Microsoft PDC reveals the future of Windows
In this issue
- TOP STORY: Microsoft PDC reveals the future of Windows
- PATCH WATCH: Microsoft's major patch changes
- WACKY WEB WEEK: The Meatrix
Microsoft PDC reveals the future of Windows
By Brian Livingston
I’ve just returned from the Professional Developers Conference in Los Angeles, where Microsoft announced that there’s a great version of Windows coming if you can just wait a few years.
Actually, they didn’t say that, but they could have. At the PDC, held Oct. 19-23 in the L.A. Convention Center, Microsoft handed out to the 7,000+ developers in attendance the first CDs containing a working, pre-beta build of its new operating system, code-named Longhorn. This product will turn into a shipping desktop version of Windows some time in 2005 or 2006.
Timelines shown by Microsoft speakers during the conference’s main presentations asserted that the first beta build of Longhorn (officially called Beta 1) would be released in the 2nd half of 2004. If that schedule holds up, it means that Longhorn could ship before the end of 2005 if all the development work goes smoothly. If snags are encountered, on the other hand, the product could slip into 2006. At this point, I believe it’s futile to speculate on the exact ship date, which is impossible to predict.
Since Longhorn is so far away from being a working product, I believe that two other upcoming Microsoft releases will have a much greater near-term impact:
- Windows XP Service Pack 2 in 1H 2004
A beta of XP SP2 will be released to interested testers by December 2003, according to Microsoft representatives. The final SP2 release, scheduled for the 1st half of 2004, promises to close some of the security issues in XP. The plan is to make the operating system more resistant to worm attacks, even in machines that may not have a critical patch installed. The changes include improvements to Microsoft’s Internet Connection Firewall (actually turning it on, for example, instead of leaving it off by default), new support for “no execute” areas of memory in order to prevent buffer overruns, and safer versions of Internet Explorer, Outlook Express, and Windows Messenger.
- Windows Server 2003 Service Pack 1 in 2H 2004
While not providing definite guidance on when SP1 for Server 2003 will be released for beta testing, Microsoft suggests that the beta release of SP1 will go out in the 1st half of 2004. The final service pack, scheduled for release in the 2nd half of 2004, is also expected (like the service pack for XP) to concentrate on security fixes for the server OS.
If your company uses Windows XP or develops software that runs on XP, it’s important that you get into the beta test program for XP SP2. Many of the changes planned for that service pack will break programs that aren’t designed for the new environment. In particular, changes to Microsoft’s firewall, RPC (Remote Procedure Calls), and DCOM (Distributed Component Object Model) may interfere with some of today’s programs.
“Developers need to test their apps on SP2 as soon as possible,” said Michael Howard, Microsoft’s senior program manager of security engineering and communications, in a telephone interview. “Some features will be turned off by default” that your programs may rely upon, he emphasized.
An excellent 11-page paper that describes the changes in XP, entitled “Windows XP Service Pack 2: A Developer’s View,” was handed out at a security workshop during the PDC. A copy of the paper has been posted in the MSDN Library. I strongly recommend that you take a look.
Compared to XP SP2, less information is available about plans for SP1 for Windows Server 2003. I’ll cover developments in these and other areas as they evolve.
Now is the time for readers to send me their findings on the pre-beta release of Longhorn and word on the betas of XP SP2 and Server 2003 SP1. To send me tips on these or any other subjects, visit WindowsSecrets.com/contact.
Microsoft's major patch changes
Microsoft has made what I consider the most significant changes in its security-bulletin release policy since the beginning of security bulletins. Instead of sending out Windows patches every week, as has until recently been the case, the Redmond software giant now plans to circulate new patches only once a month, on the 2nd Tuesday of each month. (If a worm is running loose “in the wild,” Microsoft says it will release a special patch immediately.)
I wrote in the paid version of the Oct. 16 Brian’s Buzz that I’d analyze for you the full implications of this new policy. After interviewing several Microsoft officials and independent experts, I’m devoting today’s special report to this topic.
Microsoft’s last patch release was on Oct. 15. On that date, the company announced five patches affecting every supported version of Windows and two patches involving Exchange Server. The next scheduled announcement will be Nov. 11. No new patches have been released between these monthly milestones. That makes this the first time in years that the company has gone as long as four weeks without putting out a Windows patch. Because of this gap, I won’t in today’s issue analyze the latest new patches, since there aren’t any.
I wrote in my Nov. 3 eWeek column that some experts are already saying a monthly schedule will lead to less security than a real-time release policy. Personally, I believe the shift to monthly batches of patches can make your company more secure, if you act decisively to take advantage of the new regime. On the other hand, if you put off rolling out new patches for a week or two after a monthly announcement, you might then say, “I’ll wait until another batch comes out next month.” That would make Microsoft’s switch to a monthly schedule a net loss of security for your company.
The opportunity for greater Windows security is yours to grasp or ignore. Here, then, are the major points you need to know:
• You have a rendezvous with destiny every 2nd Tuesday. Microsoft is moving its release of patches from every Wednesday to every 2nd Tuesday morning. This shift from Wednesday to Tuesday is intended to give legitimate companies almost a full working week to download, test, and roll out the latest batch of patches before black-hat hackers have enough spare time to create and launch viruses and worms.
Some experts feel that script kiddies often have day jobs and mainly tinker with their virus-making kits during their time off. “If the hackers are finding out about it [a new vulnerability] at the same time as the companies, then they don’t have the weekend to work on it,” said Eric Schultze, chief security architect of Shavlik Technologies, a patch-management software firm, in a telephone interview.
Taking advantage of this window during which you can patch your systems before hackers can attack, however, means that you must devote enough staff time on the 2nd Tuesday and subsequent days to finish the needed work. If you procrastinate, your security may actually become worse than it was when Microsoft released patches once or more per week. Administering the monthly update process is now simply part of the cost you must bear for using the Windows platform.
• Will there be any patches on Nov. 11? Because Microsoft hasn’t released any new patches since Oct. 15, it’s easy to become complacent and say, “There may not be any new patches on Nov. 11.” Microsoft is mum on that topic, although we’ll presumably learn the facts in a few days.
Others, though, aren’t so reticent to make predictions. “We absolutely anticipate a release of patches on the 11th,” said Dave Robbins, the CEO of Bigfix, a patch-management solution company, in a telephone interview. Given the number of security vulnerabilities that have been found in Windows recently, it’s best to assume that you’ll have a lot to do on the 2nd Tuesday of this and every coming month.
• The patch format and command-line switches have changed. Different groups within Microsoft have, in the past, distributed patches in different formats, using different install programs with different options. Understanding these options is important for those who develop their own scripts to deploy critical patches “silently,” without intervention by each individual user. Presenting dialog boxes to users during patch upgrades can result in patches being canceled or installed incompletely.
One existing patch format uses a utility called Update.exe, which typically patches Microsoft Windows itself. As described in a white paper by Philip Lieberman, the owner of the Lieberman & Associates network-management software firm, Update.exe uses single-character switches such as the following for a silent installation:
- /u Use unattended mode
- /o Overwrite OEM files without prompting
- /q Use quiet mode (no user interaction)
Another format is called QFE. The Internet Explorer group and other groups of products at Microsoft use this format. QFE has several undocumented options that are not shown when using the utility’s /? switch, all of which Lieberman’s paper explains. For example, the following switches result in a patch installation with no dialog boxes being presented to the end user:
- /r:a Always restart computer after installation
- /r:s Restart without prompting the user
- /q:a Use administrator-quiet mode (no dialog boxes)
The above switches are combined on the command line as /r:as /q:a to accomplish silent installation.
With the shift to monthly patch distribution (or for whatever reason), Microsoft has recently changed the Update.exe utility so it uses switches that are full words instead of single characters. The old switches are currently still supported by the utility, but this support may disappear soon, breaking any of your automation scripts that depend on them.
Microsoft has documented the new Update.exe switches, if you know where to look. For example, security bulletin MS03-042 (826232) describes the switches (to see the descriptions in that document, scroll down, click the plus sign to the left of “Security Patch Information,” and then click the plus sign to the left of “Windows 2000 [all versions]”). The parameters for a silent install are:
- /quiet Quiet mode (no user interaction)
- /passive Unattended mode (progress bar only)
A silent install of MS03-042 for Windows 2000, therefore, would require the following command:
- windows2000-kb826232-x86-enu /passive /quiet
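An added example, not from the original newsletter or from Microsoft or Lieberman & Associates: a Python audit that scans a deployment script for the switches listed above and reports patch invocations that rely on the old single-character Update.exe switches or that carry no quiet-mode switch. The package-name heuristic (a token containing `kb` plus digits), the sample script, and the pairing of /u with /passive and /q with /quiet (matched on the article's descriptions) are assumptions.

```python
import re

# Switches exactly as the article lists them. Pairing /u with /passive and /q
# with /quiet is an assumption based on the article's matching descriptions.
LEGACY_TO_NEW = {"/u": "/passive", "/q": "/quiet", "/o": None}  # old Update.exe
NEW_WORDS = {"/quiet", "/passive"}                               # new Update.exe
QUIET = {"/q", "/quiet", "/q:a"}        # quiet switch of each format (/q:a = QFE)

SWITCH = re.compile(r"(?<!\S)/[a-z][a-z:]*", re.IGNORECASE)
# Assumption: a patch package is any token containing "kb" followed by digits.
PACKAGE = re.compile(r"\S*kb\d+\S*", re.IGNORECASE)

def audit_line(line):
    """Classify one command line; None if it does not invoke a patch package."""
    match = PACKAGE.search(line)
    if match is None:
        return None
    # Only switches after the package name belong to the installer.
    switches = [s.lower() for s in SWITCH.findall(line[match.end():])]
    legacy = [s for s in switches if s in LEGACY_TO_NEW]
    new = [s for s in switches if s in NEW_WORDS]
    if any(":" in s for s in switches):
        style = "qfe"
    elif legacy and new:
        style = "mixed"
    elif legacy:
        style = "legacy"
    else:
        style = "word" if new else "none"
    findings = []
    for s in legacy:
        replacement = LEGACY_TO_NEW[s]
        findings.append(f"{s}: legacy single-character switch; " +
                        (f"article lists {replacement}" if replacement
                         else "no word-style equivalent in the article"))
    silent = any(s in QUIET for s in switches)
    if not silent:
        findings.append("no quiet-mode switch (/q, /quiet or /q:a)")
    return {"style": style, "silent": silent, "findings": findings}

def audit_script(text):
    """Return (line number, style, findings) for each invocation needing review."""
    report = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip().lower().startswith(("rem ", "::", "echo ")):
            continue  # comments and echo text are not invocations
        result = audit_line(line)
        if result and result["findings"]:
            report.append((number, result["style"], result["findings"]))
    return report

# Constructed sample deployment script; only kb826232 comes from the article.
SAMPLE = r"""@echo off
rem install this month's patches
start /wait windows2000-kb826232-x86-enu /u /q /o
windows2000-kb826232-x86-enu /passive /quiet
\\server\patches\example-kb000001 /r:as /q:a
example-kb000002 /passive
"""

if __name__ == "__main__":
    for number, style, findings in audit_script(SAMPLE):
        for finding in findings:
            print(f"line {number} [{style}]: {finding}")
```

Run against the constructed sample, it reports line 3 (three legacy switches) and line 6 (no quiet-mode switch) and passes the word-style and QFE invocations.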
Lieberman & Associates publishes utilities such as User Manager Pro and Task Scheduler Pro that allow IT admins to make global changes to settings and scheduled tasks on thousands of PCs across a network with a single command. I strongly recommend that you look into such products and read L&A’s PDF white paper entitled “Massive Security Hole… Ignored!”
• Patch-management software may need updating. For those IT professionals who don’t create their own deployment scripts but rely instead upon packaged patch-management software, these programs may need to be updated to work with the new Microsoft format. If and when the Redmond company distributes patches that don’t support the old Update.exe-style switches, older patch-management software may fail to properly handle the installation of patches.
Schultze of Shavlik Technologies says his company’s products – including the free HFNetChkLT and the commercial HFNetChkPro – will feel no impact from the changes. “The old patches will use the old switches and the new patches will use the new switches.”
This is not something you can simply assume about your own deployment scripts or all other vendors’ patch-management software, however. It’s wise to test this before Microsoft releases too many more batches of security bulletins.
• Get serious about patch-management tools now. Individual home users may rely upon Microsoft’s built-in Windows Update feature to download and install new patches, but businesses need stronger and more automated methods. If the prospect of testing and deploying five or ten new patches on the 2nd week of every month elicits from you a groan of pain, you’re a candidate for an industrial-strength patch-management solution.
eWeek in its June 2, 2003, issue published a comparative review by Cameron Sturdevant of four major patch-management utilities, including HFNetChkPro. (PatchLink Update received eWeek’s Analyst Choice award.)
But there are many more choices than this in the growing marketplace for Windows patch-management packages. Russ Cooper, the editor of the NTBugTraq security mailing list, announced in his Sept. 18 message a poll of his readers on the patch-management solutions they use. Gathering the responses, he built a table comparing 18 free systems and 29 fee-based systems (that his readers were willing to state that they use effectively).
The results of Cooper’s survey may surprise you. With more than 31,000 recipients on his mailing list, he’s received 4,560 responses as of Nov. 5. The voters range from IT pros who administer more than 100,000 PCs to security-minded individuals who are responsible for only a single machine. Across this spectrum, the most widely-used fee-based and free solutions (and the number of people who report managing their PCs with these offerings) are:
- Fee-based solutions:
  - Novell ZENWorks Suite (392 responses)
  - Shavlik Technologies HFNetChkPro (263)
  - Microsoft Systems Management Server (223)
- Free solutions:
  - Manual patch installs (1518 responses)
  - Microsoft Windows Update (1142)
  - Microsoft Software Update Services (676)
Cooper’s survey page breaks down the responses by network size and links to Web sites that explain in detail most of the 47 total solutions that his readers say they’re using. If you’re facing a monthly wave of new patches but are still using antiquated methods to roll them out, you owe it to yourself to look at the tools used by other businesses of your size and then invest in one or more of them.
• Security patches will no longer be discussed in Knowledge Base articles. The archive of Microsoft’s technical-support articles, known as the Knowledge Base, has for years provided descriptions and links to security bulletins and their related patches. Now, Microsoft is placing all information about patches into the security bulletins themselves. There will still be a new, numbered KB article that relates to the patch discussed in each new security bulletin. But the KB article will contain no useful information, only a link to the appropriate bulletin.
On the one hand, this change will unfortunately reduce the amount of official Microsoft information about Windows patches that one finds when searching the Knowledge Base. On the other, it will no longer be necessary to read both the lengthy security bulletin and the often lengthier Knowledge Base article. All the pertinent details will henceforth be put into the security bulletins, which are already getting much longer than many have been in the past.
Inexplicably, Microsoft still plans to use the KB article number rather than the security bulletin number to display in the Add/Remove Software control panel the list of patches that a machine has installed. For example, the most recent security bulletin, MS03-047 for Exchange Server 5.5, installs patches identified in Add/Remove Software as “Hotfix for Exchange 5.5 v2a (KB828489a)” and “Hotfix for Exchange 5.5 v2b (KB828489b).”
For all of the above reasons, I will continue to mention in future issues of Brian’s Buzz the KB article number alongside the security bulletin number that it is associated with (as many readers have requested). But I will no longer be linking to the KB article, since no information will be found there.
• New security bulletin search engine. Finally, Microsoft launched on Nov. 3 a new search tool called Security Bulletin Search. This page is intended, according to descriptions on Microsoft’s Web site, to let you “specify the severity ratings and release dates of the security updates you want to see.” For example, you can select check boxes so a search would find only bulletins rated Critical or Important, not Moderate or Low. Also, Microsoft explains, “you can choose to see only the most recent security updates, excluding those that have been replaced by later updates.”
Unfortunately, when I tested this search feature on Nov. 4, the page displayed only an error message when I selected a Microsoft product and then turned on the check box called “Show only bulletins that contain patches that have not been replaced by a more recent patch.” No patches at all were listed, although I know that the products I selected definitely have several patches available.
As of Nov. 5, Microsoft has removed the intended search-engine look and replaced it with a sparser interface. The slimmed-down application no longer allows you to ask for only the most recent releases or security bulletins of a given severity (although the site still lauds these features in several places). Perhaps Microsoft will fix these features and return them to the page before long.
The search engine is still handy because you can use it to display only those patches that apply to a given Microsoft product version (such as Windows Server 2003).
• Conclusion. Microsoft’s new monthly patch-release schedule offers disciplined Windows pros a way to keep their systems updated without slogging through the patching process every single week. Individuals (via Windows Update) and enterprises (using patch-management software) can both time their update routines to the 2nd Tuesday batches that Microsoft plans to release.
For more details on the Redmond company’s new schedule, see the white paper entitled “Revamping the Security Bulletin Release Process.”
The Meatrix
Whatever you may think about “Matrix Revolutions” – the final installment of the Matrix trilogy, which is in theatres now – I’m sure you’ll find that “The Meatrix” is a lot funnier.
A mysterious cow with sunglasses, Moo-pheus, brings a blue pill and a red pill to a barnyard pig, Leo, to free him from his fantasies of a family farm. The excellent Flash animation is the result of a grant awarded to GRACE, the Global Resource Action Center for the Environment. The short film has a strong ecology message at the end, but if you can live with that it’s quite an entertaining flick. Caution: plays music, watch the volume level of your speakers if you’re in a cubicle.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
