a scanning tool that tells them whether they need to visit its Office Update site for other fixes. But patching Office often requires users to take additional steps. For example, users who have not installed any previous Office patches will need to download and install those fixes before their computers will accept the latest patch. The Office site also may require users to have their original Microsoft Office CD-ROM handy.
Computer security experts say those extra steps have proven challenging and time-consuming even for them.
"We talked to [computer network] administrators who thought their systems were patched when all they really did was install these scanning tools," said Russ Cooper, chief scientist at Herndon, Va.-based TruSecure Corp. "I can see this creating confusion and a false sense of security for a lot of average computer users out there."
Patching Microsoft Office can be a relatively painless job or a lengthy chore depending on how the product was installed. For businesses and consumers who installed Office on their computers via the supplied Microsoft CD-ROM, patching Office involves popping the CD into each computer, a labor-intensive and expensive undertaking for small- to mid-sized organizations.
The University of Richmond, for example, faced the job of installing the patch on more than 1,000 faculty and staff computers. The school instead removed Office from the computers and reinstalled the software on every PC through the school's computer network.
Chris Faigle, Richmond's security administrator, said the bigger problem is that many students will not take the manual steps to protect themselves against the flaw.
"When we turned on automatic updates at registration time our intention was that students would get the updates and wouldn't have to mess with any of it," he said. "All we can do for now is get the word out there about the steps people need to take [to deal with] this and hope that our anti-virus tools save us if a worm or virus emerges in the meantime."
Failing to run the patch could prove dangerous for computer users. Earlier this week, hackers exploited the security hole in several online attacks, and some security experts expect that computer virus writers soon will use the flaw to launch an outbreak. Microsoft rated the flaw as "critical" -- its most severe rating -– meaning that hackers could use it to hijack vulnerable computers. Hackers often use commandeered PCs to relay spam e-mails and to wage online attacks against other computers or Web sites.
So far, no serious threat has emerged. On Sept. 24, technicians at Internet service provider Easynews spotted at least two photos in an adult online newsgroup that contained tools to take advantage of the flaw, but the virus was not considered a high threat because it could not spread from one PC to the next.
Stephen Toulouse, program manager at Microsoft's security response team, said the company plans to release more tools to make applying the new patch less confusing for customers. He declined to offer details on specific steps the company will take.
"We recognized from the beginning the complexity of this particular update, and we've gotten a lot of feedback from customers that there is more we can do in this area," Toulouse said.
Microsoft estimates that "tens of millions" of copies of the patch have been downloaded, a typical number of downloads in such a case.
Toulouse said the software giant plans to roll out a one-stop Microsoft Update site sometime next year that provides automatic updates for all of the company's products from a single source.
Critics of the update system also said that Microsoft users who navigate through the Office Update requirements still may not be completely protected because dozens of non-Microsoft products incorporate Microsoft's vulnerable image-processing engine, but Microsoft's scanning tool does not identify those programs as vulnerable.
"When people have reason to believe they did the security updates correctly when in fact they didn't, that goes back to Microsoft not doing a good enough job of walking users through this," said Tom Liston, a security volunteer at the SANS Internet Storm Center. Liston said he was so dissatisfied with Microsoft's scanning tool that he created and released a free software program to help scour PCs for non-Microsoft products that might also need patching.
"Microsoft has left a lot of users hanging this time and there's a good possibility they're soon going to end up looking silly because of it," Liston said.
Article URL
http://story.news.yahoo.com/news?tmpl=stor...a64737_2004oct1
