[ISN] Windows Upgrade Causing Campus Headaches

From: InfoSec News (isn@private)
Date: Mon Aug 23 2004 - 23:36:56 PDT


Forwarded from: William Knowles <wk@private>

http://www.washingtonpost.com/wp-dyn/articles/A26111-2004Aug23.html

By Brian Krebs
washingtonpost.com Staff Writer
August 23, 2004

Microsoft Corp.'s decision to release a major upgrade for its flagship
operating system in the same month that hundreds of thousands of
students are reporting to college campuses across the nation is
causing a major headache for the higher education community.

The upgrade, known as Service Pack 2, is designed to patch numerous
gaps in Windows XP, the operating system of choice for an estimated
200 million computer users worldwide. The free update includes
safeguards against spyware and viruses, a hardened Internet firewall
to keep out hackers and upgrades to automate security features and
better alert users to security risks on their personal computers.

Worried that the upgrade could conflict with other applications
running on university networks, and a related concern that thousands
of students attempting to download the software could bring campus
computer networks to a standstill, technology administrators at some
universities have taken steps to block an automatic service that
downloads the software.

"The timing is extremely unfortunate," said Anne Agee, deputy chief
information officer at George Mason University in Fairfax, Va., whose
school is blocking automatic installation of SP2 on all faculty and
staff computers because the update interferes with software that the
university uses to run faculty PCs.

"It wouldn't be so bad if we had gotten this more than a month ago,
because at least then we would have had plenty of time to test it and
make a decision about how we want to correct for this," Agee said.

An extremely large file that could slow networks to a halt if too many
students download it at the same time, SP2 also contains code that
interferes with popular firewall and antivirus programs that many
people run on their computers, according to Microsoft.

Although Windows XP is configured by default to automatically download
the latest patches from Microsoft -- a process that the company turned
on last week -- schools like George Mason are taking advantage of a
Microsoft tool that prevents it from happening.

Alan Paller, research director at the SANS Institute in Bethesda, said
the backlash from schools is somewhat justified.

"The idea that the technology people at these schools view this update
as a threat to their operations is absolutely accurate, as most of
these folks consider forced security upgrades a threat to [network]
reliability and uptime," he said. "This is really a problem of
Microsoft's own design -- not just because of its timing -- but also
because they delivered such unsafe computers in the first place."

While students and faculty can still manually obtain the SP2 download,
blocking the automatic distribution seriously hampers one of the
primary tools Microsoft is using to roll out the security fixes
included in SP2.

Meanwhile, classes at George Mason start the week of August 30, and
university officials are still debating whether to block students from
installing the upgrade. For the time being, Catholic University in
Washington, D.C., has decided to block downloads of SP2, according to
chief information officer Zia Mafaher.

A hundred miles to the south, officials at the University of Richmond
made the same decision.

"Microsoft's timing really couldn't have been worse for us," said
Chris Faigle, a security administrator at the school, where classes
start today. "For the faculty and students, we simply won't be able to
handle all of the additional issues that would almost certainly come
up in addition to just getting the students registered on the
network."

Other schools across the country are taking similar action. The
University of Notre Dame in South Bend, Ind., for example, will bar
its 10,000 students from installing SP2 until it finishes testing the
program on its network, said Gary Dobbins, the school's director of
information. "[We] didn't want SP2 to land on machines here at the
same time the students descend on the campus."

The University of Michigan's medical school is blocking campus
computers from automatically downloading the Microsoft update,
choosing instead to deploy the fix using its own internal computer
servers.

"Our primary concern is the impact this will have on our network and
the length of time it would take to get from Microsoft directly," said
Damon Palyka, a computer security technician at the school.

A number of schools that have built systems to register computers on
their network plan to periodically probe student PCs to ensure they
contain the latest antivirus updates and Microsoft security patches.

But SP2 can interfere with those automatic inspections since it turns
on the Windows firewall, said Jack Suess, chief information officer at
the University of Maryland Baltimore County. So UMBC plans to bar
computers owned by its 4,000 students from automatically downloading
the update until the school is ready to roll out its own tweaks.

