Windows Server 2003 gets first patch

Less than two months after launching its Windows Server 2003 operating system, Microsoft has released a security patch to fix a vulnerability that could let malicious sites run damaging code on the server.

Although security experts--even those at Microsoft itself--had pointed to the company's latest server OS as the first test of the software giant's massive Trustworthy Computing initiative, representatives maintained that the patch did not mean the release had been a failure in its security practices.

"It actually highlights positive progress in Trustworthy Computing," said Microsoft's U.K. security chief, Stuart Okin, explaining that Server 2003 is significantly hardened in comparison to previous versions of Windows.

The vulnerability has less effect on Server 2003 because it relies on services that are switched off by default in that version of Windows, explained Okin. Earlier versions of Windows have services switched on by default, which can be used to form part of an attack. The company has already issued tools to lock down previous versions of Windows, but these are not universally applied.

Windows Server 2003 is the first major release of Windows to come out since the company's much-publicised decision to emphasise security and make sure all its code is safe. The operating system was delayed three times, partly to improve security and reliability. It has therefore been seen as a test of whether the company really can make products that are genuinely secure, and stem the deluge of security flaws and vulnerabilities that have marred its OSes in the past.

The new flaw affects Internet Explorer 6, which ships with Windows Server 2003 as well as with other Microsoft OSes. It is fixed, along with other IE6 flaws, in a cumulative patch released Wednesday. Although the patch is rated "critical" for all other operating systems, it is only "moderate" for Server 2003, according to Microsoft's system for grading the severity of the vulnerabilities it addresses.

A security patch so soon after the release is potentially embarrassing, but independent security researchers agreed that the default configuration of Windows Server 2003 seems more secure.

"You can always (change the settings and) make your system insecure, but the major issue is that it comes secure in its initial configuration," said Johannes Ullrich, chief technology officer for the Internet Storm Center, run by SANS, the SysAdmin, Audit, Network, Security Institute.

Most installations of Windows Server 2003 will never need a Web browser, Ullrich said, unless the machine is used as a Windows terminal server, where multiple users log on to the computer and run their software directly on that system.

In late May, Microsoft vowed to fix a backwards-compatibility problem with the backup component of Windows Server 2003, a minor flaw that didn't affect security.

Jeff Jones, Microsoft's senior director of Trustworthy Computing, stressed that the company has never said that it would eliminate bugs from its system. That's largely seen as an impossible task.

"We are not claiming that there won't be a critical vulnerability; there will be one eventually," Jones said. "The really significant aspect here is that we have reduced the attack surface" of Windows Server 2003.

Microsoft measures the potential avenues for attacking its applications as that software's Relative Attack Surface Quotient. If a critical vulnerability is found, but the attacker can't remotely exploit the flaw, then the threat is largely mitigated, Jones said.

The vulnerability was found by security specialist eEye Digital Security in March, but there was no evidence of anyone using attacks based on it, so it was dealt with quietly, Microsoft said. Because Windows Server 2003 had already been released to manufacturing, the patch had to be developed and released at a later date.

Although some patches can be put together in days, this one took somewhat longer. "There is no standard template for how long a patch takes to create," Okin said. The patch was not seen as an emergency because the flaw was not being used by hackers, and there were lots of mitigating factors making it less dangerous, he said.

The announcement comes one day after Scott Charney, Microsoft's global security chief, reiterated Microsoft's promises to simplify the way it distributes patches to customers. Since Server 2003 was released, the company has also issued a guide to implementing the operating system securely.


Talkback: 1 comment

    How trustworthy is Microsoft t ... Anonymous -- 05/06/03

    How trustworthy is Microsoft to have a Trustworthy Computing initiative? The anti-trust case, the attacks on Linux, and in the future '2005' Longhorn that will be the death of it all, even for older Windows versions. As I write this comment, the MPAA and others have tried and continue to try to change the laws for consumer personal computers to be nothing more than play-only boxes at the cost of those consumers. I have to believe they think that if they get their way with the law, somehow dumb consumers will buy it anyway at a higher price. If I could not copy anything, I could not create anything (as programming) on the future "Trustworthy Computing" computer; how will I create a copyrighted written work such as a book, how will I create a new program and obtain copyright for it, if all is closed to such creative work on these future computers? The big question: why buy it? As always, the hardware gang follow in line and will make it all work at a level the everyday non-tech computer user will not understand nor have anything to say about, because they are making money, as that is all they want to do. I know this is off topic here, but it is just this Trustworthy Computing by Microsoft that has me on the edge of my chair in worry about the so-called future of computers.
