, Washington Post 2003-08-19
Microsoft Corp. executives, digging out from the aftermath of an unwelcome
Internet worm that wriggled into 500,000 of its customers' computers last week,say that it is time to consider making software updates automatic for home
users of the Windows operating system.
The company is "looking very seriously" at requiring future versions of
Windows to accept automatic software fixes unless the user specifically refuses
to receive them, said Mike Nash, corporate vice president of Microsoft's
security business unit.
"The feedback we got when we did XP a few years ago was 'I don't want
Microsoft automatically putting things onto my machine,' " Nash said. "What
we're finding now is that through a combination of the availability of
broadband and customers wanting to stay up to date with security patches, and,
most importantly, considering the kinds of threats out there now, that
customers want us to keep them up to date automatically -- not just by
downloading the patches for them but installing them as well."
The next version of Windows, which analysts expect to be completed in late
2004, could be the first to let the Auto Update feature download patches from
Microsoft without requiring the user's explicit approval. Microsoft is also
considering whether to make the Auto Update mandatory earlier, through an
interim upgrade known as a service pack.
A final decision to make the feature mandatory for home users has not yet been
made, but one Microsoft executive called it "the ideal solution." Microsoft
sent out a "critical update" e-mail July 16, alerting its customers to the
"Blaster" worm, but many ignored the warning until the worm began spreading
rapidly last week. The company has no plans to consider forcing business users
to install patches, because most companies are reluctant to do so. Some patches
interfere with existing programs.
But even some of Microsoft's staunchest critics say it is probably time to
require users to download patches.
"I have always been a fierce enemy of the Microsoft update feature, because I
just don't like the idea of someone else -- particularly Microsoft --
controlling my system," said Bruce Schneier, co-founder of Counterpane Internet
Security Inc. "Now, I think it's great, because it gets the updates out to the
non-technically savvy masses, and that's the majority of Internet users.
Security is a trade-off, to be sure, but this is one trade-off that's
worthwhile."
Microsoft will need to invest heavily in working the bugs out of the update
feature, said Alan Paller, research director for the SANS Institute, a security
research and training group in Bethesda. For the most part, the Auto Update
feature is deployed only on Windows 2000 and Windows XP systems.
"I like the automated patching system, but the real solution is to make it
mandatory except for users who actively take responsibility for securing their
systems," Paller said.
Harris Miller, president of the Information Technology Association of America,
applauded Microsoft for considering the move.
"People are going to have to accept mandatory updates as part of the warranty
process, and that's exactly what Microsoft should be doing," Miller said. "You
can't just send out a recall notice and hope that people come into the shop and
do their maintenance."
Privacy advocates, however, call mandatory updates unwelcome, and Microsoft
officials privately concede that those fears were one of the reasons it made
Auto Update optional. Some technology experts fear Microsoft could use
mandatory updates to silently upload changes to the operating system that could
give the company rights to block access to certain programs or content.
After Microsoft shipped its first service pack to the Windows XP operating
system last fall, many users balked, saying the consumer notice included in the
patch gave Microsoft the right to check product versions and block some
programs. Microsoft said it merely clarified the company's ability to verify
product information and provide accurate updates and that no personal
information would be collected or stored.
Seth Schoen, staff technologist for the Electronic Frontier Foundation, said
Microsoft would need to explain in a clear way exactly what users were
downloading and give them a chance to decline.
"The argument for changing the way Auto Update works certainly seems strong,
given current events," Schoen said. "But I think a lot of users would no doubt
find it very disturbing if their computer was just phoning home each day
without having any way of finding out what exactly is being changed."
Microsoft also will begin shipping new versions of Windows XP with the
built-in firewall activated by default, said Steve Lipner, director of the
company's security engineering strategy.
Current home and business XP editions require users to configure the firewall
themselves.
