Problems with Microsoft Corp.'s Windows Update are causing the automated scanning service to mismanage patches, leaving IT managers to wonder whether the systems they thought were safely patched are actually vulnerable.
WU, which was originally meant for consumers but is used widely in the enterprise as well, checks a customer's PC for needed product updates and critical security patches. Customers can then download and install whichever components they need.
But confusion has arisen over patch management in WU because Microsoft has at least four mechanisms for installing patches, each with its own vagaries and nuances. The complexity has led to technical glitches and patch mismanagement.
In one extreme case, a Microsoft customer said a patch he installed via WU removed without warning several previous hot fixes he had installed. As a result, one of his systems was successfully attacked by the Nimda virus, for which he once had a patch. “It got Nimda again because the roll-up uninstalled the previous patches,” said John McGuire, a staff engineer and security expert at Strictly Business Computer Systems Inc., a consulting and engineering company in Huntington, W.Va.
Many of the problems with the automated updates have surfaced only recently as customers have begun using the new—and also flawed—Microsoft Baseline Security Analyzer tool to scan their systems for missing virus patches.
During the system scan, WU checks for installed security patches by scanning the registry for each patch's key. If the key is present, WU will not show the customer that patch as a possible download.
However, it's possible for the key to be present without the patch being installed if, for example, the download failed midway through.
By contrast, MBSA and HFNetChk, another free scanning tool on which MBSA is based, scan the actual files on a customer's machine and compare the patches they find with an XML database. But that database contains only patches that have been released as part of a Microsoft security bulletin, whereas WU also offers updates that have been released with operating system updates. All of this means IT managers downloading fixes via WU and scanning their systems with MBSA or HFNetChk are getting mixed messages.
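The mismatch described above comes down to two different definitions of "installed": a registry marker that WU trusts, and the versions of files actually on disk that MBSA and HFNetChk check. The script below is an added example, not code from the article or from Microsoft, that reconciles the two views over a constructed patch catalog, registry snapshot and file inventory (all bulletin ids, key paths, file names and versions are placeholders). It flags the "phantom" case from the article, where the key exists but the files were never updated because the download failed midway, as well as the reverse case, where files are current but no key was written, so WU would keep offering the patch.

```python
"""Reconcile registry-marker patch state (the WU view) against on-disk file
versions (the MBSA/HFNetChk view). Added example with constructed data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    bulletin: str       # placeholder bulletin id, not a real MS number
    registry_key: str   # key WU looks for to decide the patch is installed
    files: dict         # file name -> minimum version the patch should leave on disk


def parse_version(text):
    """Turn '5.0.2195.4100' into a tuple so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def registry_says_installed(registry, patch):
    """WU's test: the marker key is present, nothing else is checked."""
    return patch.registry_key in registry


def files_say_installed(inventory, patch):
    """MBSA/HFNetChk-style test: every file the patch ships is at or above
    the patched version. A file missing or too old means not installed."""
    for name, needed in patch.files.items():
        have = inventory.get(name)
        if have is None or parse_version(have) < parse_version(needed):
            return False
    return True


def reconcile(registry, inventory, catalog):
    """Return {bulletin: status} for every patch in the catalog.

    installed    : key present and files current (both tools agree)
    phantom      : key present but files stale; WU hides the patch, the box is exposed
    unregistered : files current but no key; WU keeps offering an already-applied patch
    missing      : neither tool sees it
    """
    results = {}
    for patch in catalog:
        by_registry = registry_says_installed(registry, patch)
        by_files = files_say_installed(inventory, patch)
        if by_registry and by_files:
            status = "installed"
        elif by_registry:
            status = "phantom"
        elif by_files:
            status = "unregistered"
        else:
            status = "missing"
        results[patch.bulletin] = status
    return results


def needs_reapply(results):
    """Bulletins an administrator should re-apply: anything the registry
    claims is done but the files contradict."""
    return sorted(b for b, s in results.items() if s == "phantom")


# Constructed sample data (placeholders, not real bulletins or binaries).
SAMPLE_CATALOG = [
    Patch("BULLETIN-A", r"HKLM\SOFTWARE\Microsoft\Updates\BULLETIN-A",
          {"netlib.dll": "5.0.2195.4000"}),
    Patch("BULLETIN-B", r"HKLM\SOFTWARE\Microsoft\Updates\BULLETIN-B",
          {"httpd.dll": "5.0.2195.4100", "parser.dll": "5.0.2195.4100"}),
    Patch("BULLETIN-C", r"HKLM\SOFTWARE\Microsoft\Updates\BULLETIN-C",
          {"shell.dll": "5.0.2195.4200"}),
    Patch("BULLETIN-D", r"HKLM\SOFTWARE\Microsoft\Updates\BULLETIN-D",
          {"kernel.dll": "5.0.2195.4300"}),
]

# Registry snapshot: B's key was written although its download died midway.
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Updates\BULLETIN-A",
    r"HKLM\SOFTWARE\Microsoft\Updates\BULLETIN-B",
}

# File inventory: parser.dll never got replaced; shell.dll was updated by an
# OS update that wrote no bulletin key.
SAMPLE_INVENTORY = {
    "netlib.dll": "5.0.2195.4000",
    "httpd.dll": "5.0.2195.4100",
    "parser.dll": "5.0.2195.3900",
    "shell.dll": "5.0.2195.4250",
}

if __name__ == "__main__":
    report = reconcile(SAMPLE_REGISTRY, SAMPLE_INVENTORY, SAMPLE_CATALOG)
    for bulletin, status in report.items():
        print(f"{bulletin}: {status}")
    print("re-apply:", needs_reapply(report))
```

The useful output is the disagreement list, not either tool's verdict on its own: a scanner that only reads marker keys will never surface the phantom entries, and a file-based scanner with a bulletin-only database will never explain the unregistered ones.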
“Microsoft will make changes to hot fixes and make no further mention of the changes until someone outside Microsoft has documented that it has occurred. Time and effort is spent by users and administrators on these issues,” said Fred Dunn, systems management server administrator at the University of Texas Health Science Center at San Antonio. “I think … we are trying to believe in the integrity of Microsoft's security analysis tools and patches, but Microsoft is not making that easy for us.”
The problems come at an inopportune time for Microsoft, given that it has released into beta a new version of WU, called WUCE (WU Corporate Edition). A full release is due next month or in June. WUCE has the same scanning functions as the consumer version, which has led some security experts to recommend that potential customers avoid it. “I won't be recommending it because it's unreliable, and I don't want customers to get a false sense of security,” said Russ Cooper, surgeon general of TruSecure Corp., in Herndon, Va., who has tested the WUCE beta version.
Microsoft officials acknowledge the confusion but said much of it has been triggered by two patches—MS02-008 and MS02-009—which were updated after their release and have caused WU and MBSA to report conflicting results. But the company is working to reconcile the differences among the tools.
“One thing we're focused on hard internally is how we can get as high a level of integrity and consistency as possible,” said Steve Lipner, director of security assurance at Microsoft, in Redmond, Wash. “We need consistency and clarity across these tools.”