"We estimate that between 5 to 10 percent of the student population
will have pretty serious problems after installing this update and
will require help from us," Suess said. "Add that to inquiries from
faculty and staff and allowing this to go forward at move-in time could
be a real challenge."

Microsoft had already delayed a scheduled July release of SP2 so it
could fix several other kinks in the upgrade. The company did not want
to push the release date back again because of the chance that another
severe Internet attack could occur in the meantime, said Matt Pilla,
Microsoft's senior product manager for Windows.


Averting Another Blaster

Computers running Windows XP that are not updated with SP2 will be
more susceptible to catching and spreading Internet worms and viruses
on the school networks, even in the short span of time it takes to
download and install the latest updates.

Computer security experts and Microsoft are anxious to avoid a repeat
of last August, when computers owned by hordes of college students
arriving for the start of the fall semester were infected en masse by
the "Blaster" and "Welchia" worms. The worms generated so much
Internet traffic that some schools were forced to temporarily kick
thousands of students off their networks.

Those schools spent much of the last year designing and testing
homegrown computer applications to ensure that students and faculty
have protections in place on their PCs before they can hook back up to
the networks, said Rodney Petersen, security task force coordinator
for EDUCAUSE, an information technology association for colleges and
universities. The last thing they want, he said, is to introduce a
gigantic package of software onto their systems without conducting
extensive testing first.

Not all schools are so worried. American University in Washington, the
University of Virginia in Charlottesville and the College of William
and Mary are encouraging students to install the upgrade as soon as
possible.

"I think some schools are being somewhat unnecessarily paranoid about
this," said Carl Whitman, American's executive director of
e-operations. "At this point, the bad stuff on the Internet is getting
pretty out of hand and we need whatever help we can get."

Georgetown University will not block Service Pack 2 downloads either,
said spokeswoman Laura Cavender.

Elsewhere, schools such as Brown University in Providence, R.I., and
Davidson College near Charlotte, N.C., are advising students to hold
off installing SP2 for a few weeks, but are not stopping them from
doing so.

Dan Updegrove, vice president for information technology at the
University of Texas at Austin, said his school is advising students to
get the update.

"We want to get it out there as fast as we can," Updegrove said. "The
idea of telling our students to install a patch to block this other
patch -- and then in the event that an Internet attack that would have
been prevented by SP2 surfaces telling them to then please delete the
install anti-patch patch -- that strikes me as a little absurd."


Hurdles to the CD-ROM Solution

Several schools, including Brown and George Mason, planned to
circulate SP2 on CD-ROMs, a move that would allow students to install
the upgrade without connecting to the Internet. Microsoft, however,
last week sent a letter to those schools warning them against
duplicating and distributing the patches without buying an expensive
license that includes the right to install Microsoft programs on
student PCs.

"It is a definite possibility that an enterprising hacker hoping to
harm companies, campuses or personal assets could compromise the
integrity of a disk that has not been created by an Authorized
Replicator," Microsoft wrote. "As a result, Microsoft must take
special precautions when it comes to security updates and how they are
distributed."

Distributing the service pack via CD-ROM, according to EDUCAUSE, could
help schools speed up installs and diminish the chances of campus-wide
Internet sluggishness caused by thousands of student PCs downloading
the update simultaneously; downloading and installing SP2 can take
anywhere from one to three hours with a high-speed Internet
connection.

Microsoft has agreed to give schools one service pack disk for every
50 students on campus, with extra disks costing 32 cents each.
Microsoft said it has received orders for the CD-ROM from
approximately 60 institutions, and that nearly 100,000 CD-ROMs have
already been shipped to schools nationwide.

Some schools, including American University, will not receive them for
another two weeks, though Microsoft said it expects to ship any
ordered discs within five to 12 business days.

"For the vast majority of institutions that have students returning
this week, that's too little too late," said EDUCAUSE's Petersen.


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*


