With the Blaster worm seeming to be under control, alleged virus-author Jeffrey Parson under house arrest in Minnesota, and hacker Adrian Lamo under the watchful eye of the feds, business-technology managers may have enjoyed a few hours of peace and quiet last week. But it was short-lived. On Sept. 10, Microsoft issued a security bulletin warning of three new critical vulnerabilities in the Windows operating system, sending systems administrators rushing to patch their computers. It's become an all-too-common scenario--and one that's causing some businesses to re-evaluate their heavy reliance on Microsoft products.
A year-and-a-half after Bill Gates declared that trustworthy computing had become Microsoft's No. 1 priority, the software bugs keep coming. The latest vulnerabilities involve the Remote Procedure Call service in Windows, making it possible for a malicious hacker to take control of a target system, introduce an infectious worm, or launch a denial-of-service attack. A week earlier, Microsoft issued five other warnings, four involving the omnipresent Office applications suite. For the year, the tally stands at 39.
And those are just the holes that have been uncovered by others and reported to Microsoft. In addition, the software vendor is combing through its code, finding holes, and issuing patches without publicizing the flaws. No one knows how many more are yet to be uncovered. "There's no way to wrap your hands around that," says Dan Ingevaldson, engineering manager with security vendor Internet Security Systems Inc.
"You have to seriously start thinking about alternatives," Bowne CIO Harenchar says.
Photo by Jean-Christian Bourcart/Getty Images
The patching work has thrown Bowne & Co.'s technology projects off schedule. Now, the specialty-printing-services company is assessing its options. Among them: redesigning its network around a thin-client model to reduce the number of PCs running Windows and, on other machines, migrating to Linux. "It's getting to be enough of a burden that you have to seriously start thinking about alternatives," Harenchar says.
Raymond James & Associates has assembled a team of IT staffers to manage the constant patching. "Organizations have to mobilize and realize this is going to be a way of life for the foreseeable future," says VP of IS Gene Fredriksen.
The financial-services firm, with offices around the world, last week began the arduous task of patching 10,000 PCs and 1,000 servers. "The pressure is on," Fredriksen says. "Anybody that isn't patched by the weekend is going to have trouble." The fear is that the latest vulnerability leaves Windows computers open to a Blaster-like worm. "There's a very good chance that a worm is going to be developed" to take advantage of the latest security holes, says ISS's Ingevaldson.
"People are getting fed up," says Lloyd Hession, chief information security officer at financial-network provider Radianz, adding that the number of Windows patches is reaching "epic proportions." The situation is causing more than just a few disgruntled customers to re-evaluate how much they use Microsoft products. Says Gartner security analyst John Pescatore, "There's definitely a very large trend towards that."
The problem of buggy code isn't limited to Microsoft software. And, at a congressional subcommittee hearing on the vulnerability of the country's computing infrastructure to worms and viruses--a hearing that was held, coincidentally, on the same day last week that Microsoft issued its security bulletin--Symantec Corp. president John Schwarz testified that software vulnerabilities "are being exploited faster and more aggressively than ever."
But Microsoft is at the center of the storm because its software is so widely used and a favorite target of the malcontents who write viruses and hack systems. At the same hearing, Microsoft senior security strategist Philip Reitinger described Microsoft's security-response program as "state of the art." He admitted, though, that "much remains to be done."
Just what is Microsoft doing to fix things? Last year, the company interrupted product development to train its Windows programmers in techniques for writing more-secure code. It has made some products harder to hack by turning off settings that raise risks, and it's screening old code for problems. And the automatic-update technology introduced in Windows XP is now available in Windows Server 2003 and Windows 2000.
Other steps are in the works. They include a hardware approach to creating secure systems called the Next-Generation Secure Computing Base, extending automatic updates to more Microsoft products, new "protective" software that guards systems even when patches aren't applied, and antivirus products and services.
Jeff Jones, senior director of trustworthy computing security, says Microsoft is making progress and points to the fact that Windows Server 2003 had half as many patches as Windows 2000 after 90 days of availability. "That's a clear improvement," Jones says.
Some customers are satisfied Microsoft is doing everything it can. "Their intentions are good," says Robert Egan, VP of IT at Boise Cascade Corp., which recently created a task force to respond to Microsoft's security bulletins. Egan says the work involved is "tolerable" but adds that the real issue is that "we'd rather be spending time enhancing our systems" than fixing them.
That's the rub. Another business-technology executive estimates his company's IT department has wasted more than 1,000 hours patching Windows systems. He's looking at thin clients and Linux as alternatives to Windows and, late last week, he was drafting a letter to Microsoft. The message: He'd like Microsoft to reimburse his company for all those hours of lost productivity.
Yet, business better get used to it. CIOs need to "literally put a line item" in IT budgets to cover the ongoing cost of patches, advises Kerry Gerontianos, president of systems integrator Incremax Technologies Corp. On the old goal of administration-free Windows, Gerontianos says, "that was a dream."