A Default to Safety

Microsoft must be careful in implementing automatic updating.

August truly deserved the description "the dog days of summer" this year, at least regarding Internet security. The month was easily one of the worst ever in terms of the spread of worms and viruses, with Blaster and SoBig.F dominating headlines. Ideally, code from vendors such as Microsoft would be perfectly secure, and it would be impossible to write viruses—but that won't happen any time soon. Perhaps the talented coders who write these viruses and worms will get a life and decide to do something productive, but we don't hold out much hope for that, either.

Maybe users will pay attention to their systems and patch holes when they become known or at least use workarounds to prevent their systems from being exploited by viruses and worms. But after writing countless articles on how to secure systems and listening to the trials of our readers when they try to get users to patch and secure their systems, we can safely say that some people will never take responsibility for system security.

That's why we are glad to hear that Microsoft is considering changing its Automatic Update feature, which is available in Windows XP, so that by default it will automatically download and install patches as needed. We appreciate that this will not be the case for enterprise users, who can end up with unforeseen problems with some patches. The default Automatic Update setting is intended only for home and small-business users.

In a recent conversation with Steve Lipner, director of security engineering strategy at Microsoft, we were also glad to hear that the Automatic Update default setting will not be mandatory. Users will still have the option to disable automatic updating. According to Lipner, Microsoft is still refining its plans. He said the company is considering deploying the revised Automatic Update in a service pack.

We believe making automatic updating the default setting for home users is a step toward reducing the spread of viruses and worms, although it will not be a cure-all. While the effect of Blaster would have been greatly lessened by the revised Automatic Update, the feature would have had no effect on the spread of the SoBig virus. Microsoft must be careful in implementing automatic updating. It must avoid changing user licensing agreements in updates, where a user never gets a chance to click on OK. This would lower trust in Microsoft at a time when it needs to gain trust.

Microsoft should also immediately triple the amount of testing of patches before they are released to the public. If automatic updating becomes a default setting, any patch that causes more damage than it fixes could be more devastating than any virus for users and could severely reduce Microsoft's chance of gaining their trust.

Send your responses to eWEEK@ziffdavis.com.