ZDNet UK / News and Analysis / Business of IT / IT Strategy

Windows Server 2003 gets first security patch

By Peter Judge, ZDNet.co.uk, 4 June, 2003 22:29

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

Stuart Okin, eeye, microsoft windows server 2003 security patch

NEWS
Less than two months after launching its Windows Server 2003 operating system, Microsoft has released a security patch to fix a vulnerability that could let malicious sites run damaging code on the server. Although security experts -- even those at Microsoft itself -- had pointed to the company's latest server OS as the first test of the software giant's massive Trustworthy Computing initiative, representatives maintained that the patch did not mean the release had been a failure in its security practices. "It actually highlights positive progress in Trustworthy Computing," said Microsoft's U.K. security chief, Stuart Okin, explaining that Server 2003 is significantly hardened in comparison to previous versions of Windows. The vulnerability has less effect on Server 2003 because it relies on services that are switched off by default in that version of Windows, explained Okin. Earlier versions of Windows have services switched on by default, which can be used to form part of an attack. The company has already issued tools to lock down previous versions of Windows, but these are not universally applied. Windows Server 2003 is the first major release of Windows to come out since the company's much publicised decision to emphasise security and make sure all its code is trustworthy. The operating system was delayed three times, partly to improve security and reliability. It has therefore been seen as a test of whether the company really can make products which are more than secure, and stem the string of security flaws and vulnerabilities that have marred its operating systems in the past. The new flaw affects Internet Explorer 6, which ships with Windows Server 2003, as well as other Microsoft operating systems. It is fixed, along with other IE6 flaws, in a cumulative patch released on Wednesday. Although the patch is rated "critical" for all other operating systems, it is only "moderate" for Server 2003, according to Microsoft's system for grading the severity of the vulnerabilities it addresses. A security patch so soon after the release is potentially embarrassing, but independent security researchers agreed that the default configuration of Windows Server 2003 seems more secure. "You can always (change the settings and) make your system insecure, but the major issue is that it comes secure in its initial configuration," said Johannes Ullrich, chief technology officer for the Internet Storm Center, run by SANS, the SysAdmin, Audit, Network, Security Institute. Most installations of Windows Server 2003 will never need to have a Web browser, Ullrich said, unless the application is as a Windows terminal server, where multiple users log on to the computer and run their software right off that system. In late May, Microsoft vowed to fix a backwards-compatibility problem with the backup component of Windows Server 2003, a minor flaw that didn't affect security. Jeff Jones, Microsoft's senior director of Trustworthy Computing, stressed that the company has never said that it would eliminate bugs from its system. That's largely seen as an impossible task. "We are not claiming that there won't be a critical vulnerability; there will be one eventually," Jones said. "The really significant aspect here is that we have reduced the attack surface" of Windows Server 2003. Microsoft measures the potential avenues for attacking its applications as that software's Relative Attack Surface Quotient. If a critical vulnerability is found, but the attacker can't remotely exploit the flaw, then the threat is largely mitigated, Jones said. The vulnerability was found by security specialist e-Eye in March, but there was no evidence of anyone using attacks based on it, so it was dealt with quietly said Microsoft. Because Windows Server 2003 had already been released to manufacturing, the patch had to be developed and released at a later date. While some patches can be put together in days, this one took somewhat longer. "There is no standard template for how long a patch takes to create," said Okin. The patch was not seen as an emergency because it was not being used by hackers, and there were lots of mitigating factors making it less dangerous, he said. The announcement comes one day after Microsoft's global security chief, Scott Charney reiterated Microsoft's promises to simplify the way it distributes patches to users. Since Server 2003 was released, the company has also issued a guide to implementing the operating system securely.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section. Let the editors know what you think in the Mailroom.

Related stories

Gates vows better security to customers

One year on, is Microsoft 'Trustworthy'?

Microsoft opens Windows for UK

Heart of England NHS begins massive digitisation plan

Hard-drive woes hit PC shipments in fourth quarter

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

Dennis Nilsson

If we allow corporate interest to dictate the way our government circumvents due process against foreign entities then we should accept the same...

45 minutes ago by Dennis Nilsson via Facebook on ACTA stumbles in Germany
GHar123

I totally dislike pirating of works, I fear that artists will be deterred from creating works if they think that they are going to get ripped off....

2 hours ago by GHar123 on ACTA stumbles in Germany
JCB33

How dare film makers, artists or anybody that invests in creativity stop us pirating their works for free. I want to be able to walk into my local...

8 hours ago by JCB33 on ACTA stumbles in Germany
Moley

@GrueMaster. I prefer horses for courses rather than one size fits all. I, and I suspect most other computer users, do not really wish to have...

