It’s been a long, hot summer for Microsoft.
The company has been under heavy fire since late June for security holes that left many of its most popular products wide open to attacks such as the Code Red and SirCam worms and other malicious exploits.
Patches were released to plug the holes, but then Microsoft’s own systems were invaded by both Code Red and SirCam, leaving some to wonder how the company expects average folks to keep up with the ever-increasing slew of security patches and alerts, when Microsoft itself seemingly can’t manage to patch its own systems.
In response to this season of increased discontent, Microsoft is now focusing on making it easier for people to find and patch the security holes in their computers, Microsoft’s chief security officer Howard Schmidt said at a press briefing last week.
The first public release of this simpler security project is the Microsoft Personal Security Advisor (MPSA), a free Web-based tool for personal users of Windows NT 4.0 or Windows 2000 operating systems. The tool scans computers, looking for any security problems in installed Microsoft software.
But the results that some users have received after using MPSA may engender yet more ill will against Microsoft. Every system in a test group of eight machines, whose users claimed to be extremely conscientious about applying Microsoft security patches, was rated by MPSA as a high risk for malicious hack attacks.
“Oh my god, I can’t believe all these holes,” said Terry Montono, a high school computer lab teacher. “I lecture my kids about keeping up with patches and I thought I was doing a good job of keeping my computer clean. But it’s like there’s a secret basement in Windows 2000 that’s filled with huge cracks that will let people enter my computer.”
Despite being aggravated about all the holes the scan found, Montono thought the MPSA tool was “outstanding, easy to understand and very valuable to everyone.”
Using MPSA is easy: Click on the “Scan Now” button and the program combs through a system in 2 or 3 minutes. The tool attempts to guess the system’s passwords, checks for installed security patches and updates for Microsoft products, and examines the computer’s system settings for potential problems.
It then produces a report that clearly indicates all areas of concern with a link to the appropriate Microsoft patch or fix documentation.
All the testers agreed the report was easy to understand, but the majority also said that Microsoft’s instructions about how to handle the MPSA-discovered security holes were too confusing.
Warned that her system had a too-low “Restrict Anonymous” setting, Helen Carter, a graphic artist, clicked on the link she hoped would explain how to correct the problem.
Instead, she said, the link led her to a long advisory that said, in part, “Setting the Restrict Anonymous registry value to 2 should only be considered in Windows 2000 environments only, and after sufficient quality assurance tests have verified that appropriate service levels and program functionality is maintained.”
“I haven’t a clue how to run quality assurance and service tests; I just want to know whether my computer is secure or not,” Carter said. “This tool seems real friendly and easy to work with on the surface, but it soon drags you down into Microsoft hell, just like all Microsoft programs do.”
Carter said the MPSA tool convinced her of only one thing: “It’s time to buy a Mac.”
Many test users, including Carter, were dismayed at the number of patches that their computers needed despite their conviction that they had been running secure systems.
“Thirty-two security patches and fixes? And I thought I was keeping up with this stuff. I check Microsoft’s security update site once a month and download and install whatever I am advised to download,” Frank Gerome, a Web designer, said. “So how the hell can I be missing 32 essential patches?”
Microsoft’s documentation for MPSA notes that the scanner may not detect some patches that users have already installed.
But it also warns that users shouldn’t assume that the scanner has missed a patch, since the fix “may no longer be properly installed and need to be reinstalled. To be sure that your system is properly secured you should reapply all Hotfixes that MPSA shows as missing.”
MPSA’s documentation also notes that MPSA may flag a recently released security patch that has not yet been added to Windows Update, the site where most users typically check for patches; the patch may not appear there until several weeks later, when Windows Update is itself updated.
“I know it sounds bizarre, but I was pretty proud of my ability to keep up with Microsoft patches. It’s like you are a macho geek if you can keep up with all this stuff,” Gerome said. “But now I’m starting to wonder whether catching all the fixes that Microsoft releases is beyond any mere mortal’s power.”
Some programmers believe that the seemingly never-ending flow of security patches is due to Microsoft packing its programs with features that look impressive but are often unnecessary for most users. And they believe that this “code bloat” inevitably leads to bugs.
Bloat and bugs go hand in hand, said Rick Downes, a programmer at RadSoft, a company that focuses on creating “lean and mean” applications.
“Bloat means you’re dealing with sloppy programmers. Bugs means you’re dealing with sloppy programmers, too. It’s the same thing,” Downes said. “How can programmers release code to anyone if they don’t check it out first? How can programmers write bugged, bloated and above all sloppy code in the first place? Good programmers don’t do this. They never have and they never will.”
Microsoft officials said the company is working hard on making sure that the company’s new operating system, XP, will be clean and secure from the start. “We want to focus on engineering (XP), securing it and then deploying it so we raise the bar on security,” Schmidt said.
But security scans and the cavalcade of patches look to be a part of the foreseeable future for users of older Microsoft systems.
“We know that software being written by human beings is never going to be bug-free,” said Scott Culp, Microsoft’s security program manager.
And, if there are holes, the hackers who delight in picking apart Microsoft’s products looking for any and all security snafus will certainly find them.
Chris LeTocq, an analyst at Guernsey Research, said Microsoft’s push toward consumer education is a good move for the company whose software is the most frequent target of hacker attacks.
“When you look at the issues that Microsoft has with security, because they are a predominant target and they have people banging on them all the time … it’s a good idea to prompt users,” LeTocq said.
But he doubted that MPSA and similar tools would keep hackers from attempting to exploit vulnerabilities in Microsoft products.
“Microsoft will continue to be in the public eye mainly because of its large presence and attractiveness as a target,” LeTocq said.