Users have reacted with a mixture of concern and resignation to the discovery of a critical flaw in almost all versions of Microsoft’s Windows software, including the Windows Server 2003 operating system.
The vulnerability exists in a communication protocol that deals with message exchange over TCP/IP. It allows attackers to take over a victim's system and install malicious code; view, modify or delete data; or create new user accounts.
"It is probably the most serious vulnerability that we have seen from Microsoft in the past 12 to 18 months," said Chris Rouland, director of Internet Security Systems in Georgia.
The flaw - word of which followed the announcement of another major Windows vulnerability only a week before - highlights the continuing challenge that users face in securing Microsoft software, said Scott Loach, senior information security engineer at Raymond James Financial, a financial services firm in Florida.
Raymond James had just completed patching 500 Windows servers against the previous flaw and was now scrambling to protect its systems against the new vulnerability.
The frequency with which such patching is needed has prompted the company to consider automated patching technology, Loach said.
"We've had endless meetings with Microsoft about the state of their security and the way these patches come out and the trouble it causes us," Loach said. "It's just what you have to live with" when dealing with Microsoft, he added.
The flaw discovered last week "is the latest in a seemingly never-ending stream of issues that afflict [Microsoft] products," said Bruce Azuma, corporate director of information technologies at Wilbert, an Illinois-based company in the funeral services and industrial plastics businesses. "As a medium-size business user of Microsoft, I am growing more and more concerned with Microsoft's ability to release stable, secure products."
Such flaws also raise questions about the efficacy of Microsoft's Trustworthy Computing initiative, said John Cowan, corporate IT director at Caldwell Industries, a Kentucky-based injection moulding manufacturer.
"On a scale of one to ten, I would give [Trustworthy Computing] a three," Cowan said. "I don't know what the problem is, but it doesn't look like they have been able to lock down their software like they said they would."
Discovery of the flaw "cracked the bubble" around Windows Server 2003 security and will force Microsoft to redouble its efforts to find out what went wrong, said Pete Lindstrom, an analyst at consultancy The Spire Group. But it would be premature to see it as a sign of broader security problems in Windows Server 2003, he cautioned. "I would be embarrassed for anyone who jumps to that conclusion," he said.
Kevin Kean, director of Microsoft's security research centre, this week insisted that the company's Trustworthy Computing initiative was working, despite the fact that serious flaws keep cropping up in Windows software.
Trustworthy Computing "is a long-term vision," Kean said. "We are committed to improving [it] on an ongoing basis. When we find something that goes wrong ... we try to figure out where we need to make progress."
One sign that Trustworthy Computing has begun to pay off is the relatively low number of flaws uncovered in Windows Server 2003 so far, compared with Windows 2000 at the same stage, Kean said. Just four security bulletins have been released for Windows Server 2003, compared with 14 for Windows 2000 over the same period after release.
Some users agreed with Kean's assessment. "In fairness to them, they are doing the right things," said David Rymal, IT director at Providence Health System in Everett, Washington.
"[Windows 2003] shows a complete reversal in deployment methodology compared to earlier versions, when everything was turned on and left unsecured by default," said Antony DeVoto, NT systems administrator at Volvo Finance North America in New Jersey. "Finally we are seeing Trustworthy Computing making a difference that should benefit us all."