10 hours ago by Moley on A tale of two distros: Ubuntu and Linux Mint
greycynic

The product that scares me every time I have to use it is the Office 2007 version of Excel. The first bug that I found was applying the median...

10 hours ago by greycynic on Ten flawed products that derail productivity
GrueMaster

Nice review and very informative. One thing I'd like to add (in reply to whs001's 1st question), the main reason to have the same interface from...

12 hours ago by GrueMaster on A tale of two distros: Ubuntu and Linux Mint
Frederick Wrigley

I'be been using Mint 12 since the RC came out, and I am far more happy with the Cinnamon, the Mate, and, yes (with extensions), theGnome 3...

12 hours ago by Frederick Wrigley via Facebook on A tale of two distros: Ubuntu and Linux Mint
bdantas

Excellent article. One small correction, though--although a fresh installation of Linux Mint 12 will, indeed, provide the user with a version of...

13 hours ago by bdantas on A tale of two distros: Ubuntu and Linux Mint
Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

14 hours ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

14 hours ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Moley

For Gnome 2 die-hards, it is possible to add icons to the bottom panel (or top top panel, if you prefer) which provide the exact Gnome 2...

15 hours ago by Moley on A tale of two distros: Ubuntu and Linux Mint
ramwellian

Your comments would seem pretty naive and immature. Your 'solution' appears to be, "gee, let's all just give in to the hackers and give them...

15 hours ago by ramwellian on Cloud computing security: no more oxymoron?
BugStalker

"Interesting thought ... If you installed Win7 as a dual boot on a machine that previously only had Linux, and it wrecked your Linux installation,...

15 hours ago by BugStalker on Windows 7 Declares War on GRUB
whs001

This is an excellent summary of Ubuntu and Mint and the interface differences between them. Most such articles take a very partisan position for...

15 hours ago by whs001 on A tale of two distros: Ubuntu and Linux Mint
Moley

@ewallace. Not so clear. Anyone can obtain the text, for example from here http://www.ustr.gov/webfm_send/2379. I support ACTA so long as it and...

15 hours ago by Moley on ACTA: Facts, misconceptions and questions
45283

I think WinRT is fantastic. I just wish it was an option for people that didn't want to go through Microsoft's App Store with its attendant...

18 hours ago by 45283 on Why Windows 8 needs architectural hygiene for WOA
Burn-IT

Nine people? £30m? Who's back pocket is that lot going in? And IF they say it is for new buildings, what about all the ones the government has...

20 hours ago by Burn-IT on Police set to launch three £30m e-crime hubs
ewallace

Just to be clear, nobody knows what is in the text of ACTA, here is a photograph of the text of ACTA http://twitpic.com/8h9iju as submitted to the...

20 hours ago by ewallace on ACTA: Facts, misconceptions and questions
fgvrg56

Unfortunately main issue is that ASUS is refusing to accept that they make some mistake on this version of asus Transformer prime. 1 - GPS sensor...

21 hours ago by fgvrg56 on Asus Eee Pad Transformer Prime Wi-Fi & GPS problems?
Ben Woods

@Marcus A fair question. Just talked with Archos which said it was working on an announcement for next week....

22 hours ago by Ben Woods on Archos confirms G9 Ice Cream Sandwich update schedule

Latest in IT Strategy

Heart of England NHS begins massive digitisation plan

Hard-drive woes hit PC shipments in fourth quarter

Featured white papers

CIO challenges: Bringing your iPad to work

Aruba Networks

CIO challenges: Bringing your iPad to work

The arrival of personal technology in the office is a challenge for all organisations, but how can it be adapted securely for corporate... Read more

The Relevance of Cloud Infrastructure to Enterprise Challenges

SAVVIS

The Relevance of Cloud Infrastructure to Enterprise Challenges

This white paper reviews the evolution of data center outsourcing, and introduces cloud offerings within this historical... Read more

Graphene: A guide to the future from ZDNet UK

ZDNet UK

Graphene: A guide to the future from ZDNet UK

What is graphene? How is graphene made? And why isn't a graphite pencil worth thousands of pounds? Explore this strange material with ZDNet UK's guide to... Read more

Inside ZDNet UK

A tale of two distros: Ubuntu and Linux Mint

A tale of two distros: Ubuntu and Linux Mint

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

BlackBerry Bold 9790

BlackBerry Bold 9790

How to handle data replication

How to handle data replication

Ten factors that make Ubuntu 11.10 a hit

Ten factors that make Ubuntu 11.10 a hit

Toshiba Portégé Z830-10P Review

Toshiba Portégé Z830-10P Review

BT's archive: Pictures from the vault

BT's archive: Pictures from the vault