Tightening The Security Screws In Windows

Is now the time to make On the default setting in Automatic Updates? Security Supersite Editor Larry Seltzer offers that it's clear people won't do the right thing.

Everyone agrees, even me, that education is crucial to make our computer systems more secure. But recent experiences dont paint an optimistic picture. Either were not educating people or education is not working: Too many users still fail to take simple precautions to protect themselves, and many engage in dangerous practices that perpetuate attacks.

The incidents of the past couple of weeks are both illustrative. The Blaster worm succeeded in spite of a massive publicity campaign on the danger of the relevant flaw in Windows and the existence of a patch.

Worse, in monitoring several security mailing lists I saw many users looking for any excuse not to apply the patch. According to conservative estimates, some 500,000 systems were infected with Blaster, and Ive seen much higher estimates. For example, Satellite ISP DirecWay just sent out an e-mail to their customers stating that "approximately 10 to 20 percent of DIRECWAY end-users are infected with the Blaster virus."

Meanwhile, based on the hundreds of Sobig.F e-mails I received in the first 24 hours of this weeks outbreak, clearly users have left themselves wide open to it as well.

Has education failed? Short of making computer hygiene mandatory like drivers education with tests, something on the order of John Dvoraks idea to license computer users, I cant see public education campaigns having any better results than we found with Blaster. And that was completely unacceptable.

If users wont take care of their computers, the unfortunate answer (depending on your point of view) is to do it for them. This is what Microsoft is considering, according to a recent Washington Post article. It states that Microsoft is considering having Windows download and apply security patches automatically.

Check out Microsoft Watchs rundown on and the changes due with the forthcoming Microsoft Installer 3.0 technology.

Currently available in Windows XP and Windows 2000 SP3+, this updating capability is called Automatic Updates and is accessible through the Control Panel System applet. It is turned off by default. (For Windows 2000 Server, Automatic Updates is only aware of patches for the OS, not for important server applications like SQL Server or IIS).

The applet has 3 options if you turn Automatic Updates on:

  • Notify the user that updates are available;
  • Download any updates that are available and notify the user, but dont install them; and
  • Download any updates that are available and install them according to a schedule specified by the user.

So, it sounds as if Microsoft is considering making the third option the default behavior, at least with respect to certain very critical updates, such as the one that prevented the Blaster worm.

Believe it or not, even some experienced admins are unaware of this feature in its current state. A recent eWEEK.com article quotes a network administrator critical of Microsoft for not providing essentially what Automatic Updates provides, especially in conjunction with Microsofts Software Update Services, which basically allows an administrator to set up an internal update server for clients to use instead of the Windows Update site. This administrator said: "The only way its going to happen is automation...Microsoft should provide this free."

Hello. They do.

Just turning patch installation on by default in Windows wont solve every problem, and it could cause more if it were handled badly. For instance, a corporate network wouldnt want end user systems applying these patches themselves. Yet Im sure there will be group policies to turn it off. Such networks have SUS as an alternative. But even many of these sites hadnt applied the Blaster patch after about 4 weeks of urgent warnings, so perhaps they need to be compelled as well.

Another serious problem is dial-up users. Setting up their systems to connect and download megabytes of updates automatically could easily cause serious problems, and yet at the same time these users are part of the problem. Its difficult to see know how the dial-up problem can be solved effectively and reasonably.

Still, as the Washington Post article makes clear, the consensus among experts is changing. The article quotes Bruce Schneier, co-founder and CTO of Counterpane Internet Security Inc. and no friend of Microsoft, as being enthusiastic about the idea. Others are also open now to it, and a representative of the Electronic Frontier Foundation (EFF) is cautious but not opposed.

Prior to our recent experience with Blaster, I am certain all these people would have been aghast at the possibility of Microsoft installing patches on users systems without their explicit permission. Blaster has been a watershed event in computer security.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer