Microsoft Weighs Automatic Security Updates as a Default
Brian Krebs, Washington Post 2003-08-19

Microsoft Corp. executives, digging out from the aftermath of an unwelcome Internet worm that wriggled into 500,000 of its customers' computers last week, say that it is time to consider making software updates automatic for home users of the Windows operating system.

The company is "looking very seriously" at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them, said Mike Nash, corporate vice president of Microsoft's security business unit.

"The feedback we got when we did XP a few years ago was 'I don't want Microsoft automatically putting things onto my machine,' " Nash said. "What we're finding now is that through a combination of the availability of broadband and customers wanting to stay up to date with security patches, and, most importantly, considering the kinds of threats out there now, that customers want us to keep them up to date automatically -- not just by downloading the patches for them but installing them as well."

The next version of Windows, which analysts expect to be completed in late 2004, could be the first to let the Auto Update feature download patches from Microsoft without requiring the user's explicit approval. Microsoft is also considering whether to make the Auto Update mandatory earlier, through an interim upgrade known as a service pack.

A final decision to make the feature mandatory for home users has not yet been made, but one Microsoft executive called it "the ideal solution." Microsoft sent out a "critical update" e-mail July 16, alerting its customers to the "Blaster" worm, but many ignored the warning until the worm began spreading rapidly last week. The company has no plans to consider forcing business users to install patches, because most companies are reluctant to do so. Some patches interfere with existing programs.

But even some of Microsoft's staunchest critics say it is probably time to require users to download patches.

"I have always been a fierce enemy of the Microsoft update feature, because I just don't like the idea of someone else -- particularly Microsoft -- controlling my system," said Bruce Schneier, co-founder of Counterpane Internet Security Inc. "Now, I think it's great, because it gets the updates out to the non-technically savvy masses, and that's the majority of Internet users. Security is a trade-off, to be sure, but this is one trade-off that's


Microsoft will need to invest heavily in working the bugs out of the update feature, said Alan Paller, research director for the SANS Institute, a security research and training group in Bethesda. For the most part, the Auto Update feature is deployed only on Windows 2000 and Windows XP systems.

"I like the automated patching system, but the real solution is to make it mandatory except for users who actively take responsibility for securing their systems," Paller said.

Harris Miller, president of the Information Technology Association of America, applauded Microsoft for considering the move.

"People are going to have to accept mandatory updates as part of the warranty process, and that's exactly what Microsoft should be doing," Miller said. "You can't just send out a recall notice and hope that people come into the shop and do their maintenance."

Privacy advocates, however, call mandatory updates unwelcome, and Microsoft officials privately concede that those fears were one of the reasons it made Auto Update optional. Some technology experts fear Microsoft could use mandatory updates to silently upload changes to the operating system that could give the company rights to block access to certain programs or content.

After Microsoft shipped its first service pack to the Windows XP operating system last fall, many users balked, saying the consumer notice included in the patch gave Microsoft the right to check product versions and block some programs. Microsoft said it merely clarified the company's ability to verify product information and provide accurate updates and that no personal information would be collected or stored.

Seth Schoen, staff technologist for the Electronic Frontier Foundation, said Microsoft would need to explain in a clear way exactly what users were downloading and give them a chance to decline.

"The argument for changing the way Auto Update works certainly seems strong, given current events," Schoen said. "But I think a lot of users would no doubt find it very disturbing if their computer was just phoning home each day without having any way of finding out what exactly is being changed."

Microsoft also will begin shipping new versions of Windows XP with the built-in firewall activated by default, said Steve Lipner, director of the company's security engineering strategy.

Current home and business XP editions require users to configure the firewall


Copyright 2010, SecurityFocus