It's Friday night, the start of a holiday weekend, and unlucky you, you have a major project to finish up for work. Rather than go into the office, you're all set up to telecommute from home. Wanting to be as secure as possible, you download the latest updates for Windows XP from the Microsoft Windows Update site. But after rebooting, you find you can't connect to your company's VPN. Worse, you can't even get online.
You call your company's IT department. If you can't reach anyone because it's the start of a weekend, you call a professional instead. The tech-support guy asks, "Have you installed any new software recently?" You say yes, you installed one little Microsoft update that was supposed to enhance the security of your VPN connection.
Tech support tells you to remove the offending update via the Add/Remove Programs Control Panel. This resolves your dilemma but might leave you with a hefty bill if you had to contact a pro.
It happened
Sound far-fetched? It's not. Something like this actually happened to many of the 600,000 Microsoft Windows XP users who downloaded the latest OS update during this past Memorial Day weekend. It's just another example of how, despite its much-publicized Trustworthy Computing initiative, Microsoft often leaves you and me in the dark regarding its software flaws.
The update in question, which has been pulled from the Windows Update site, was indeed intended to beef up security in remote-access VPN connections by enhancing the Layer Two Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec) in Windows XP. Instead, it shut down Internet access for anyone using a non-Microsoft firewall.
Unlike previous versions of Microsoft's operating system, Windows XP ships with its own firewall software. Most people, however, also use more robust, third-party firewalls, such as those developed by Norton, McAfee, Zone Labs, and Sygate. These firewalls, which use methodologies different from Microsoft's, were the reason many people couldn't get online after installing the update. Basically, some firewalls weren't able to communicate with the new Microsoft IPSec driver and therefore blocked all packets of Internet-bound data.
To learn more about what went wrong with this Windows XP update, I visited the Microsoft site. After some digging, I found a Knowledge Base article that provided detailed information about what the update should have accomplished. But the article contained only one sentence about known incompatibility issues with non-Microsoft firewalls: "This [update] may affect server configurations for third-party gateways." It did not provide any further information, such as instructions on how to remedy the situation.
What were they thinking?
Who's to blame? I fault Microsoft for not testing this update thoroughly and for not publicizing the problems that resulted because of it. Since the problem was caused by an update, not by a full-blown security patch, an e-mail message was not sent to the 50,000 people who subscribe to Microsoft's Security Bulletins, which are supposed to keep them apprised of abnormalities in the company's software. Neither did Microsoft post any notices about this issue in a prominent position on its Web site. In short, if you didn't figure out--on your own or with the help of a pro--that you needed to uninstall the update, you might still be wondering why you can't connect to the Net.
I'd like to provide you with a quote from someone at Microsoft who could defend the company's decision to post a nonessential update without thoroughly testing it. But my repeated attempts to contact a Microsoft spokesperson for comment have proved fruitless.
Not that I'm too surprised. The last time I criticized Microsoft's handling of Internet Explorer security updates, I received an e-mail message from Microsoft's PR firm, Waggener Edstrom. But the firm was concerned only that I'd neglected to mention the free Microsoft Security Bulletin service. (In fact, I wrote about this in the second-to-last paragraph.)
What have we learned from this episode? First, never update software on a Friday. Seriously. One reason Microsoft sends out its security bulletins on Wednesdays is so that your IT department is around to help you if there are problems. Second, don't count on Microsoft to keep you informed when something goes wrong with its software. And third, we've learned that you shouldn't download a Microsoft update until it's been around for a few days, just in case it shuts down your Internet connection--or worse. Sadly, that's the reality of Trustworthy Computing.
Have you ever had problems with Windows Update? How could Microsoft better handle security issues? TalkBack to me.