Microsoft Weighs Automatic Security Updates as a Default

Dom · Aug 20, 2003, 01:09 AM

Microsoft Corp. executives, digging out from the aftermath of an unwelcome Internet worm that wriggled into 500,000 of its customers' computers last week, say that it is time to consider making software updates automatic for home users of the Windows operating system.

The company is "looking very seriously" at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them, said Mike Nash, corporate vice president of Microsoft's security business unit.

"The feedback we got when we did XP a few years ago was 'I don't want Microsoft automatically putting things onto my machine,' " Nash said. "What we're finding now is that through a combination of the availability of broadband and customers wanting to stay up to date with security patches, and, most importantly, considering the kinds of threats out there now, that customers want us to keep them up to date automatically -- not just by downloading the patches for them but installing them as well."

The next version of Windows, which analysts expect to be completed in late 2004, could be the first to let the Auto Update feature download patches from Microsoft without requiring the user's explicit approval. Microsoft is also considering whether to make the Auto Update mandatory earlier, through an interim upgrade known as a service pack.

A final decision to make the feature mandatory for home users has not yet been made, but one Microsoft executive called it "the ideal solution." Microsoft sent out a "critical update" e-mail July 16, alerting its customers to the "Blaster" worm, but many ignored the warning until the worm began spreading rapidly last week. The company has no plans to consider forcing business users to install patches, because most companies are reluctant to do so. Some patches interfere with existing programs.

But even some of Microsoft's staunchest critics say it is probably time to require users to download patches.

"I have always been a fierce enemy of the Microsoft update feature, because I just don't like the idea of someone else -- particularly Microsoft -- controlling my system," said Bruce Schneier, co-founder of Counterpane Internet Security Inc. "Now, I think it's great, because it gets the updates out to the non-technically savvy masses, and that's the majority of Internet users. Security is a trade-off, to be sure, but this is one trade-off that's worthwhile."

Microsoft will need to invest heavily in working the bugs out of the update feature, said Alan Paller, research director for the SANS Institute, a security research and training group in Bethesda. For the most part, the Auto Update feature is deployed only on Windows 2000 and Windows XP systems.

"I like the automated patching system, but the real solution is to make it mandatory except for users who actively take responsibility for securing their systems," Paller said.

Harris Miller, president of the Information Technology Association of America, applauded Microsoft for considering the move.

"People are going to have to accept mandatory updates as part of the warranty process, and that's exactly what Microsoft should be doing," Miller said. "You can't just send out a recall notice and hope that people come into the shop and do their maintenance."

Privacy advocates, however, call mandatory updates unwelcome, and Microsoft officials privately concede that those fears were one of the reasons it made Auto Update optional. Some technology experts fear Microsoft could use mandatory updates to silently upload changes to the operating system that could give the company rights to block access to certain programs or content.

After Microsoft shipped its first service pack to the Windows XP operating system last fall, many users balked, saying the consumer notice included in the patch gave Microsoft the right to check product versions and block some programs. Microsoft said it merely clarified the company's ability to verify product information and provide accurate updates and that no personal information would be collected or stored.

Seth Schoen, staff technologist for the Electronic Frontier Foundation, said Microsoft would need to explain in a clear way exactly what users were downloading and give them a chance to decline.

"The argument for changing the way Auto Update works certainly seems strong, given current events," Schoen said. "But I think a lot of users would no doubt find it very disturbing if their computer was just phoning home each day without having any way of finding out what exactly is being changed."

Microsoft also will begin shipping new versions of Windows XP with the built-in firewall activated by default, said Steve Lipner, director of the company's security engineering strategy.

Current home and business XP editions require users to configure the firewall themselves.

