[ISN] Microsoft Pulls XP Update Over Glitch

From: InfoSec News (isnat_private)
Date: Wed May 28 2003 - 00:26:06 PDT

    http://www.washingtonpost.com/wp-dyn/articles/A45119-2003May27.html
    
    By TED BRIDIS
    The Associated Press
    Tuesday, May 27, 2003
    
    WASHINGTON - Microsoft Corp. withdrew a security improvement for its
    flagship Windows XP software after it crippled Internet connections
    for some of the 600,000 users who installed it.
    
    Microsoft officials said Tuesday the update - which had been available
    as an option since Friday on its "Windows Update" Web site -
    apparently was incompatible with popular security software from other
    companies, such as Symantec Corp.
    
    Microsoft said Internet connections failed immediately for an
    unspecified number of more than 600,000 computers using Windows XP who
    downloaded and installed the update. Consumers could reconnect only by
    removing the update, which promised to improve reliability for types
    of secure Internet connections commonly used by corporations.
    
    The glitch occurs amid a debate in Washington among cybersecurity
    experts whether the technology industry should test the reliability
    and security of such updates more aggressively. Hackers can easily
    attack government systems where updates aren't installed routinely,
    but some experts install them only reluctantly because of worries
    about unintended consequences of some updates.
    
    A White House plan completed this year instructed the General Services
    Administration to work with the Homeland Security Department to study
    the effects of software patches on hundreds of computer programs. The
    plan said the government will share its findings with the technology
    industry.
    
    That provision fell short of earlier drafts of the White House plan,
    which urged industry to create its own testing center that would make
    sure updates don't cause additional security problems. Some experts
    complained it wasn't feasible because of the complexity of studying
    millions of possible hardware and software combinations.
    
    Microsoft was still investigating the latest glitch, which affected an
    obscure security technology in Windows. The update should have allowed
    traveling executives, for example, to connect more securely and more
    reliably from a hotel room back to their corporate computer networks.
    
    Microsoft said the changes it made complied with the latest industry
    standards, and said early indications linked the problems to some
    popular third-party products, such as protective firewall software
    sold by other companies.
    
    Microsoft would not say how many of its customers reported problems
    but said it was a small number. The company pulled the update from its
    Web site over the Memorial Day weekend; officials could not say when
    the update might be available again.
    
    "Most systems didn't crash; they simply lost network connectivity,"  
    said Michael Surkan, a Microsoft program manager for its networking
    communications group. "There were hundreds of thousands of people who
    downloaded this, and we know of only a handful of people who had the
    problem."
    
    Because the software update was considered a security improvement and
    not an urgent repair, it was available only to customers who
    specifically visited the Windows Update site Friday. Other repairing
    patches can be delivered automatically to consumers.
    
    
    On the Net: Affected software update:  
    http://support.microsoft.com?scidkb;LN;818043
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


