Microsoft Reaches New High for Patches
Microsoftreleased 30 percent more security patches this year than last year, accordingto Giga Information Group. The analyst group says, “The burgeoning popularityof all things Windows make Microsoft and its products more frequent targets.”
A report byGiga’s Laura DiDio says the two security patches released by Redmond inDecember brought the 2000 total to 90, compared with 62 patches released in1999.
WindowsMedia, on both the client and server end, was a major target of hacks lastyear. In December, Microsoft released a patch for a particular denial ofservice (DoS) attack that could cripple servers running Windows Media Server.
Malicioususers were able to connect to a Windows Media Server running the UnicastService, and then quickly close the session with a certain string of packets.Although the server recognizes that the session is closed, the server resourcesare still allocated to the user. When the steps were repeated, a user couldcripple a server.
To restoreservices, administrators had to restart the afflicted server.
The hackingcommunity presumably shared scripts to automate the packet strings fordisabling servers in this manner. Although the DoS attacks used to crippleYahoo! and other sites in early 2000 used packets to exhaust server resources,the spring attacks used floods of meaningless packets, not specialized packetsfor disabling servers. This attack requires greater sophistication to perform.
Microsoft’spatch prevents this attack from exhausting resources on a Windows Media Server
Redmondalso released patches for Windows Media Player for two separate problems. Inboth cases, the Media Player software was enabling hackers to run programs onother users’ PCs. “It continues the disturbing trend, common to nearly allsecurity flaws, of invading a network and/or individual PC and making unwantedchanges,” states the Giga report. It rates the seriousness of the security holeat 5, on a scale to 10.
A similarsecurity problem plagued Microsoft’s Office products last summer. The OfficeAssistant, an animated character/help window, was Active X enabled. Hackerswere able to script it to perform malicious tasks.
Ironically,DiDio states that the increase in security patches could be seen as a positivefor Microsoft: “Microsoft has become much more security conscious in the latestversions of all its software patches and more proactive in responding quicklyto correct reported flaws.”
The reportwarns that each company has to take responsibility for its own security. “Knowwhat’s on your network and PCs. Keep up to date on the latest patches and fixesand perform regular risk analysis and assessments of your site. In the finalanalysis, it’s your data. If you don’t defend it, no one else will.”
MicrosoftCorp., Redmond, Wash., www.microsoft.com
GigaInformation Group Inc.,Cambridge, Mass. www.gigaweb.com