Microsoft Users Upset With 'Security Updates'

[Steven]

December 23, 2002

Microsoft Users Upset With 'Security Updates'

By Dennis Fisher

A growing number of Microsoft Corp. customers are angry and frustrated with what they say are the company's thinly veiled attempts to use its well-publicized security initiative to get them to upgrade or buy new software.

Users contacted by eWeek last week reported various technical problems with Microsoft's automated services that let customers download and install patches for applications such as Internet Explorer 5.5 or Windows NT 4.0. They also said that when they contacted Microsoft support personnel, they were told that the software they were running was outdated. The solution: Upgrade to a more recent, more secure version.

One user with extensive security training, who asked not to be named, said she recently installed Windows 2000 Service Pack 3, which includes security fixes. The installation destroyed her network connection, forcing her to uninstall the service pack and leaving that machine exposed to the vulnerabilities the update should have fixed.

Others say that the combination of problems with Windows Update and other such services, along with Microsoft's decision to release some of its patches solely through these automated tools, have led them to dispense with installing some fixes altogether.

Although Microsoft has agreed as part of its consent decree with the Department of Justice to continue to provide support and updates for its older products, the users say the company seems to be penalizing customers who use legacy applications by making it difficult for them to obtain patches.

"More and more security hot fixes seem only to be available via Windows Update. We use [st. Bernard Software Inc.'s] UpdateExpert for patch management, and now some of the hot fixes can't be directly downloaded by the tool," said Doug Wyatt, systems administrator at Kohlman Systems Research Inc., in Lawrence, Kan. "Then there are the apparently intentional difficulties in manually obtaining NT 4.0 patches for use when you don't have a hot-fix management tool running on Windows 2000. Do you suppose Microsoft wants to help me decide to upgrade from NT 4.0 to XP?"

Microsoft's Trustworthy Computing initiative has included security reviews of the code in many of its products. As a result, those current and forthcoming applications are being hardened and made more secure than prior versions.

Microsoft officials said the company encourages customers to upgrade to Windows XP and IE 6.0, among other applications, but denied that it is pressuring customers to do so.

"Certainly NT 4.0 and IE 5.5 are still under support," said Steve Lipner, director of security assurance at Microsoft, in Redmond, Wash. "Would I prefer that as many customers as possible be on IE 6 from a security standpoint? Yes. And we've done more with XP than we did with NT as far as security is concerned."

But Patrick Flannigan, an IT administrator at CFS Mortgage Corp., in Phoenix, said Microsoft's decision to emphasize security over functionality has made even Microsoft Outlook 2002 useless in his company.

"The average end user has no choice but to accept Microsoft's decision as to what they can or cannot download," Flannigan said. "I don't believe I'll ever be able to trust them again with patches ... only applying them if I feel they won't affect my existing software."

http://www.eweek.com/article2/0,3959,797850,00.asp