Microsoft: Please don't keep us in the dark!
Robert Vamosi,
Senior Associate Editor,
CNET/ZDNet Reviews
Monday, June 2, 2003
It's Friday night, the start of a holiday weekend, and, unlucky you, you have a major project to finish up for work. Rather than go into the office, you're all set up to telecommute from home. Wanting to be as secure as possible, you download the latest updates for Windows XP from the Microsoft Windows Update site. But, after rebooting, you find you can't connect to your company's VPN. Worse, you can't even get online.

You call your company's IT department. If you can't reach them because it's the start of a weekend, you call a professional instead. The tech support guy asks, "Have you installed any new software recently?" You say yes, you installed one little Microsoft update that was supposed to enhance the security of your VPN connection.

Tech support tells you to remove the offending update via the Add/Remove Program Control Panel. This resolves your dilemma, but may leave you with a hefty bill, if you had to contact a pro.

SOUND FAR-FETCHED? It's not. Something like this actually happened to many of the 600,000 Microsoft Windows XP users who downloaded the latest OS update during this past Memorial Day weekend. It's just another example of how, despite its much-publicized Trustworthy Computing initiative, Microsoft often leaves you and me in the dark regarding its software flaws.

The update in question, which has been pulled from the Windows Update site, was indeed intended to beef up security in remote-access VPN connections, by enhancing the Layer Two Tunneling Protocol (L2TP) and Internet Protocol security (IPSec) in Windows XP. Instead, it shut down Internet access for anyone using a non-Microsoft firewall.

Unlike previous versions of Microsoft's operating system, Windows XP ships with its own firewall software. Most people, however, also use more robust, third-party firewalls, such as those developed by Norton, McAfee, ZoneLabs, or Sygate. These firewalls, which use methodologies different from Microsoft's, were the reason many people couldn't get online after installing the update. Basically, some firewalls weren't able to communicate with the new Microsoft IPSec driver, and therefore blocked all packets of Internet-bound data.

To learn more about what went wrong with this Windows XP update, I visited the Microsoft site. After some digging, I found a Knowledge Base article that provided detailed information about what the update should have accomplished. But the article contained only one sentence about known incompatibility issues with non-MS firewalls: "This [update] may affect server configurations for third-party gateways." It did not provide any further information, such as instructions on how to remedy the situation.

SO WHO'S TO BLAME? I fault Microsoft for not testing this update thoroughly, and for not publicizing the problems that resulted from it. Since the problem was caused by an update, not a full-blown security patch, an e-mail was not sent to the 50,000 people who subscribe to Microsoft's Security Bulletins, which are supposed to keep them apprised of abnormalities in the company's software. Microsoft also did not post any notices about this issue in a prominent position on its Web site. In short, if you didn't figure out--on your own or with the help of a pro--that you needed to uninstall the update, you might still be wondering why you can't connect to the Net.

I'd like to provide you with a quote from someone at Microsoft who could defend the company's decision to post a non-essential update without thoroughly testing it. But my repeated attempts to contact a Microsoft spokesperson for comment have proved fruitless.

Not that I'm too surprised. The last time I criticized Microsoft's handling of Internet Explorer security updates, I received an e-mail from Microsoft's PR firm, Waggener Edstrom. But they were concerned only that I'd neglected to mention the free Microsoft Security Bulletin service (in fact, I wrote about this in the second-to-last paragraph).

What have we learned from this episode? First, never update software on a Friday. Seriously. That's one reason Microsoft sends out its security bulletins on Wednesdays--so your IT department is around to help you if there are problems. Second, don't count on Microsoft to keep you informed when something goes wrong with its software. And third, we've learned you shouldn't download a Microsoft update until it's been around for a few days, just in case it shuts down your Internet connection--or worse. Sadly, that's the reality of Trustworthy Computing.

Have you ever had problems with Windows Update? How could Microsoft better handle security issues? TalkBack to me.

Try this: Sygate Personal Firewall Pro 5.0. A good software firewall for the technically minded--at a reasonable price.

Copyright© 2003 CNET Networks, Inc. All rights reserved. ZDNet is a registered service mark of CNET Networks, Inc. ZDNet Logo is service mark of CNET Networks, Inc.