[ISN] Windows Patches and the Dial-Up Problem

From: InfoSec News (isnat_private)
Date: Wed Sep 17 2003 - 01:21:05 PDT

    http://www.eweek.com/article2/0,4149,1267897,00.asp
    
    By Larry Seltzer 
    September 12, 2003   
    
    During the run-up to Blaster, in the period when we all expected an
    exploit to strike any minute, I was visiting friends. They had one
    computer, a Windows XP Home box, with only an AOL dial-up line. One
    night I went online to check the latest sports scores, my curiosity
    got the better of me, and I just had to check Windows Update. Oops!
    Forget anything else, this was going to take a while.
    
    If you don't pay regular attention to patching Windows, then you could
    easily find yourself with tens of megabytes of downloads to install.  
    And if you have only one phone line, don't expect the phone to be
    ringing for a long time. Over two consecutive nights, I set their
    machine to download patches until morning and that basically did the
    job. Still, a couple of extra downloads were necessary because the
    installations needed to be done separately.
    
    At the same time, it's worth noting that there were still options
    available on the Windows Update site, such as the .NET Framework, that
    I didn't choose to install because these programs are unnecessary for
    such users. Now, I knew to make that choice, but I don't think my
    friends could have.
    
    While broadband is spreading rapidly, there are still a whole lot of
    folks who use dial-up, and many who have no broadband options
    available. Because the slow connections make it impractical for
    dial-up users to stay up to date on security patches, it's highly
    likely that a large percentage of them are out of date. This situation
    is a continuing security problem for all internet users and
    businesses.
    
    Broadband customers have a plethora of features to customize their
    patching experience. Automatic Updates will check for available
    updates from Microsoft's site and download them in the background,
    letting you know when they are available for installation. You can
    even schedule the system to install downloaded updates at some
    predetermined time, say 3 o'clock in the morning.
    
    However, there is no way to schedule the system to go out and retrieve
    the updates, which can be installed at some point. The closest thing
    to a workable solution for dial-up users is to leave the connection on
    at all times and then use Automatic Updates to eventually download
    what you need.
    
    It occurred to me that one way to make things easier for dial-up
    users, and even broadband users in many cases, would be to issue
    periodic update CDs. Imagine a disc with all of the updates on it and
    a program, it could even be written in Windows Script Host, to check a
    system for which updates need to be installed, apply them in the
    correct order and even reboot in between. Such a program would not be
    hard to write.
    
    Microsoft could charge a trivial amount for the discs but it would be
    better just to give them away and encourage users to pass the discs
    around when they were done. At that point you'd still need to check
    Windows Update for recent additions, but it's unlikely you'd have an
    unbearably long download time. In fact, the CD could launch Windows
    Update at the end of its script. I often set up computers for testing
    and a disc like this would be a great convenience. But think of how
    much easier it would make life for dial-up users.
    
    I recently put this suggestion to Microsoft and their response
    basically avoided the whole issue. Why wouldn't the company want to
    offer such a CD, assuming that's the motivation behind their
    stonewalling?
    
    Some might suggest that such an update CD would make it harder for
    Microsoft to check if you're running a pirated copy of Windows.  
    Perhaps there are better reasons, and I might know them if Microsoft
    had offered them.
    
    
    Security Supersite Editor Larry Seltzer has worked in and written
    about the computer industry since 1983.
    