Microsoft Delays Patch Tool, Challenges Cisco

Last week was a busy one for business-technology and security professionals defending computer systems and networks that run Microsoft applications and operating systems. They had to deal with software patches, cleanup tools, and newly discovered security holes. They also got details on Microsoft's network-security initiative--and disappointing news about another delay in a patch-management tool that promises to work with a variety of the vendor's products.

Microsoft issued seven security bulletins with a total of 21 software patches, including two rated as critical. One of the vulnerabilities, a buffer overflow within Windows Task Scheduler, could let an attacker take over an unpatched system.

The company also released a tool designed to remove a piece of malicious code known as Download.ject that plants a Trojan horse on the computers of Web surfers and was part of a widespread Internet attack last month. And it said it would bolster antivirus defenses for users of its Hotmail E-mail service.

But Microsoft told customers they would have to wait until the first half of next year for Windows Update Services, a free Windows Server tool that aims to simplify the patching process for many Microsoft applications. It's the second delay for the tool, which was originally planned for the first half of this year.

"That's a real disappointment," says Lloyd Hession, chief security officer with Radianz, which provides network services to the financial-services industry. Businesses have been looking for Microsoft to improve the patching process and will be unhappy with the delay, he says. But if Microsoft is taking more time to make sure the quality-control aspects of the patching tool are solid, then the delay is understandable, Hession says.

Microsoft says it's incorporating suggestions from testers of Windows Update Services and that it hopes to issue another test version of the product in the fourth quarter. The company also attributes the delay, in part, to work its doing on an automatic-update agent in Windows XP Service Pack 2, the security-oriented upgrade to Windows XP that's now slated for release next month.

Microsoft also unveiled details about a security initiative called Network Access Protection. Much like the Network Admission Control initiative from networking leader Cisco Systems, NAP will check to make sure a computer has up-to-date security patches and antivirus signatures before it's allowed to access the network. Some 25 tech companies say they'll support NAP. Cisco, however, wasn't on the list and wouldn't discuss whether it will support the initiative. NAP is scheduled to be part of the next release of Windows Server 2003, known as R2 and slated for the second half of next year.

With Microsoft competing with Cisco's efforts, as well as an initiative by the Trusted Computing Group to build a similar standard, analysts are concerned there may be too many standards attempting to do what NAP aims to accomplish. "We're urging the two of them [Cisco and Microsoft] to compromise. The two need to support a common protocol," says John Pescatore, a VP and research fellow with Gartner.

Microsoft says it agrees. "We've heard that loud and clear," says Steve Anderson, director of marketing for Windows Server. "We want one architecture and one set of standards where everyone can play."