As I do every week before sitting down to write this commentary, I opened up the folder containing articles I've written this year and it's easy to see a theme developing: By a wide margin, Microsoft security topics have dominated this year's editorials--and it's not something I planned. Like so much else I write, Windows & .NET Magazine UPDATE's content is dictated by recent events. And as I write this commentary in mid-2004, security is very much the number-one topic. We just can't escape it.
The most recent security-related news is that Microsoft is delaying its eagerly anticipated Windows Update Services (WUS)--the successor to Microsoft Software Update Services (SUS)--from late 2004 until the first half of 2005. I first wrote about WUS in Windows & .NET Magazine UPDATE in March ( http://www.winnetmag.com/article/articleid/42119/42119.html ), and if the beta is any indication, the implementation details haven't changed since then.
But WUS, like Windows XP Service Pack 2 (SP2) and other products, is waiting on an update to Microsoft's patch-downloading infrastructure, Windows Update. Windows Update 5, also in beta, will contain important changes, including an update to Microsoft's trickle download technology, Background Intelligent Transfer Service (BITS), that will help the company better distribute massive updates such as SP2.
So why does Microsoft have to push back the WUS release? Microsoft tells me that changes to the new Automatic Updates agent in XP SP2 are responsible for the delay. But one side effect of this delay is that the company is also delaying the promised summer public beta of WUS, this time until late 2004. This beta is the preview release that Microsoft intends to distribute publicly, and it will likely represent the first time that most UPDATE readers will have a chance to obtain the WUS code. Although I still expect many of you to excitedly check out this release, Microsoft's inability to ship even beta code on time is a bit disheartening.
For small and midsized businesses, the news is more than disheartening. Now, more than ever, Microsoft shops need an automated way to distribute critical updates and other patches to desktops, and not all businesses have the resources or technical acumen to install Microsoft's enterprise-oriented Systems Management Server (SMS). That said, SUS is a fine, if somewhat limited solution for the short term. Asking businesses to hold on to that infrequently updated product for up to another year, however, is problematic. For example, SUS distributes only Windows patches, but WUS will add support for various Microsoft Office versions, Exchange Server 2003, SQL Server 2000, and the Microsoft Data Engine (MSDE).
WUS isn't the only security-oriented Microsoft product facing delays these days. Here's a partial rundown of the products Microsoft has recently delayed:
* XP SP2--Originally due in late 2003, SP2 was revamped and set on course for a release in the first half of 2004. But Microsoft delayed it until July, then August. Currently, it looks like SP2 could ship around the second week of August. If you're not already evaluating SP2 Release Candidate 2 (RC2), publicly available from the Microsoft Web site, I beseech you to do so now. SP2 is going to break things, and you need to be ready.
* Various known Microsoft Internet Explorer (IE) vulnerabilities-- The world's most-attacked Web browser is an open target for intruders, and the recent release of an interim configuration change doesn't solve the most glaring problems with this product. I discussed IE in detail last week ( http://www.winnetmag.com/article/articleid/43276/windows_43276.html ), and several readers noted that, because you can't permanently remove IE from Windows, replacing it with a third-party browser won't help. This idea isn't entirely true: Simply ceasing to use IE will reduce your "attack surface," if you'll excuse my using a Microsoft term. But yes, it's true that any IE-based attacks can still succeed if you've hidden IE and manage to download the appropriate attack to your system. But hiding IE is safer than continuing to use it and a step along the road to better security. No, it's not the complete solution.
* Windows Server 2003 SP1--This release will feature an intriguing new roles-based Security Configuration Wizard, but like most other Windows-oriented products, SP1 is waiting on XP SP2. After the SP2 release to manufacturing (RTM), Microsoft can begin work on Windows 2003 SP1 in earnest. But promises of a late 2004 release now seem unrealistic. Don't expect this update until the first half of 2005.
* SQL Server 2005 and Visual Studio (VS) 2005--The next versions of SQL Server and VS will include various functional enhancements, but the most notable aspect of these products is how often they've been delayed. SQL Server 2005, previously code-named Yukon, was originally due in late 2003. It will now ship almost 3 years later. And I don't have the space to discuss the Software Assurance (SA) concerns that arose in the wake of SQL Server's delays.
* Longhorn--Does anyone else remember when Longhorn was a minor, interim release on the way to Blackcomb? Today, Longhorn's everything-but-the-kitchen-sink philosophy appears poised to make this release the next Windows NT Cairo. And although I'm one of those rare proponents of Longhorn's optional and misunderstood Palladium security technologies, I have to wonder what benefit these features can have if they never ship. Originally expected in 2003, and recently delayed until 2006, Longhorn might never ship. Again, it's disheartening.
I've groused a lot recently about Microsoft's security problems, but even more disturbing, perhaps, is the company's apparent inability to ship product. As rivals such as Linux, Apple Computer, and Mozilla make huge gains on both the server and the desktop, it's hard to understand how a company with Microsoft's resources can stand still for so long. But is it possible that Microsoft's security problems are really to blame for its sudden inability to release new products?
