Microsoft has issued a group of four updates for various versions of its Windows operating system. The patches contain fixes for nearly 30 security problems, over 20 of them termed "critical" by the software maker. Versions of the operating system affected include Windows NT, Windows XP, Windows 2000, Windows Millennium Edition and Windows 98.
One of the updates includes fixes for additional security holes in Microsoft Outlook -- the widely used e-mail and scheduling software that ships with all versions of Windows.

The announcement comprises the company's monthly release of security bulletins and thus is routine. However, the sheer number of alerts issued at once -- not to mention the fact that the majority of them fall into the highest level of importance -- has raised some eyebrows in the Windows-user community.

Pleasing All the People

Starting in October of 2003, Microsoft began bundling all of its security updates into a single monthly release in an effort to help those responsible for network security to get a better handle on their workloads. The move came as part of an evolution in the enterprise-security mindset, Aberdeen Group's Eric Hemmendinger told NewsFactor.

"We can all recall a time when the primary complaint was that announcements on vulnerabilities and fixes were too slow in coming," he said. "Now we're progressed to the point where people are complaining about the announcements because they're too frequent."

Whether updates come fast and furiously or in dribs and drabs, some network administrators will remain dissatisfied, Hemmendinger explained. Modifying the old adage that "you can't please all of the people all of the time," he said that in the case of network security, "you can't make most of the people happy most of the time."

The fact that so many of these security issues are termed "critical" by Microsoft need not affect its stated plan of releasing them monthly, Hemmendinger said. The only reason to send out an urgent advisory outside of established procedures would be if Microsoft "thought it was looking down the throat of a zero-day exploit" -- that is, if a vulnerability in the Windows operating system were discovered at the same time that hackers began using it for malicious activity.

Do-It-Yourself Patches

It is the battle-weary network administrators who find themselves most in a bind over enterprise-software security. For individual users, many software makers -- Microsoft included -- have launched automatic patch-deployment utilities. One need only click on the link at the appropriate site and the fixes are downloaded and installed automatically.

This method may work for consumers, or even individuals using desktop machines in the workplace, but it presents serious challenges for those responsible for more sophisticated network computers like application servers, Hemmendinger said.

Many organizations are experimenting with automatic patch deployment, but they are taking it very slowly and conducting extensive testing along the way. "Applications are fragile," he noted, adding that a patch that contains faulty code -- or even a good patch that inadvertently affects portions of an application -- can bring an enterprise's applications down very quickly.

You can view the original article here...