Wednesday, July 9, 2008

July 8: Microsoft Security Update Gets an F

F is short for Fail, and Microsoft got a failing grade from me on its latest security update for Windows XP (KB951748). Upon installation, tens of thousands of users lost Internet connectivity.

Security Update for Windows XP (KB951748) addresses a serious problem and it should be installed. Unfortunately, this update does not work well with Check Point's ZoneAlarm, a widely used software firewall.

Microsoft's grade was based solely on its failure to test or detect compatibility problems with ZoneAlarm.

Internet Connectivity Shut Off
Once the update was installed, ZoneAlarm detected suspicious activity in the Windows XP kernel and disabled network traffic. It did what it was designed to do.

The Blame Begins
ZoneAlarm is made to block suspect intrusions and extrusions. Many people are blaming ZoneAlarm for the problem, but I do not think it is their fault. Firewalls are under frequent attack, and ingenious ways of selectively allowing or blocking network traffic enables ZoneAlarm to be effective.

Unless Check Point had prior access to the update, the blame rests with Microsoft. Microsoft needed to test their update on computers with ZoneAlarm installed. If they discovered an incompatibility, they should have contacted Check Point to work out a temporary or permanent solution.

Microsoft knows that hundreds of thousands of its users also use ZoneAlarm: Check Point does not know what is in the security update and how it was implemented.

I lost over two hours trying to diagnose and fix the problem. This could have been avoided easily.

Initially, Check Point recommended uninstalling the new security update. That is bad advice because the security update is needed. The alternative is uninstalling or weakening ZoneAlarm, but that might be worse than removing the update.

Newly-patched ZoneAlarm Versions are Available
To enable Internet access with Microsoft's security update; Check Point patched its ZoneAlarm product line. If users can get online, new versions (as of July 9, 2008) are available for the following products:Once I understood the nature of the problem, I uninstalled Microsoft's security update, downloaded the new version of ZoneAlarm and then reinstalled the security update.

Labels: , , , ,

Social bookmark this


Post a Comment

<< Home