Users last week reacted with a mixture of concern and resignation to the discovery of a critical flaw in almost all versions of Microsoft Corp.'s Windows software, including the Windows Server 2003 operating system.
The vulnerability exists in a communication protocol that deals with message exchange over TCP/IP. It allows attackers to take over a victim's system and install malicious code; view, modify or delete data; or create new user accounts.
"It is probably the most serious vulnerability that we have seen from Microsoft in the past 12 to 18 months," said Chris Rouland, director of Internet Security Systems Inc. in Atlanta.
The flaw -- word of which followed the announcement of another major Windows vulnerability only a week before -- highlights the continuing challenge that users face in securing Microsoft software, said Scott Loach, senior information security engineer at Raymond James Financial Inc., a financial services firm in St. Petersburg, Fla.
Raymond James had just completed patching 500 Windows servers against the previous flaw and is now scrambling to protect its systems against the new vulnerability. The frequency with which such patching is needed has prompted the company to consider automated patching technology, Loach said.
"We've had endless meetings with Microsoft about the state of their security and the way these patches come out and the trouble it causes us," Loach said. "It's just what you have to live with" when dealing with Microsoft, he added.
The flaw discovered this week "is the latest in a seemingly never-ending stream of issues that afflict (Microsoft) products," said Bruce Azuma, corporate director of information technologies at Wilbert Inc., a Broadview, Ill.-based company in the funeral services and industrial plastics businesses. "As a medium-sized business user of Microsoft, I am growing more and more concerned with Microsoft's ability to release stable, secure products."
Such flaws also raise questions about the efficacy of Microsoft's Trustworthy Computing initiative, said John Cowan, corporate IT director at Caldwell Industries Inc., a Louisville, Ky.-based injection molding manufacturer.
"On a scale of 1 to 10, I would give (the initiative) a 3," Cowan said. "I don't know what the problem is, but it doesn't look like they have been able to lock down their software like they said they would."
Discovery of the flaw "cracked the bubble" around Windows Server 2003 security and will force Microsoft to redouble its efforts to find out what went wrong, said Pete Lindstrom, an analyst at Spire Group, a consultancy in Malvern, Pa. But it would be premature to see it as a sign of broader security problems in Windows Server 2003, he said. "I would be embarrassed for anyone who jumps to that conclusion."
It's not surprising that the flaw found its way into Windows Server 2003, said Russ Cooper, an analyst at Reston, Va.-based TruSecure Corp. and moderator of the popular NTBugtraq mailing list. "For all its work, Microsoft knows that solving the buffer-overflow problem is not going to happen," Cooper said. "They can reduce the number, minimize the effects for some services, but (neither) they nor anyone else can get rid of them, no matter what hype is associated with it."
Kevin Kean, director of Microsoft's security research center, this week insisted that the company's Trustworthy Computing initiative is working, despite the fact that serious flaws keep cropping up in Windows software. "(Trustworthy Computing) is a long-term vision," Kean said. "We are committed to improving (the initiative) on an ongoing basis. When we find something that goes wrong with a (Trustworthy Computing) process, we try to figure out where we need to make progress."
One sign that Microsoft's initiative has begun to pay off is the relatively low number of flaws uncovered in Windows Server 2003 so far, compared with Windows 2000 at the same stage, Kean said. Just four security bulletins have been released for Windows Server 2003 so far, compared with 14 for Windows 2000 in the same period.
Some users agreed with Kean's assertion.
"From my limited experience with (Windows Server) 2003, I think Microsoft has gone a long way. I'm pleased with their progress and their apparent stronger focus on security," said Mike Tindor, vice president of network operations at First USA Inc., an Internet service provider in St. Clairsville, Ohio.
"(Windows 2003) shows a complete reversal in deployment methodology compared to earlier versions, when everything was turned on and left unsecured by default," said Antony DeVoto, a Windows NT systems administrator at Volvo Finance North America Inc. in Montvale, N.J.
"In fairness to them, they are doing the right things," said David Rymal, IT director at Providence Health System in Everett, Wash. "Finally, we are seeing Trustworthy Computing making a difference that should benefit us all. They are taking security very seriously, and they are certainly getting better at it."