• Promo: B.Sc. Info Systems, Trinity

    IT workers face the challenge of developing their communications, business and management skills.
    » more

  • Blog: At a loss over data loss

    You can lead us all to water but we're just too lazy to drink.
    » more

  • Web Pick: Times Online -- Games

    Do you love a good puzzle during your lunch hour? Bit of a Sudoku fanatic? Look no further.
    » more

SECURITY

Buggy Windows patch backfires on the security-minded

18-10-2005

by Silicon.com

Security-conscious Windows users who tweaked the operating system to protect their PCs better are getting hit hardest by a flawed Microsoft patch, experts said on Monday.

Microsoft has acknowledged that a patch released last week can cause trouble for some users. It could lock them out of their PC, prevent the Windows Firewall from starting, block certain applications from running or installing, and empty the network connections folder, among other things, the software maker said in an advisory on Friday.

The trouble occurs when default permission settings on a Windows folder have been changed, according to Microsoft. Those changes aren't common, but have been applied by some people to add extra security to their systems, experts said.

Johannes Ullrich, the chief research officer at the SANS Institute, said: "The flaw in the patch affects users who tightened down access lists. These are typically more-advanced, security-conscious users."

The settings are also likely to be used by businesses with strict access requirements, such as those in the financial services or healthcare industries, said Vijay Adusumilli, a senior product manager at security software vendor St Bernard Software. "They tighten settings for security purposes," he said.

The patch was released on Tuesday to fix four Windows vulnerabilities. Microsoft tagged the combined vulnerabilities "critical", and experts warned that a worm attack linked to the issue could be imminent. The software maker urged all users to immediately apply the update, delivered in security bulletin MS05-051.

Adusumilli said: "If users made changes to their security settings and tightened them, this patch is going to break a whole lot of software." The update simply didn't take into account all the possible Windows user configurations, he said.

The problem may result in more apprehension among users when it comes to applying Windows patches, Adusumilli noted. "Microsoft's patch quality reputation just started to improve but I think this is going to dent that a bit," he said.

That is worrying, especially with a narrowing amount of time between the release of a software fix and a malicious code attack that exploits the vulnerability related to it, SANS' Ullrich said. The narrowing "patch window" has moved people to apply remedies faster.

Ullrich said: "Many companies have come to rely on high patch quality to use accelerated deployment procedures for critical patches. But the problems with MS05-051 will make people think twice next time around."

The flawed update delivered "two strikes against good security," he said. "First, you get penalised for running an enhanced security template. Next, you get penalised for patching quickly."

Microsoft had no immediate comment for this story.

Joris Evers writes for CNET News.com.

Reprinted with permission from Silicon.com

Click here to make ENN your home page
Sign Up for FREE ENN Newsletters

VIDEO REVIEW

Dell not dull; sees red
Dell adds a splash of colour to its latest laptop range, but is this enough, or do consumers want an edgier look? » Read more

ENN CORPORATE

Complete copywriting services
Do you need skilled writers to put together compelling prose for your company? Why not check out the new-look corporate services site from ENN and see how we can put our skills to your use. » Read more

  • Hosted by TeleCity

SUBSCRIBE

Not a member yet?
Sign up free, click here
To change your ENN Newsletter and alerts preferences here

WHO'S WHO IN PR

Full listing of Irish PR firms, including high-tech specialists. » Click here