Microsoft users tired of patch mgmt. headaches

IT executives are fed up with Microsoft's kludge of tools to manage and install the numerous patches and hotfixes it issues and say the company must deliver one management tool that works reliably and consistently, or companies will never have secure systems.

Frustrations are running high after two incidents showed Microsoft's patch-management tools sometimes offer conflicting data that could leave systems vulnerable to security breaches. That riles IT executives who often hear from Microsoft that certain security breaches can be avoided if systems are properly patched.

"Someone needs to get serious about patch management over at Microsoft, because IT administrators have become the losers," says Russ Cooper, editor of the NT BugTraq Web site and the surgeon general for TruSecure.

Microsoft has issued 20 security and hotfix patches this year.

Cooper says Microsoft needs to provide an accurate and reliable way to patch systems instead of the current mishmash of services, tools and download sites. Short of that, experts say, Microsoft's recent Trustworthy Computing initiative to develop secure code will be useless to IT.

Cooper says the answer doesn't lie with Windows Update Corporate Edition, scheduled to ship this spring, because it has the same accuracy problems as the Microsoft service called Windows Update - it can't guarantee successful patch installation.

Windows Update is one of two tools at the heart of the patch-management mess. The other tool is HFNetChk, which scans systems for security patches. HFNetChk is integrated with Microsoft's Baseline Security Analyzer.

The most recent issue occurred this month with patch MS02-018, which was for Internet Information Server. The patch contained a file with the same version number - but a different date - as a file from a previous patch, MS02-012 (which addressed SMTP issues).

Windows Update didn't overwrite the MS02-012 file, but reported the patch was successfully installed. A subsequent scan using HFNetChk reported a problem with the patch installation. Also, if the MS02-018 patch was installed from a link provided in a security bulletin instead of through Windows Update, the MS02-012 file was overwritten. Users had no idea which version of the file was correct.

In a February incident, the tools offered conflicting data when patches were partially changed, but the version numbers were not altered when using the Windows Update service. In that case, HFNetChk reported that the patches were not the most current version, but they were.
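Both incidents above come down to file version strings that do not identify the bytes actually on disk. As an added example (not code from the article or from Microsoft's tools), the Python below contrasts a version-only check with a content-hash check and reports "inconclusive" when the two disagree; FileRecord, patch_state and the sample files are constructed for illustration.

```python
"""Added example, not from the article: a patch-state check that reconciles a
version-number comparison with a content hash, so a same-version file with
different content is reported as inconclusive instead of as a clean install
or a clean miss. All file records and version strings below are constructed
sample data, not real Microsoft binaries or bulletin manifests."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class FileRecord:
    path: str
    version: str    # version resource, as a version-only scanner would read it
    date: str       # file timestamp (ISO date)
    content: bytes  # stand-in for the bytes on disk


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_by_version(installed: FileRecord, expected: FileRecord) -> bool:
    """Version-only comparison; cannot tell two same-version builds apart."""
    return installed.version == expected.version


def check_by_hash(installed: FileRecord, expected: FileRecord) -> bool:
    """Content comparison; distinguishes builds regardless of version string."""
    return sha256_hex(installed.content) == sha256_hex(expected.content)


def patch_state(installed: FileRecord, expected: FileRecord) -> str:
    """Report 'installed' or 'missing' only when both signals agree;
    otherwise 'inconclusive', which is the case to escalate, not ignore."""
    by_version = check_by_version(installed, expected)
    by_hash = check_by_hash(installed, expected)
    if by_version and by_hash:
        return "installed"
    if not by_version and not by_hash:
        return "missing"
    return "inconclusive"


# Constructed sample: an earlier hotfix left FILE_A on disk; a later hotfix
# ships FILE_B with the same version string but different bytes and date.
FILE_A = FileRecord(r"C:\example\component.dll", "1.0.0.1", "2002-02-01", b"earlier hotfix build")
FILE_B = FileRecord(r"C:\example\component.dll", "1.0.0.1", "2002-04-10", b"later hotfix build")

if __name__ == "__main__":
    print(patch_state(FILE_A, FILE_B))  # inconclusive: version matches, content does not
```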

"I can't necessarily trust what HFNetChk or Windows Update tell me I need," says Paul Calvi, director of IT for Annual Reviews. "Ideally, Microsoft would produce a single patch-management tool for all its software products that would manage, deploy and report on all patches."

But Calvi says he needs such a tool "yesterday" and he wants it from Microsoft. Currently he uses software from St. Bernard Software. Other patch-management vendors include Shavlik Technologies, which sells a professional version of HFNetChk; Configuresoft; Ecora and PatchLink.

Whatever Microsoft does, experts say, it has to resolve three problems: too many patch-management tools that aren't in sync; too many vehicles for delivering patches; and inconsistent patch-installation technologies.

Microsoft says it is working on consistency and automation.

"We are looking at how do we get HFNetChk to accurately reflect what Windows Update is doing," says Steve Lipner, director of security assurance at Microsoft. "What will take longer is getting to an overall integrated or common patch technology."

Some users say there should be a suite of tools that get data from a single Microsoft source. Steve Sheldon, a Microsoft certified systems engineer for a large securities vendor that he asked not be named, says the tools need to be integrated with Active Directory so that when a machine is added to the directory it is scanned and the necessary patches are applied. "The key is ease of use and automation. The more [manual] work you have to do, the more likely something will be missed."

Patch tools
Microsoft offers a number of tools for patch management, but users say the mishmash causes as many problems as it solves. Here’s a sampling:
Windows Update: A service from Microsoft that checks for installed software and missing updates and patches. Patches are automatically installed.
Windows Update, Corporate Edition: A version of Windows Update that runs within a corporate network. IT executives can apply their own set of policies for controlling the rollout of patches.
HFNetChk: A command-line tool that scans systems to ensure that recommended security hotfixes and patches are up to date based on a list available from Microsoft.
Baseline Security Analyzer: Scans one or more Windows-based computers for common security misconfigurations. Checks that recommended security hotfixes and patches are up to date.

Contact Senior Editor John Fontana
Copyright, 1994-2006 Network World, Inc. All rights reserved.