
July 3, 2004 4:00 AM PDT

Perspective: Microsoft's patchwork mess

After the Download.Ject attack, Microsoft on Friday released a "configuration change" it wants people to apply to installations of the Windows XP, Windows Server 2003 and Windows 2000 operating systems.

The software behemoth announced the move in a bid to shut down any additional exploitation of a vulnerability that affects Windows-based desktop and notebook PCs.

Microsoft says that users who have beta versions of its forthcoming Service Pack 2 for Windows XP installed are already protected. (The company posted its statement regarding the configuration change on its Web site.)

But the latest episode also points at the time constraints of dealing with malicious code. Crucial days--if not hours--can elapse between the moment vulnerabilities surface on the Internet and the time vendors get around to releasing patches and configuration changes.

In this case, Microsoft said the configuration change is "currently available" on the company's Web site and would be made available later in the day on Windows Update. Windows Update is the Microsoft-run service that can manually or automatically update Windows systems, depending on how users have it configured.

Microsoft is trying to limit the length of time authors of malicious code have to inspect software fixes, to write and distribute malware that exploits the vulnerabilities, and to attack still-unprotected systems. But the process reveals a lack of attention to detail--and that's the bigger problem because it represents a glaring shortcoming in the company's Trustworthy Computing initiative.

The notice, which was posted on Microsoft's site by 9 a.m. on July 2, says the Windows Update service will be distributing the fix later in the day. People who want to move more quickly are directed to download the code from Microsoft's Download Center.

But clicking the link will lead to a page that offers not a clue about where to find the fix that Microsoft says is there. The site lists popular downloads and even featured downloads. But nowhere is something that says, "If you've come here for the download that protects you against Download.Ject, click here!"

The only hope of finding it is in a link that expands the list of most-popular downloads to one that's more comprehensive. I clicked on that. A scan of the list offers no clues as to whether one of the downloads might be the one I'm looking for. At the very least, a list of dates should be shown here.

So, in exasperation, I entered "Download.Ject" into the keywords search field. Presumably, when I hit go, this will take me to the download I'm looking for. But still nothing.

Microsoft had no comment at the time this story was published about why the statement refers to a download that can't be found. But it did offer a link that leads directly to the download. Unfortunately, following this link reveals yet another problem.

Instead of mentioning Download.Ject or "keystroke logging" (some keywords that users will want to see in order to know that they've reached the right place), the heading on the page appeals to software developers instead. It says "Critical Update for Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer (KB870669)." The more recognizable keywords aren't mentioned in the description of the update either.

This glitch in Microsoft's processes doesn't speak well of the Trustworthy Computing initiative or the attention to detail that Microsoft is applying to the most dangerous of transgressions. In order to breed confidence, Microsoft still must go to greater lengths to make sure that updates for securing systems are ready to go before announcing them. And it must also post prominent and easy-to-understand road signs that point regular users and administrators of Windows systems to the highest-priority updates as quickly as possible.

Biography
David Berlind is executive editor at ZDNet.


I Agree, but...
by July 3, 2004 7:49 AM PDT
I'm reading your article just a few hours after release. My PC automatically downloaded the update you're complaining about yesterday.

My concern is for the large corporation. They disable Windows automatic update, and replace it with something far less efficient. A normal large corporate system is usually weeks/months behind on updates.

Faster than you could write/publish a complaint, my personal PC has already updated itself. What's the glitch in CNET's processes?
I have to agree
by Dachi July 3, 2004 10:02 AM PDT
I thought that was pretty well said. I have always believed Microsoft's patch descriptions to be vague at best. I am hardly a new computer user, and I usually know exactly what it is that I need to download. Even then I find Microsoft's descriptions impossible to decipher.

"This critical patch is for a security hole that allows remote compromise of Microsoft Windows" KB # 987359-825872135

I remember the difficult time I had trying to find the patch for the RPC/DCOM (MS03-026) vuln (Blaster/Nachi).

You could not even put a new machine online for 6 seconds without getting infected, and there was no big red flashing download link on the front page of Microsoft.com?

No, windows update did not even contain the term RPC in the patch description. ***??

Sure it was marked "Critical", but so was the update for the offensive symbol fix in the Bookshelf font.

How is it that those two problems can possibly be given the same level of severity??

They need to include actual descriptions for people looking for them, and create another separate severity level reserved only for high-threat remotely exploitable security problems, not changes to 1 font symbol in a font not more than 3 people have ever used.
They should, but...
by wrwjpn July 4, 2004 3:58 AM PDT
Yes, they should label their updates accordingly for the average user. But if they list the real danger, what will most users think of?

They would probably consider moving to another platform or actually request that they fix the problems. MS hasn't been able to fix the problems because the OS is so bloated and they have so many pieces tied into the system that to fix the problem is to open it to another hack.

Basically they have to keep patching or they have to admit their OS is useless. I use Linux (Red Hat), Mac OS X, and Windows 2000. Of the 3, I spend the most time updating, patching, and/or scanning for viruses, worms, or other malicious problems on one of them. You can take an educated guess as to which I am referring to.

Longhorn, which is still at least 2 years away, will most likely be more of the same. MS says they have made gains in their security, but why have they allowed old holes to seep back into their software?

I await a reply from MS on this dropping of the ball.
microsoft mess
by July 6, 2004 4:01 PM PDT
unless we want perpetual fixes, security messes, and crashes we must abandon microsoft windows!
Why?
by wrwjpn July 7, 2004 10:33 PM PDT
What I think most users want to know is "Why?".

What makes their OS so full of holes that other OSes don't have? Some have said it is DOS, others say it is just sloppy programming. Which is correct, or what is the real reason?

I don't want to hear somebody say because MS has the largest share. That can't be the only reason.

Bill
MS programmed the holes themselves
by dhk July 11, 2004 2:25 PM PDT
From the beginning, MS wanted to use its OS to retrieve information about PC users and what they were buying. This information is used to determine which companies MS will go after (either to buy outright or to buy stock in -- for incorporating into its own stuff, for investment purposes, or to undermine the product because they fear it as a rival).

To do the above, they placed a large number of backdoors and tunnels into their software (and engaged in illegal monopolistic practices to ensure MS Windows would be on all PCs and in that way they would have access to everyone's PC).

Hackers simply use the backdoors and tunnels that are already there for MS's use. It is one of the reasons that MS patches are usually incomplete or partial patches -- MS has no intention of actually closing off access.

These are not programming flaws, but flaws of judgement (and development).

I've seen nothing posted anywhere that says the IE patch for this particular problem actually works, or even that the MS patch for the web servers works. The reason this hack has been contained is simple. The Russian authorities closed down the web server that was receiving the information.