Microsoft Versus
Dissecting Microsoft | Directory

Security Patches

From Jason Coombs' mailing list response to Bruce Schneier regarding Microsoft patch management and the Sapphire / SQL Server Slammer worm:

Microsoft Baseline Security Analyzer (MBSA) and Microsoft's version of HFNetChk both failed to detect the presence of the well-known vulnerability in SQL Server exploited by Sapphire, which is one of the reasons so many admins (both inside and outside MS) had failed to install the necessary hotfix. MBSA and HFNetChk are Microsoft's official patch status verification tools meant to be used by all owners of Windows server boxes...

...In addition to designing MBSA to avoid scanning for SQL Server vulnerabilities, failing to update mssecure.xml reliably and in a timely manner, deprecating HFNetChk by pushing the MBSA GUI as its preferred replacement, and hiding the details of the technical limitations and internal security assumptions made by design in Microsoft's security analysis tools, Microsoft pushes Windows Update ( as a safe and reliable way to keep Windows boxes up-to-date. Unfortunately, Windows Update isn't designed to supply or verify the presence of SQL Server hotfixes, either.

None of Microsoft's own hotfix/patch status scanning tools designed to prove "baseline security" were able to help administrators avoid Sapphire. This entire scenario, this comedy of errors, illustrates the security risk created by any organization that pushes security around from department to department, passing the buck and hoping that somebody else will know how to deal with the problem. The result is a system so flawed that it borders on the absurd.

The MBSA also fails to determine if some client patches are installed. One patch for a JPEG vulnerability is often too complicated for MBSA to detect and a WordPerfect file converter patch is simply ignored. If the fundamental security tool for administrators is incorrect or incomplete it's a useless application. It leaves administrators with the task of checking for updates by other methods, such as SMS or Windows Update Services, so there's almost no point to having the tool in the first place.

It's possible Microsoft is delaying fixing many security issues until NGSCB (previously known as Palladium) is released around 2007. This would avoid having to take the resources to fix problems now while claiming greater security and control later. However, these security actions are also a great threat to free speech and are restricting free use.

Installing Microsoft's patches for security vulnerabilities also carries risk. More than a few patches have created new vulnerabilities or introduced other new bugs such as severe performance degradation. One patch corrupted files in compressed folders and received no immediate attention from Microsoft. This implies lack of planning and testing before distribution. Installation of patches in a certain order can also introduce new problems. These risks require IT departments to test patches before distribution, leaving vulnerabilities in place during testing. The frequency of fixes by Microsoft further complicates the release of patches to production systems. These issues with Microsoft's software updates don't relate to only non-Microsoft software. Their security updates sometimes break their own software. Security patches may not seem a critical issue to every computer user, but consider that in the health care industry Microsoft's patches can literally affect people's lives.

Let's take the Windows XP Service Pack 2 as an example. Microsoft spent more than 7 months in 2004 developing and testing this huge operating system upgrade. Regardless of these efforts it was a very problematic experience for more than one third of the users who installed it. For many users, the only result was a blue screen and complete reinstallation of XP. It causes many problems for security and virus applications, which could be understandable since this update involves major security changes. But these issues are difficult to resolve manually and there are also many issues that aren't related to security. Hundreds of programs, including Office XP, do not function properly with SP2 installed. Many application issues were expected to arise, but not Windows hangs and crashes, especially after so much testing. And even after all this work to secure Windows, security issues were discovered in Service Pack 2 just days after releasing it to users via Windows Update. Even the firewall, which is intended to block network traffic as necessary, allows any user on the Internet to remotely view all files on the computer when configured in certain unexpected ways.

Copyright © 2004-2007 Matthew Schwartz