June 4, 2003 11:00 AM PDT
Windows Server 2003 gets first patch
Although security experts--even those at Microsoft itself--had pointed to the company's latest server OS as the first test of the software giant's massive Trustworthy Computing initiative, representatives maintained that the patch did not mean the release had been a failure in its security practices.
"It actually highlights positive progress in Trustworthy Computing," said Microsoft's U.K. security chief, Stuart Okin, explaining that Server 2003 is significantly hardened in comparison to previous versions of Windows.
The vulnerability has less effect on Server 2003 because it relies on services that are switched off by default in that version of Windows, explained Okin. Earlier versions of Windows have services switched on by default, which can be used to form part of an attack. The company has already issued tools to lock down previous versions of Windows, but these are not universally applied.
Windows Server 2003 is the first major release of Windows to come out since the company's much publicized decision to emphasize security and make sure all its code is safe. The operating system was delayed three times, partly to improve security and reliability. It has therefore been seen as a test of whether the company really can make products that are more secure and stem the deluge of security flaws and vulnerabilities that have marred its OSes in the past.
The new flaw affects Internet Explorer 6, which ships with Windows Server 2003 as well as with other Microsoft OSes. It is fixed, along with other IE6 flaws, in a cumulative patch released Wednesday. Although the patch is rated "critical" for all other operating systems, it is only "moderate" for Server 2003, according to Microsoft's system for grading the severity of the vulnerabilities it addresses.
A security patch so soon after the release is potentially embarrassing, but independent security researchers agreed that the default configuration of Windows Server 2003 seems more secure.
"You can always (change the settings and) make your system insecure, but the major issue is that it comes secure in its initial configuration," said Johannes Ullrich, chief technology officer for the Internet Storm Center, run by SANS, the SysAdmin, Audit, Network, Security Institute.
Most installations of Windows Server 2003 will never need a Web browser, Ullrich said, unless the machine is used as a Windows terminal server, where multiple users log on to the computer and run their software directly on that system.
In late May, Microsoft vowed to fix a backwards-compatibility problem with the backup component of Windows Server 2003, a minor flaw that didn't affect security.
Jeff Jones, Microsoft's senior director of Trustworthy Computing, stressed that the company has never said that it would eliminate bugs from its system. That's largely seen as an impossible task.
"We are not claiming that there won't be a critical vulnerability; there will be one eventually," Jones said. "The really significant aspect here is that we have reduced the attack surface" of Windows Server 2003.
Microsoft measures the potential avenues for attacking its applications as that software's Relative Attack Surface Quotient. If a critical vulnerability is found, but the attacker can't remotely exploit the flaw, then the threat is largely mitigated, Jones said.
The vulnerability was found by specialist e-Eye Digital Security in March, but there was no evidence of anyone using attacks based on it, so it was dealt with quietly, Microsoft said. Because Windows Server 2003 had already been released to manufacturing, the patch had to be developed and released at a later date.
Although some patches can be put together in days, this one took somewhat longer. "There is no standard template for how long a patch takes to create," Okin said. The patch was not seen as an emergency because the flaw was not being used by hackers, and there were lots of mitigating factors making it less dangerous, he said.
The announcement comes one day after Scott Charney, Microsoft's global security chief, reiterated Microsoft's promises to simplify the way it distributes patches to customers. Since Server 2003 was released, the company has also issued a guide to implementing the operating system securely.