[ISN] Windows Patches and the Dial-Up Problem

From: InfoSec News (isnat_private)
Date: Wed Sep 17 2003 - 01:21:05 PDT

  • Next message: InfoSec News: "[ISN] MSU lining up computers to fight virus"

    http://www.eweek.com/article2/0,4149,1267897,00.asp
    
    By Larry Seltzer 
    September 12, 2003   
    
    During the run-up to Blaster, in the period when we all expected an
    exploit to strike any minute, I was visiting friends. They had one
    computer, a Windows XP Home box, with only an AOL dial-up line. One
    night I went online to check the latest sports scores, my curiosity
    got the better of meó and I just had to check Windows Update. Oops!  
    Forget anything else, this was going to take a while.
    
    If you don't pay regular attention to patching Windows, then you could
    easily find yourself with tens of megabytes of downloads to install.  
    And if you have only one phone line, don't expect the phone to be
    ringing for a long time. Over two consecutive nights, I set their
    machine to download patches until morning and that basically did the
    job. Still, a couple of extra downloads were necessary because the
    installations needed to be done separately.
    
    At the same time, it's worth noting that there were still options
    available on the Windows Update site, such as the .NET Framework, that
    I didn't choose to install because these programs are unnecessary for
    such users. Now, I knew to make that choice, but I don't think my
    friends could have.
    
    While broadband is spreading rapidly, there are still a whole lot of
    folks who use dial-up, and many who have no broadband options
    available. Because the slow connections make it impractical for
    dial-up users to stay up to date on security patches, it's highly
    likely that a large percentage of them are out of date. This situation
    is a continuing security problem for all internet users and
    businesses.
    
    Broadband customers have a plethora of features to customize their
    patching experience. Automatic Updates will check for available
    updates from Microsoft's site and download them in the background,
    letting you know when they are available for installation. You can
    even schedule the system to install downloaded updates at some
    predetermined time, say 3 o'clock in the morning.
    
    However, there is no way to schedule the system to go out and retrieve
    the updates, which can be installed at some point. The closest thing
    to a workable solution for dial-up users is to leave the connection on
    at all times and then use Automatic Updates to eventually download
    what you need.
    
    It occurred to me that one way to make things easier for dial-up
    users, and even broadband users in many cases, would be to issue
    periodic update CDs. Imagine a disc with all of the updates on it and
    a program, it could even be written in Windows Script Host, to check a
    system for which updates need to be installed, apply them in the
    correct order and even reboot in between. Such a program would not be
    hard to write.
    
    Microsoft could charge a trivial amount for the discs but it would be
    better just to give them away and encourage users to pass the discs
    around when they were done. At that point you'd still need to check
    Windows Update for recent additions, but it's unlikely you'd have an
    unbearably long download time. In fact, the CD could launch Windows
    Update at the end of its script. I often set up computers for testing
    and a disc like this would be a great convenience. But think of how
    much easier it would make life for dial-up users.
    
    I recently put this suggestion to Microsoft and their response
    basically avoided the whole issue. Why wouldn't the company want to
    offer such a CD, assuming that's the motivation behind their
    stonewalling?
    
    Some might suggest that such an update CD would make it harder for
    Microsoft to check if you're running a pirated copy of Windows.  
    Perhaps there are better reasons, and I might know them if Microsoft
    had offered them.
    
    
    Security Supersite Editor Larry Seltzer has worked in and written
    about the computer industry since 1983.
    
     
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Sep 17 2003 - 04:01:01 PDT