A growing number of Microsoft Corp. customers are angry and frustrated with what they say are the companys thinly veiled attempts to use its well-publicized security initiative to get them to upgrade or buy new software.
Users contacted by eWeek last week reported various technical problems with Microsofts automated services that let customers download and install patches for applications such as Internet Explorer 5.5 or Windows NT 4.0. They also said that when they contacted Microsoft support personnel, they were told that the software they were running was outdated. The solution: Upgrade to a more recent, more secure version.
One user with extensive security training, who asked not to be named, said she recently installed Windows 2000 Service Pack 3, which includes security fixes. The installation destroyed her network connection, forcing her to uninstall the service pack and leaving that machine exposed to the vulnerabilities the update should have fixed.
Others say that the combination of problems with Windows Update and other such services, along with Microsofts decision to release some of its patches solely through these automated tools, have led them to dispense with installing some fixes altogether.
Although Microsoft has agreed as part of its consent decree with the Department of Justice to continue to provide support and updates for its older products, the users say the company seems to be penalizing customers who use legacy applications by making it difficult for them to obtain patches.
“More and more security hot fixes seem only to be available via Windows Update. We use [St. Bernard Software Inc.s] UpdateExpert for patch management, and now some of the hot fixes cant be directly downloaded by the tool,” said Doug Wyatt, systems administrator at Kohlman Systems Research Inc., in Lawrence, Kan. “Then there are the apparently intentional difficulties in manually obtaining NT 4.0 patches for use when you dont have a hot-fix management tool running on Windows 2000. Do you suppose Microsoft wants to help me decide to upgrade from NT 4.0 to XP?”
Microsofts Trustworthy Computing initiative has included security reviews of the code in many of its products. As a result, those current and forthcoming applications are being hardened and made more secure than prior versions.
Microsoft officials said the company encourages customers to upgrade to Windows XP and IE 6.0, among other applications, but denied that it is pressuring customers to do so.
“Certainly NT 4.0 and IE 5.5 are still under support,” said Steve Lipner, director of security assurance at Microsoft, in Redmond, Wash. “Would I prefer that as many customers as possible be on IE 6 from a security standpoint? Yes. And weve done more with XP than we did with NT as far as security is concerned.”
But Patrick Flannigan, an IT administrator at CFS Mortgage Corp., in Phoenix, said Microsofts decision to emphasize security over functionality has made even Microsoft Outlook 2002 useless in his company.
“The average end user has no choice but to accept Microsofts decision as to what they can or cannot download,” Flannigan said. “I dont believe Ill ever be able to trust them again with patches … only applying them if I feel they wont affect my existing software.”