Opinion: Don't Be Quick to Accuse Code Red-Stricken Colleagues of Negligence

In mid-June, several media outlets – MSNBC, C|Net and ENT among them – alerted readers to the existence of a dangerous new vulnerability that affected Windows NT 4.0 and Windows 2000 systems running Microsoft’s IIS 4.0 and IIS 5.0 Web servers.

At the same time, Microsoft e-mailed a bulletin to the more than 250,000 subscribers of its security mailing list and urged them to install a patch to fix the problem. The software giant claimed that it also dispatched representatives to many of its largest corporate customers to personally impress upon them the danger associated with the vulnerability.

The stakes, the software giant acknowledged, were high: A malicious attacker could exploit the vulnerability to take complete control of a compromised system.

With blanket media coverage and with Microsoft’s own efforts taken into account, it’s surprising, then, that the attacks which inevitably materialized to exploit this vulnerability – Code Red, in all of its variants – were so successful.

Given the software giant’s spotty service pack, hotfix and maintenance release histories, however, the damage wrought by Code Red should to some extent have been anticipated. Remember, we’re talking here about Microsoft, the same company that only two months ago required three attempts to successfully patch a serious vulnerability in Exchange’s Outlook Web Access component.

The fact of the matter is that many IT managers simply don’t trust Microsoft when it comes to the reliability of its software patches – and with good reason.

After all, Microsoft has botched at least two service pack releases (Windows NT 4.0 SPs 2 and 6), more than a few hotfix updates (LSA Secrets, Outlook Web Access, among others), and a variety of maintenance releases (Office 97 SR-1, Office 2000 SR-1). In many cases, Microsoft software patches have severely damaged systems; in some cases (Windows NT 4.0 SP2), they’ve rendered certain systems altogether unbootable.

For some IT managers, installing a Microsoft software update on a mission-critical system may seem a lot like playing a game of Russian Roulette – with a semiautomatic pistol. You’ve got to feel for them: Saying that they’re stuck between a rock (the possibility of malicious attack or of total system compromise) and a hard place (unplanned, expensive and potentially disastrous system downtime) doesn’t quite describe the dilemma that they face managing and hardening Windows NT 4.0 and Windows 2000 systems in the enterprise.

What do you do when you’re presented with an almost irresolvable contradiction? You take a leap of faith – and you plan for the future.

In this case, then, IT organizations should probably have bitten the bullet, so to speak, and patched their vulnerable systems as soon as possible (and certainly after the first wave of Code Red attacks surfaced in mid-July). The potential for harm – fully realized for the first time in Code Red II, which provided attackers with a backdoor and with system-level privileges on compromised systems – was just too great.

At the same time, IT organizations should bear in mind that they also enjoy some leverage in their dealings with the folks in Redmond. Earlier this year, Microsoft unveiled a revamped licensing model that keys heavily on subscription-based software services. The software giant hopes that IT organizations will opt for its new Software Assurance program, which lets them lease Microsoft operating system and application software for predetermined periods of time. The rub, of course, is that only companies which regularly upgrade their software infrastructures really stand to benefit from Software Assurance.

This doesn’t have to be the case, however. Roger Seielstad, a senior network administrator with Peregrine Systems Inc., an Atlanta-based consulting and software firm that specializes in infrastructure resource management, speculates that a maintenance and support licensing scheme such as Software Assurance could force Microsoft to adopt a more “regimented schedule for releasing service packs and upgrades” – especially if customers demand as much.

“Companies won't tolerate paying for a full year of support for a few hotfixes, most of which aren't applicable to their environments. They will expect a return on their investments,” he comments. “The current licensing model doesn't offer Microsoft the incentive to drive for high quality in existing products, as their revenue model currently is driven by sales alone, and new products drive sales.”

IDC analyst Dan Kusnetzky has observed that the only way you can be sure you’re really getting Microsoft’s attention is to shout loudly and to shout often – preferably in the company of other similarly-inclined, and equally vociferous, shouting individuals.

In view of the problems that have historically attended Microsoft service pack, hotfix and maintenance releases – and with a mind to the damages that worms like Code Red can wreak when IT organizations are loath for these reasons to apply software patches – customers should begin screaming loudly and in unison for more reliable, more timely software updates.

And until Microsoft starts listening, customers should boycott Software Assurance. That kind of shouting can be deafening.

Stephen Swoyer is a contributing editor at ENT and a freelance IT reporter. He can be reached at:

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.