- Problems with the consumer version of an online extension to Windows that's aimed at making patch installation easier are prompting concerns about the reliability of an upcoming corporate release of the Microsoft technology.
But Steve Lipner, Microsoft's director of security, claimed last week that the concerns are misplaced and said that the corporate version of the Windows Update technology is working fine in beta-test trials.
Russ Cooper, moderator of NTBugtraq, an online mailing list covering Windows NT security, advises users to stop using Windows Update for downloading patches, claiming that it's unreliable.
Windows Update is basically designed to give users a way to quickly locate and download software patches for fixing security vulnerabilities on individual systems.
Cooper says it's dangerous for users to rely on the technology for several reasons.
For instance, sometimes the Windows Update website informs users that they're adequately patched when in fact they aren't, he says. At other times, it asks them to patch systems that have already been patched, or it doesn't install a patch fully, Cooper claims. Windows Update's method of determining successful patch installation can't be trusted either, he adds.
Susan Bradley, a Microsoft Certified Professional and certified public accountant at Tamiyasu, Smith, Horn and Braun Accountancy in Fresno, California, says she recommends that network administrators not use Windows Update for security patches. However, "there are certain critical hot fixes that are not security-related but still needed," she adds. "It is very easy to download these for the XP machines [using Windows Update]."
Microsoft plans to release the corporate edition of Windows Update later this quarter. The technology is being introduced as part of the company's Strategic Technology Protection Program announced last fall.
The corporate version will not only dynamically alert companies of new patches, but it will also give them a way to more efficiently manage and distribute patches across their networks, Lipner says.
Cooper says the problem is that the two versions are based on the same technology, so whatever the consumer version of Windows Update does, the corporate edition does too, "and in the same way."
Microsoft is also working on streamlining its patch releasing process, Lipner said. Currently, patches are available from myriad sources and services, which at times yield conflicting information. "We know there are issues, and this is something that we are certainly working on fixing," Lipner said. "This is not something we can wave a magic wand over."
Pete Lindstrom, an analyst at Framingham, Massachusetts-based Hurwitz Group saiys these are issues that Microsoft is aware of and has been trying to address for some time now.
"I think they worked hard to facilitate [the patching process]. But there's so little trust on the users' part that most [of this effort] has been unrecognised," Lindstrom says.