______________________
Source: WashPost

EcPercy · Aug 20, 2003, 05:39 AM

never, never, nerver allow any automatic updates if you are a systems admin... the worst thing that could happen is that you migrate to windows 2003 enterprise server and leave automatic updates on and get a call in the middle of the night that the server is continuously rebooting ... bleh... then 5 hours later after rebuilding the raid array you are back in business... not good

Aug 20, 2003, 01:09 AM	#1
Dom DriverHeaven Extreme Member Join Date: Jun 2002 Posts: 12,940 Rep Power: 0	Microsoft Weighs Automatic Security Updates as a Default Microsoft Corp. executives, digging out from the aftermath of an unwelcome Internet worm that wriggled into 500,000 of its customers' computers last week, say that it is time to consider making software updates automatic for home users of the Windows operating system. The company is "looking very seriously" at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them, said Mike Nash, corporate vice president of Microsoft's security business unit. "The feedback we got when we did XP a few years ago was 'I don't want Microsoft automatically putting things onto my machine,' " Nash said. "What we're finding now is that through a combination of the availability of broadband and customers wanting to stay up to date with security patches, and, most importantly, considering the kinds of threats out there now, that customers want us to keep them up to date automatically -- not just by downloading the patches for them but installing them as well." The next version of Windows, which analysts expect to be completed in late 2004, could be the first to let the Auto Update feature download patches from Microsoft without requiring the user's explicit approval. Microsoft is also considering whether to make the Auto Update mandatory earlier, through an interim upgrade known as a service pack. A final decision to make the feature mandatory for home users has not yet been made, but one Microsoft executive called it "the ideal solution." Microsoft sent out a "critical update" e-mail July 16, alerting its customers to the "Blaster" worm, but many ignored the warning until the worm began spreading rapidly last week. The company has no plans to consider forcing business users to install patches, because most companies are reluctant to do so. Some patches interfere with existing programs. But even some of Microsoft's staunchest critics say it is probably time to require users to download patches. "I have always been a fierce enemy of the Microsoft update feature, because I just don't like the idea of someone else -- particularly Microsoft -- controlling my system," said Bruce Schneier, co-founder of Counterpane Internet Security Inc. "Now, I think it's great, because it gets the updates out to the non-technically savvy masses, and that's the majority of Internet users. Security is a trade-off, to be sure, but this is one trade-off that's worthwhile." Microsoft will need to invest heavily in working the bugs out of the update feature, said Alan Paller, research director for the SANS Institute, a security research and training group in Bethesda. For the most part, the Auto Update feature is deployed only on Windows 2000 and Windows XP systems. "I like the automated patching system, but the real solution is to make it mandatory except for users who actively take responsibility for securing their systems," Paller said. Harris Miller, president of the Information Technology Association of America, applauded Microsoft for considering the move. "People are going to have to accept mandatory updates as part of the warranty process, and that's exactly what Microsoft should be doing," Miller said. "You can't just send out a recall notice and hope that people come into the shop and do their maintenance." Privacy advocates, however, call mandatory updates unwelcome, and Microsoft officials privately concede that those fears were one of the reasons it made Auto Update optional. Some technology experts fear Microsoft could use mandatory updates to silently upload changes to the operating system that could give the company rights to block access to certain programs or content. After Microsoft shipped its first service pack to the Windows XP operating system last fall, many users balked, saying the consumer notice included in the patch gave Microsoft the right to check product versions and block some programs. Microsoft said it merely clarified the company's ability to verify product information and provide accurate updates and that no personal information would be collected or stored. Seth Schoen, staff technologist for the Electronic Frontier Foundation, said Microsoft would need to explain in a clear way exactly what users were downloading and give them a chance to decline. "The argument for changing the way Auto Update works certainly seems strong, given current events," Schoen said. "But I think a lot of users would no doubt find it very disturbing if their computer was just phoning home each day without having any way of finding out what exactly is being changed." Microsoft also will begin shipping new versions of Windows XP with the built-in firewall activated by default, said Steve Lipner, director of the company's security engineering strategy. Current home and business XP editions require users to configure the firewall themselves. ______________________ Source: WashPost

Aug 20, 2003, 05:39 AM	#2
EcPercy HardwareHeaven Senior Member Join Date: Jul 2002 Location: Iraq Posts: 1,535 Rep Power: 64	never, never, nerver allow any automatic updates if you are a systems admin... the worst thing that could happen is that you migrate to windows 2003 enterprise server and leave automatic updates on and get a call in the middle of the night that the server is continuously rebooting ... bleh... then 5 hours later after rebuilding the raid array you are back in business... not good