Security-Challenged at Microsoft

Problematic downloads of patches can jeopardize the safety of entire networks

In last week's column, I took a look at how Microsoft (MSFT ) included solid security features in Windows XP but left it up to consumers to make them work. The XP experience turns out to be a typical one for Microsoft: Turning its attention to security issues, the company is getting things half right.

Consider the saga involving Office programs that started on Oct. 4. Microsoft alerted subscribers to a security bulletin detailing a problem in versions of Excel and PowerPoint for both Windows and Macintosh. Such security notices, which usually include instructions for fixing the hole, come out once or twice a week, and the issues range from obscure vulnerabilities in Windows 2000 servers to problems--like this one--that could jeopardize millions of PCs.

The issue described by bulletin MS01-50 was nasty. Microsoft warned that, under some circumstances, a malicious program, or "macro," attached to an Excel spreadsheet or a PowerPoint presentation could run when the file was opened, despite security settings in the applications that were supposed to stop automatic execution. Macros can do just about anything, from sending e-mail to everyone in your address book to deleting files. The federally funded CERT Coordination Center followed up with a warning of a "strong possibility of widespread abuse."

Fortunately, it seems that widespread abuse didn't occur. It's a good thing, because Microsoft didn't make it easy to fix the problem. I dutifully followed the links to download the patches for the Office XP versions of PowerPoint and Excel and discovered that I needed two files totaling nearly 10 megabytes--at least 10 times the size of a typical fix. The next surprise came when I attempted to install the files and was asked to agree to an End User License Agreement consisting of Microsoft legal boilerplate. But my patience snapped when Windows demanded that I insert my original Office XP installation CD to install the patch. I immediately thought of road warriors who did the responsible thing and spent maybe an hour downloading the files over a slow hotel connection--only to discover that they couldn't complete the installation because they lacked the foresight to keep an Office XP CD with them at all times.

An e-mail exchange with an anonymous Office spokesperson failed to offer much enlightenment. The end-user license is necessary, the company said, "to protect the code from being used illegitimately." For users who don't have an Office CD available, the letter went on, "we recommend reinstalling from a network (admin source), then either using the admin patch or the client patch."

WORMS AND VIRUSES. In an effort to cut through the gibberish, I spoke with Jeanne Scheldon, director of Office Sustaining Engineer Services. The need for original disks, she said, is actually imposed by Windows, not Office: The disks are not needed with Windows Me and XP. The large size of the patches was due in part to Microsoft's decision to roll in a number of fixes that had nothing to do with security, such as correcting an error in how Excel sorts Czech-language lists. As an alternative to carrying the CD, she suggested copying its contents--a total of 449 MB for Office XP--to a laptop hard drive.

What's wrong with such suggestions? Patches only work when they are installed, and unpatched computers can imperil entire networks. The Nimda worm took advantage of flaws in Microsoft servers for which fixes had long been available but which administrators had failed to install. The Melissa virus shut down mail systems in 1999 using a hole in Word very similar to the new ones in Excel and PowerPoint.

Microsoft is doing a good thing by quickly distributing patches and notification when holes are discovered. But anything that complicates installation of the patch is a disservice to the purchasers of Microsoft products and also to the Internet community, whose security depends on the security of every computer on the Net. That means not bloating critical downloads with fixes for problems that don't affect security, keeping the installation process free of language that only lawyers understand, and avoiding requirements like having a CD on hand. Until Microsoft puts security first, we'll have to cope with half-measures.


    Before it's here, it's on the Bloomberg Terminal.