Microsoft's Patch Policy Pickle
In the wake of recent widespread worm attacks on the Internet, Microsoft is considering taking an unprecedented step: making automatic download and installation of security updates the default option for Windows and perhaps Microsoft Office. But first, experts say, Microsoft needs to improve the quality of both its patches and the Windows Update system that delivers them.
Despite problems with current patches, many people could be better off with automatic updates as the default (users currently must enable them). A Windows Update download to repair the RPC (remote procedure call) flaw that the Blaster worm exploited had been available nearly a month before Blaster showed up in mid-August, and Blaster didn't affect Windows XP, NT, 2000, and 2003 Server users who installed the patch. But those who don't accept updates probably didn't know about the patch until too late.
Trusecure Corporation's self-styled Surgeon-General Russ Cooper--an advisor to corporate clients on Windows security, and a longtime moderator of the NTBugtraq security forum--says businesses don't need to apply every patch Microsoft puts out but recommends that users without specialized security expertise apply all patches as soon as possible. "The vast majority of users don't want to be asked about updates and would love to see it all done for them without their ever being aware," Cooper adds.
Whether they are automated by default or not, updates definitely won't be mandatory, says Greg Sullivan, Windows client division lead product manager. In the meantime, Microsoft's Protect Your PC program has been running full-page newspaper ads and a Web site to urge users to install updates and use firewalls and antivirus software.
Microsoft is also considering strengthening Windows' anemic built-in Internet Connection Firewall and enabling it by default in future Windows versions and service packs. Even without the anti-Blaster RPC patch installed, Windows XP users who managed to locate ICF buried deep within their system's network settings and then enable it were safe from Blaster, though not from the in-box-clogging Sobig worm that followed.
"Since ICF doesn't stop outbound connections, it has no way of preventing things like Sobig," explains Cooper, noting that some free firewall programs, such as Zone Labs' ZoneAlarm, do police outbound data. However, while beefing up ICF could look like unfair competition to Zone Labs and other third-party firewall makers, Cooper deems the risk well worth taking: "Microsoft could make big points with consumers by giving them a really decent firewall and taking the heat from the Department of Justice."
PC users have swallowed security pills before. America Online users have long endured lengthy, mysterious downloads when logging off. Top antivirus utilities rely on automatic signature updates to catch the latest viruses; the best packages enable these updates by default. But outcries over potential privacy issues related to product activation in Windows XP and Office XP show that computer users don't want a software vendor snooping around their PCs--especially when that vendor is Microsoft.
The company would do well to fix its often buggy Windows Update system. Subscribers to Microsoft's Windows Update newsgroup report a litany of glitches that often prevent the patches from installing. Even worse, Cooper says, Windows Update told some users the RPC patch was installed, when in fact it was not. Even experts like Cooper can't easily tell if an update is really installed, due to obscure Registry, file, and log file changes. But, Cooper notes, patches rarely trouble most people--"say, 1 out of every 100 or so."
Privacy consultant Richard M. Smith says that before making updates automatic by default, Microsoft should disable many of Windows' potentially flawed, and often nonessential, component software services. For example, the Messenger service allows network administrators--and spammers--armed only with a PC's IP address to pop up text message windows from any remote computer.
Smith doesn't believe that Microsoft can make its developers as passionate about security as they are about features. "I don't think they have what it takes, culturally, to write more-secure software." Until that changes, Windows users must patch and bear it.