Microsoft Security

Microsoft wants Automatic Update for Windows

Edward Dao writes "After the embarrassment of last week's Blaster worm, Microsoft is weighing the possibility of automatic update. Microsoft not only wants to upload the latest patch on to users' computers but also install it for them." This will work out really well for everyone I'm sure. Yikes! Can I at least press 'Ok' first?
  • M$ worm. (Score:1, Interesting)

    by Anonymous Coward on Tuesday August 19, 2003 @09:31AM (#6732067)
    Wouldn't this classify as a worm too? I don't want anything installed on my system without my permission too.

    Nice to see that M$ is in the worm business too.
  • Not such a bad idea (Score:5, Interesting)

    by JohnGrahamCumming ( 684871 ) * <slashdotNO@SPAMjgc.org> on Tuesday August 19, 2003 @09:31AM (#6732068) Homepage Journal
    If you RTFA you'd find that Microsoft is only "looking very seriously" at this idea,
    that it would not apply to business users of XP (since they want careful control
    of the patching of their machines), and that it would be possible to opt-out from
    the automatic updates.

    So if you are a business user you don't get automatic updates, if you are a home
    user of XP that is technically savvy you can turn it off, and if you are a home
    user who is not computer savvy then you are going to get automatic updates. This
    latter group seems like the ideal set of people to get automatic protection.

    John.
  • imagine... (Score:5, Interesting)

    by borgdows ( 599861 ) on Tuesday August 19, 2003 @09:32AM (#6732086)
    if someone breaks into MS WindowsUpdate servers, he could install ANYTHING on millions of computers!

    wow... scary...
  • by Eric Ass Raymond ( 662593 ) on Tuesday August 19, 2003 @09:34AM (#6732115) Journal
    I mean, come on! This article is just a giant honeypot for the unwashed open source masses to bash Microsoft.

    So what is it that you really want?

    Manual updates? "LOLOLOL! M$ users are so stooopid that they can't do even that!".

    Automatic updates? "LOLOLOLOLOL!!! You would let Microsoft to update your systems?! You fool! Why don't you download a Gentoo instead?!"

    Systems that are secure and usable out-of-box? No such thing.

  • by forsetti ( 158019 ) on Tuesday August 19, 2003 @09:37AM (#6732152)
    1) WindowsUpdate needs to become MicrosoftUpdate. This would scan and offer patches for all MS software (OS, Exchange, SQL, IIS, Office, Visual Studio, ....). Also extend SUS to do the same.

    2) Critical Update notification should be done the way OSX does it (with a little configging) -- instead of a tiny little innocuous icon in the system tray, put an obnoxious pop-up in the middle of the screen, with a big "Go Ahead and Install" button, with lots of skull & cross-bone icons.

    3) Create patches using their own packaging structure: MSI. This allows for much simpler deployment and management, via Active Directory. No need to pay for SMS simply for patch deployment.

    4) Supply MUCH MORE documentation to end users, discussing the importance of keeping one's machine patched.

    5) Stop producing such buggy software! =}8v)

    Just my $0.02 ...
  • by thebruce ( 112025 ) on Tuesday August 19, 2003 @09:37AM (#6732156) Homepage
    The main problem is people not knowing, or not caring about patching or updating the problems. This isn't something that's directly manageable by MS. With an OS so widely used, how can updates be ensured to be installed on everyone's machine to stop spreading of viruses and exploits?

    Some will say the user should have the choice... ok, so half the people who couldn't care less will still allow the spreading of the problems...

    Some will say automatic background updating is the only solution... ok, so the majority of people still using low speed connections will bog down their systems, let alone major networks suddenly pulling huge bandwidth when every machine receives the command to update simultaneously...

    And some still complain that even if the update is pushed and you need to say yes or no, it's still infringing on your privacy your own system...

    Is there any way to implement a global, trustworthy, reliable patch service that is accepted by everyone? If not, there's no way to stop the virus spreading, work generating underground from having hay-days at the world's expense...

    And this goes for any OS, not just Windows...
  • Service Packs (Score:5, Interesting)

    by Ratbert42 ( 452340 ) on Tuesday August 19, 2003 @09:42AM (#6732233)
    Anyone remember NT4 Service Pack 6? The first one? The one that broke tcp/ip?
  • by fireduck ( 197000 ) on Tuesday August 19, 2003 @09:43AM (#6732267)
    how often do MS patches actually break things?

    I'm a home user. I've applied every critical update MS puts out. I apply practically everything available on the windows update site (even the beta versions of stuff like movie maker). I have never had a piece of software not work after applying an update. I think I'm a fairly typical home user. MS Office, MS Money, a bunch of games, photo editing software, winamp, random shareware. Stuff most people use. and stuff that has never broken on me.

    Software breaking is definitely a problem, but how often does it really happen? I'd imagine that the likelihood of these people getting a virus / worm is greater than the likelihood of an ms patch breaking a piece of software...
  • by Bronz ( 429622 ) on Tuesday August 19, 2003 @09:49AM (#6732311)
    Tell ya what Microsoft, you can patch my machine automatically as long as I get to sue you the first time an automagic update foos my bar. Yeah, tough call huh?

    You may not know this, but there are a lot of people who don't jump on the latest service packs not because they're lazy, but because they are scared.
  • Nothing New? (Score:2, Interesting)

    by AndyFewt ( 694753 ) * on Tuesday August 19, 2003 @09:52AM (#6732330)
    I thought the Automatic Updating Service in XP Pro already did this. It has the options to download and install, download and let you decide, just tell you there is a patch or of course you can disable it totally... I fail to see how this "new" idea is any different. I thought the XP auto update was set to download and inform by default so perhaps they're just switching the default setting.

    Just have a look for yourself. Control Panel > System > Automatic Updates
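    The four modes the post describes (download and install, download and let you decide, notify only, disabled) are stored as the AUOptions registry value that the Control Panel dialog writes. The script below is an added example, not code from the thread or from Microsoft: it reads that value, lets the Group Policy key override it the way Windows does, and flags the modes in which a patch still waits for the user to click OK. The registry paths and the meaning of the numeric values are the documented Windows Update locations; the labels and the function name are ours, and it assumes a current Windows host with PowerShell 3 or later.

    ```powershell
    # Added example (not from the Slashdot thread): audit the Automatic Updates mode
    # that "Control Panel > System > Automatic Updates" sets, without using the UI.
    # Keys and value names are Microsoft's documented locations; labels are ours.

    $userKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

    # Meaning of the AUOptions DWORD.
    $modes = @{
        1 = 'Automatic Updates disabled'
        2 = 'Notify before download (download and install are both manual)'
        3 = 'Download automatically, notify before install'
        4 = 'Download automatically and install on a schedule'
        5 = 'Policy lets the local administrator choose the setting'
    }

    function Get-AutoUpdateMode {
        # A policy value (local policy or domain GPO) overrides the Control Panel setting.
        $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        if ($policy) {
            if ($policy.NoAutoUpdate -eq 1) {
                return [pscustomobject]@{ Source = 'Policy'; Option = 1; Meaning = $modes[1] }
            }
            if ($null -ne $policy.AUOptions) {
                $opt = [int]$policy.AUOptions
                return [pscustomobject]@{ Source = 'Policy'; Option = $opt; Meaning = $modes[$opt] }
            }
        }
        $user = Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue
        if ($user -and $null -ne $user.AUOptions) {
            $opt = [int]$user.AUOptions
            return [pscustomobject]@{ Source = 'Local setting'; Option = $opt; Meaning = $modes[$opt] }
        }
        return [pscustomobject]@{ Source = 'Not configured'; Option = $null; Meaning = 'No AUOptions value present; the built-in default applies' }
    }

    $mode = Get-AutoUpdateMode
    '{0}: AUOptions={1} -> {2}' -f $mode.Source, $mode.Option, $mode.Meaning

    # Modes 1-3 all leave the install step to the user, which is the gap the thread is arguing about.
    if ($mode.Option -in 1, 2, 3) {
        Write-Warning 'Patches are not installed automatically on this machine.'
    }
    ```

    Run it in an elevated or a normal session; both keys are world-readable. On a domain-joined machine the Policy branch is usually the one that answers, which is exactly the business-user carve-out discussed upthread.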
  • by BiggerIsBetter ( 682164 ) on Tuesday August 19, 2003 @09:57AM (#6732373)
    Good point. Surely this would blow off any EULA type update licenses. How can you agree to an automatic update you didn't even know about?
  • patch reliability (Score:4, Interesting)

    by jdvernon1976 ( 242485 ) on Tuesday August 19, 2003 @09:57AM (#6732374)
    Let's assume for a moment that everyone's fine with Microsoft deciding you need to patch your system. Your home machine downloads the patch and installs it and your machine reboots - you're patched.

    Those of us that work as sysadmins/netadmins/DBAs at various companies know that when Microsoft puts a patch out on Windows Update, it's not necessarily tested out to completion. That's part of why patches take so long to proliferate - dependable administrators test them in-house, instead of depending on MS's testers. Let's face it...if Microsoft's Quality Assurance team were so sharp (or listened to - it can't ALL be their fault), many of the after-the-fact patches wouldn't be necessary.

    Is Microsoft going to take responsibility for auto-installed patches that a) don't work b) make situations worse? Or are they going to take the stance of "The user could've refused our auto-install, but they didn't - they knew the risks."

    We all know how hard it can be to opt-out of spam - how difficult will Microsoft make it to opt-out of auto-installed patches...and for those of us that can't/don't, how sure are we that it won't make things worse?
  • I love home users. (Score:5, Interesting)

    by BoomerSooner ( 308737 ) on Tuesday August 19, 2003 @10:00AM (#6732390) Homepage Journal
    I have several people who use a web based service from my company that runs on Windows 2000 Server. I check for patches daily and install them as soon as I do a full backup (in case it shits out the whole system).

    My users kept calling saying "You have that Blaster Worm on your system because every time I try to connect my computer dies!". So I explain to them my systems have been patched for that exploit for over a month and I have run all the proper testing software to verify. I then ask if they have AntiVirus software installed and their reply is "I don't know.". Lol, I don't know, so it must be my server! I immediately tell them to invest in a copy of Norton Antivirus and Norton Firewall.

    Ah, the world of windows.

    The funny thing is if these same people were running linux they would be logged in as root and still execute whatever script someone sent them. I'm not too sure Linux would be any more secure than Windows because in windows you can also run as just a User. However, when doing that a significant number of poorly designed programs will not work.
  • by kaan ( 88626 ) on Tuesday August 19, 2003 @10:07AM (#6732416)
    ahem, I think you left a few off...

    - Check for Yahoo, AOL, IRC, etc. clients, as well as Jabber and Trillian, disable and cancel the user accounts, and re-enable with the new MSN client. Update registry so that system will no longer boot if MSN is tampered with.

    - Check for the presence of Opera, Mozilla, other browsers, disable and delete them, then modify the registry so that their installers will no longer work, then reinstall Internet Explorer with fully idiotic preferences set as defaults, and provide support for a whole new set of web "standards" that only Microsoft will ever use.

    - Filter through user's bookmarks and delete any bookmarks that match any of the following criteria: a) bookmark points to competitor's web site, b) bookmark points to web site that sell competitors products, c) bookmark points to site that mentions any competing product, or d) bookmark points to site that employs or otherwise associates with one or more individuals who currently, or have in the past, made use of or considered using a competing product.

    - Remove all versions of email clients other Outlook. If user does not have Outlook or any other Office products currently installed, go ahead and continue removing other email clients, but after that's finished force the user to purchase a copy of Outlook because it's the only "safe" email client for Windows

    - Check to see if user has updated their system prefs to show file extensions in the Explorer windows. If so, set it to false so that file extensions are no longer shown because that's really more "secure"

    Did I get them all?
  • Re:M$ worm. (Score:5, Interesting)

    by Frymaster ( 171343 ) on Tuesday August 19, 2003 @10:11AM (#6732436) Homepage Journal
    I don't want anything installed on my system without my permission too.

    well, technically you give permission when

    1. you agree to the eula
    2. you don't activate the opt-out option

    i agree that not knowing what's getting put on your machine is irksome, but this idea has sprung from two problems that everyone here is very aware of:

    1. people don't do their patches! blaster is all over the news yet a casual poll of my non-geek friends (the windows ones at least) showed that only one had done the patch!
    2. joe avg. user doesn't know what half this stuff is anyway? he can get an "agree?" box but he doesn't know what he's agreeing to anyway. the thinking is that the savvy will go for the opt out.

    now, having said that, i hate the idea on principle... but i can understand why redmond thinks it's a good idea. they're taking a beating in the press over security and they've determined that the real problem (rightly or wrongly) is the end user - so now they have a "solution"

  • by Richthofen80 ( 412488 ) on Tuesday August 19, 2003 @10:13AM (#6732453) Homepage
    The major problem with software distributions such as windows is that the entire OS thrives on the 'one click' philosophy. One-click update, one-click install, and one click virus infection. People are so used to windows giving them one click 'Ok' windows that they end up clicking Ok and worrying later. 90% of regular office users end up clicking okay to almost anything and installing spyware, viruses, etc.

    Windows needs to 'brand' the update procedure; make it so obvious and un-repeatable by other apps, so that users are not duped.
  • by Jucius Maximus ( 229128 ) on Tuesday August 19, 2003 @10:19AM (#6732480) Journal
    "How is this any different then the scheme they're using now? By default, automatic update is enabled for Windows. "

    The current scheme requires users to still click OK on the update.

    Keep in mind that 99% of users just want to use the computer and not worry about having to keep everything patched up and secure. They just want some sort of 'fire and forget' type solution that they just install and forget about it. This is why crap like Norton CrashGuard and such sells so well.

    I think that the automatic updates that don't require any confirmation is actually a good thing for typical end users.

    "I didn't see anything anywhere in the article that said business users or technically savvy home users would be given the option of disabling the forced update."

    And as to being able to turn it off:

    "The company is "looking very seriously" at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them, said Mike Nash, corporate vice president of Microsoft's security business unit." (emphasis mine)

    Any user who knows anything will turn it off by some setting in the control panel. But since 99% of users will use the default settings for everything, all the masses will get patched whether they know what that means or not and people like you and me can still turn the cranks manually and remain in control. I have no problem with that. (But I will laugh if some spyware hijacks the auto-updater to download more spyware or spambots or something.)

  • by ebuck ( 585470 ) on Tuesday August 19, 2003 @10:25AM (#6732512)
    I didn't bother to patch my office machine against MSBLASTER, and why should I?

    I've been stripped of most of the permissions to admin my own machine because the internal IT support has been centralized. That means a few people service the rest of us in a way that generally has the good of the company in mind.

    That said, if they take away my permission to do it, and they get caught with their pants down, why do they expect us all to run software locally on our own machines to fix the latest problem X? It's because obviously these people do not have enough resources to support a network of our size.

    If it wasn't the veil of "computers" clouding the issue, I bet someone upstairs would have corrected the logic of, "If they can't do their own job, we can get the whole company to waste a bit of time to help them out."

    Certain systems require certain amounts of support, but this is not an OS issue. It's just more pronounced in systems that require more man hours to keep on the bleeding edge of security.
  • make it the default (Score:3, Interesting)

    by mboedick ( 543717 ) on Tuesday August 19, 2003 @10:40AM (#6732598)

    I don't think it's a horrible idea to make automatic silent updates the default. After cleaning up some of my relatives' machines after the Blaster worm, I set them all to automatic updates. Yes, there is a chance that an update might break something, but this chance is far less than the chance of another exploit or worm trashing the system.

    They just don't understand it at all and as the person who gets called when there is a problem, I'll take any proactive measures that I can to make sure things continue running smoothly.

  • by crazyphilman ( 609923 ) on Tuesday August 19, 2003 @10:46AM (#6732645) Journal
    Well, I'm a developer, and I run Windows 2000 professional at home, with IIS and Visual Studio .Net installed. Wanna talk about patches breaking stuff? Here's my list of woes (noting that Linux has never given me this kind of trouble):

    1. If you install the O/S, then patch it, and THEN try to install Visual Studio, the Visual Studio installer crashes. The problem seems to be that if you install Microsoft's updated .Net packages before Visual Studio, Visual Studio can't handle that and it chokes.

    2. If you install the O/S, then Visual Studio, then Norton Internet Security (kind of important on a windows 2000 box, which doesn't have an integrated firewall), then try to update Norton and Windows, WHICH OUGHT TO WORK, Norton will update fine, Windows Update will crash several times, and the end result will be your IIS will stop working, so your Visual Studio won't be able to create VS.Net projects. I think this might be related to a recent patch, because it didn't happen before Service Pack 4 came out.

    3. If you have a recent copy of Roxio's CD burning software, it'll stop working after you update Windows. The app will start up, but it'll crash as soon as you insert a CD-RW into the drive. I've updated the software from the Roxio site, too, hoping that would help (no luck). It's got to be something in one of the windows patches. So, patch windows or burn CDs! You seem to have to choose one or the other. Older, no longer available copies of Roxio seem to keep working, so if you get a Rio Volt MP3 Cd-player, you can install the older software off of their disk (warning: this might not be true anymore).

    5. Windows patches keep restoring MS Outlook Express! If I kill it off, it keeps coming back like a friggin' vampire. It's the undead, unwanted email app. Actually, the only easy way I've found to kill it is to change the security on the Outlook Express folder so that no one has read-write privileges, then boot from a floppy and clean the thing out. This way, Windows can't keep putting the files back (Grr... Windows puts 'em back THREE SECONDS after you delete them, otherwise!).

    Ugh. I hate Microsoft. And, I'm a programmer who uses that platform! What does THAT tell you? ;)

  • by aliens ( 90441 ) on Tuesday August 19, 2003 @10:52AM (#6732700) Homepage Journal
    I applied all critical fixes to a friend's computer. Suddenly his NIC was not recognized. Uninstalled all critical patches didn't bring it back. It works fine on a base install of XP.

    But just imagine, you go to use your computer and boom, no more internet. Now you call your techie friend, he/she asks "What did you install recently?" Nothing that you know of, making both your lives that much more difficult.

  • by DanMc ( 623041 ) on Tuesday August 19, 2003 @10:56AM (#6732778)
    I'm sure these customers didn't know they had a problem with their PCs. That was the first fact that caused the worm to be a problem. The fact that the computers weren't patched was secondary. Instead of pushing the patches, why not be more aggressive about notifying customers, and giving us better tools to patch and scan? Asking millions of users to pull updates ALL THE TIME, or turn on an automatic pull where there are only 3 configuration options is a real lack of choice. There are lots of things in between that can be tried.

    If I were a home XP user, and I saw a notification, "Message from Microsoft Security: Due to a problem recently found in WinXP, You are at high risk of being hit with an intrusive virus or worm. Here is a web site with details. Here is a 1-800 number with details. To correct the problem now, press Ok." Supposing MS did give home users this easy to use scan, notify, patch utility, the only reason they would not use it is if the EULA were too scary. This is easy to fix. Put a big splash screen with "Absolutely no Information is gathered and Sent to Microsoft. To see how this tool works, click here. Microsoft will never change this policy without your consent. (Like we did with WindowsUpdate)"

    We shouldn't have to wait long to see an analysis of Blaster, but I am going to guess that the majority of infection vectors came from business or academic Win2000 installations. WinXP systems crashed so much, they weren't efficiently spreading the worm. So corporate tools to fill this middle ground need to be improved. The hard to learn and use tools like IIS lockdown, hfnetchk, etc need to be seriously overhauled.

    At work, I would love to have a non-web-based WindowsUpdate SCANNER, and a separate PATCHER. They'd be easy to use with a GUI, but also have command line options so they could be used in scripts. (SUS isn't what I'm talking about, because it is browser based, and the process is still a pull. The only way you can push an important update is to go to each server, or set the servers' auto-pull frequency really high.) I also wonder if MS is afraid that making system maintenance too easy might cut in to their SMS server sales?
  • by chrismg2003 ( 687481 ) on Tuesday August 19, 2003 @11:00AM (#6732846) Homepage
    simply do an add deny tcp and add deny udp in ipfw on ms's address on your gateway and you don't have to worry about it.
  • Re:oh yeah? (Score:5, Interesting)

    by killthiskid ( 197397 ) on Tuesday August 19, 2003 @11:01AM (#6732856) Homepage Journal

    Valid points... but we're talking lesser of two evils here. I would much rather see a single user of a computer have problems (due to firewall, updates) than their unpatched machine causing problems for more than one user.

    We can't have it both ways... right now windows is set for ease of use over security... and having auto-updates and a firewall will move them towards the security side of things and away from ease of use... but isn't that what we've been bitching about for years?

  • by EvilTwinSkippy ( 112490 ) <{yoda} {at} {etoyoc.com}> on Tuesday August 19, 2003 @11:03AM (#6732905) Homepage Journal
    The funny thing is if these same people were running Linux they would be logged in as root and still execute whatever script someone sent them.

    I definitely hear that. In fact Lindows operates in precisely this manner.

    I am increasingly convinced that our enemy is not Microsoft, or even SCO. Our enemy is cluelessness. If we could somehow impart the masses with an infinitesimal fraction of our sense of the big picture most of our problems would disappear.

    When I say "our" I mean all computer professionals. I don't give a rat's ass what kind of Guru you are, Networking, Windows, Linux, BSD, Mac, or PDP-11. We all share a chunk of "the clue". It is our duty to impart "the clue" onto others, without bias, and without favoring any particular implementation.

    What is the best way? I don't know. I can only shoot off a few half-baked ideas. My front-running suggestion is take an example from Mythology.

    Think about it. How many people do you know who never change their oil, yet decorate for Christmas, throw salt over their shoulder after spilling it, and avoid black cats and ladders? Imagine a computer mythology complete with ritual, dogma, and superstition. The masses already have developed their own misguided rituals, we should just go ahead and publish a book on the proper ones.

    Think about how complete a job all of the Greek gods did to explain about weather, war, death, and fate. These are REALLY tough concepts even today. And yet, by putting names on them, giving them personalities, and endowing these creations with a sense of power people bought into it.

    Of course, you should encourage those who show a natural aptitude to study computers in the conventional hacker sense. More or less the same way wizards always seemed to be operating on a different level than average folk.

  • by Dark Lord Seth ( 584963 ) on Tuesday August 19, 2003 @11:07AM (#6732974) Journal
    No Updates Were Installed

    The following items failed to install. To try installing them again, click Review and install updates, and then click Install Now again.

    818529: June 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1
    330994: April 2003, Security Update for Outlook Express 6 SP1
    Security Update for Windows 2000 (823980)
    823559: Security Update for Microsoft Windows
    816093: Security Update Microsoft Virtual Machine (Microsoft VM)
    814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP)
    Security Update, February 13, 2002 (MSXML 3.0)

    I like to think that I'm the only person where Windows Update consistently fails HORRIBLY but that'd be naive. At least I tried to apply every critical update. It somehow fails to download the files required. Good thing I got a decent firewall up and running because even the MS patching system is horribly shit. Ah well, that's the first thing to break down on a fresh (less than a week old) Win 2000 install.

    This also raises another question: How many people were affected by the worm because Windows Update simply fucked up for them? Even if WU would die on updating for even 1% of all users, how many people would it affect then? I only just found another way to manually download the patches to see if that'll work. Oh and this isn't the first time Windows Update fucks up. I've had it crash PCs, screw up installations and I've made it successfully install the same patch 5 times in a row.

    Woot for Windows Update! Adding another weak link in an already fragile chain which is Windows security!

  • Yes, But Not MS (Score:3, Interesting)

    by 4of12 ( 97621 ) on Tuesday August 19, 2003 @11:12AM (#6733052) Homepage Journal

    I think forced immunization of vulnerable open machines on the network is a good idea, under the right conditions.

    After public notification of the nature of the vulnerability.

    After a patch has been made available and notices posted, sent out.

    After a user or sysadmin keeps their machine unpatched and exposed.

    After a second warning has been posted, sent that forced patching will occur.

    Then, and only then, a worm-delivered patch should be administered.

    But it should not be administered by MS, though they were responsible for the vulnerability.

    MS is a profit oriented business, whose goals include many actions directed towards increasing their own profit in the long and short term, as well as fixing software that users have bought from them.

    No. It should be the role of people responsible for network health, because that is the public good that is impacted. As a public, non-profit entity, they would be free of conflict of interest, financial considerations. If MS were to administer remote administration in this way, they would be opening themselves up to conflicts of interest, particularly because of the monopoly market position they hold.

  • by bourne ( 539955 ) on Tuesday August 19, 2003 @11:20AM (#6733198)

    So who is held accountable when the latest patch breaks something and causes loss of data?

    The same someone who is held accountable when the default OS installation is insecure and the system is compromised by a 2-bit, brain-dead worm.

    That would be... um... hmm... lessee... ah... tumbleweeds blow by in the hot desert wind... nobody, and certainly not Microsoft.

    You can be sure that whatever legalese is in the EULA puts the responsibility squarely on the administrator, where it belongs. If they don't choose to disable auto-patch, then they undertake that risk voluntarily.

  • Re:M$ worm. (Score:5, Interesting)

    by SmallFurryCreature ( 593017 ) on Tuesday August 19, 2003 @11:22AM (#6733234) Journal
    People undertake training and a test to verify that they can drive a car. How many people die on the road each year due to people being incapable of handling their car? So much for testing people.

    What I find really odd is that we treat computers so differently from the real world. If a real product is found to have a defect then a recall notice is published in all major newspapers (in Europe, don't know about rest of world) and you can return the faulty product for either a replacement or your money back.

    Granted if software companies had to do it this way they would all have gone bust. Or maybe they would invest in real testing. Real testing is not to see if something works but to see if you can break it. When I hear excuses like people using the product wrong as an explanation for bugs I get pissed off. You are not supposed to bite the nose of a teddy bear and then swallow it. Nonetheless this is exactly what is tested against. A product should be safe to use or clearly labelled to indicate who it shouldn't be used by.

    I think it says it all that unlike almost everything we buy in the Netherlands, software is not tested by a government/independent organisation. Everything else is. Clothes, cars, books, movies, toys, furniture, food etc etc. But software and hardware are not.

    Think this is a strange notion to test software by a central organisation? This is what all the consoles do for their software. Oh and please don't mention MS certification, these are just logos you can buy.

  • Two good examples (Score:5, Interesting)

    by TheConfusedOne ( 442158 ) <the@confused@one.gmail@com> on Tuesday August 19, 2003 @11:24AM (#6733260) Journal
    SP 6 broke Lotus Notes servers thus 6a came out.

    Even worse, SP 2 installed over a network failed. Failed badly. It did something horrible to the ntfs.sys file IIRC. This meant that the box would blue screen on boot and be irrecoverable if you had an NTFS partition.
  • Uptime (Score:5, Interesting)

    by ka9dgx ( 72702 ) * on Tuesday August 19, 2003 @11:29AM (#6733332) Homepage Journal
    I remember the last big M$ push when they were saying how great their Uptime was. 99.9999%?

    If I have to reboot my servers every time a major bug hits (3 times/year) for 5 minutes, that's bad enough. (99.9971% availability) If I have to reboot the servers every week, now we're down to 99.95% uptime.

    This, of course, doesn't count downtime or technical support issues caused by workstations missing their server connections, or the patches that didn't happen in time, or any of the various other factors that help kill capitalism, and endanger our National Security.

    --Mike--
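    Mike's numbers come from one formula (availability = 1 minus downtime over the year), and it is worth seeing the same formula run the other way: how much downtime a quoted number of nines actually leaves for reboots. The script below is an added example, not code from the post; it assumes a 365-day year and that planned reboots are the only downtime, which is the simplification Mike also makes.

    ```python
    # Added example (not from the thread): availability arithmetic for planned reboots.
    # Assumes a 365-day year and that reboots are the only source of downtime.

    MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600


    def availability_pct(reboots_per_year: int, minutes_per_reboot: float) -> float:
        """Availability in percent when the only downtime is planned reboots."""
        downtime = reboots_per_year * minutes_per_reboot
        return 100.0 * (1 - downtime / MINUTES_PER_YEAR)


    def downtime_budget_minutes(availability: float) -> float:
        """Minutes of downtime per year that an availability figure (e.g. 99.9999) permits."""
        return (1 - availability / 100.0) * MINUTES_PER_YEAR


    def reboots_allowed(availability: float, minutes_per_reboot: float) -> int:
        """Whole reboots of the given length that fit inside that downtime budget."""
        return int(downtime_budget_minutes(availability) // minutes_per_reboot)


    if __name__ == "__main__":
        # The two schedules from the post: three 5-minute reboots a year, then one a week.
        for label, n in (("3 reboots/year", 3), ("weekly reboots", 52)):
            print(f"{label:>15}: {availability_pct(n, 5):.4f}% available")
        # The six nines Mike quotes, measured against the same 5-minute reboot.
        budget = downtime_budget_minutes(99.9999)
        print(f"99.9999% allows {budget * 60:.1f} seconds of downtime per year, "
              f"i.e. {reboots_allowed(99.9999, 5)} five-minute reboots.")
    ```

    Six nines is about 31.5 seconds a year, so a single 5-minute patch reboot already blows the budget; the gap between the marketing figure and a monthly patch cycle is the point Mike is making.
    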

  • Re:M$ worm. (Score:2, Interesting)

    by i_really_dont_care ( 687272 ) on Tuesday August 19, 2003 @11:30AM (#6733355)
    I don't want to stick up for MS or anything but the problem is the user. If there is a patch available and the user doesn't install it then it is the user's fault (even if the user is ignorant).

    Wrong. There is absolutely no excuse for

    a) opening this port AS DEFAULT for Internet connections (remember, this port is NEVER used for ANY legitimate service)
    b) this buffer-overflow (do they have a QM department or what??)

    The problem with Microsoft is that everything is very insecure _and_ activated by default. RPC port, SMB protocol, HTML mail, ActiveX, you name it.

    If you pick up a CD of Windows 2000 from a local retailer, it is expected from you that you install the latest service pack (which will produce more problems -- remember the XP service pack which slowed the whole system down?), about 20 hotfixes (which may or may not really fix the problem -- remember the story about Windows Update saying a fix was installed when it really isn't?), a virus scanner, a firewall and whatever. And, it is additionally expected that you repeat this procedure at least every month or so. And all this just to surf the net, read mails and write letters!

    If I bought a TV and had to check all the wires every month or so to make sure it doesn't implode or start burning, I'd sure return it to the manufacturer.

    I'm a programmer myself. I'm coding software for industrial machines. When the machine behaves wrongly and people are injured, I'm responsible. Personally. By my private property. And that's fair. Period.
  • Re:oh yeah? (Score:2, Interesting)

    by markalot ( 67322 ) on Tuesday August 19, 2003 @11:33AM (#6733397)
    This is a prime example of blind hatred.

    For years slashdotters have been spouting how Microsoft defaults were wrong. How in Linux you have full control but it defaults to a safe mode. Now Microsoft wants to do the same thing and everyone gets all FUD'ed about it.

    Credibility is important, RTFA, think, then post.
  • Re:M$ worm. (Score:2, Interesting)

    by Pepebuho ( 167300 ) on Tuesday August 19, 2003 @11:35AM (#6733422)
    Sorry, but I do not agree.

    A better suggestion is the Gator way. Make the updater/installer Nagware that in case of a critical update will not simply let you go until you apply the patch.

    If you tell it NO, it should print a DIRE WARNING of DOOM that makes you pay notice.

    People are not fools, and proper disclosure of the dangers they face should be enough. If I am reckless/fool enough to disregard due notice, then I am to blame, not Microsoft. Taking away my right/ability to control what goes into my computer is not the solution.
  • Re:oh yeah? (Score:2, Interesting)

    by zentigger ( 203922 ) on Tuesday August 19, 2003 @11:37AM (#6733447) Homepage
    Isn't that pretty much how Windows(TM) Update(TM) works already? I can enable automatic updates, or I can shut it off. Win2K comes with it turned on by default.

    Perhaps a better solution would be for any "home" version to have an automatic updater that pops up a big red warning box in the middle of the screen telling users they need to patch and a little sliding thermometer scale to show the severity of the patch.

  • by Psiren ( 6145 ) on Tuesday August 19, 2003 @11:39AM (#6733475)
    Too dumb? How about just not interested? Many people just want their computer to work, the way their car and dishwasher "just work".

    Sorry, I don't agree. I still have to fill my car with diesel, check the oil and water, pressure on the tyres etc. This is all essential end user maintenance. Granted, I don't poke around in the engine when something mechanical goes wrong. The same goes for computers. It's a general purpose machine. It is complicated, and that will always be the case.
  • by Dog and Pony ( 521538 ) on Tuesday August 19, 2003 @11:43AM (#6733523)
    If people are too dumb to patch their system with the existing Windows Update, how in the hell are they going to diagnose problems when it's being done without their knowledge?

    You make it sound like they would ever be able to diagnose a problem.

    A user of this class will not be able (or even try) to diagnose the problem, whether they have a machine that has never been patched, or if they now-and-then click through windows update (they never read any of the information there anyways) or if the patches are installed without them knowing.

    All they know is that the computer behaves odd or stops working. Then they call someone.

    Maybe some patches will break their computers. I'd rather have that than another stupid worm running around hogging my precious bandwidth. ;)

  • by prozac79 ( 651102 ) on Tuesday August 19, 2003 @12:04PM (#6733923)
    Lets look at the series of events here:
    1. Microsoft releases a patch a month before a virus hits.
    2. People do not install the patch.
    3. The virus hits affecting thousands of machines.
    4. Microsoft comes under heavy criticism.
    5. Seeing that a lot of people won't install patches manually, they look into automatic updates so that they can avoid wide-spread virus infections in the future.

    Seems like MS is in a catch 22. People will criticize them for having manual patches available or for automatic updates. It seems like they would have to create the world's first flawless OS for everyone to be happy.

    All OS's require security patches at some time or another. It just so happens that Windows has such a large customer base that their viri have a wide-spread effect while viri for another OS might not be as major. So I ask, what can MS do realistically to announce and distribute security patches?

  • Re:M$ worm. (Score:2, Interesting)

    by Paleh0rse ( 142139 ) on Tuesday August 19, 2003 @12:20PM (#6734140) Homepage
    Not at all, and I apologize if I gave that impression. All I am saying is applications/operating systems/etc... should be designed and set up so that "Joe-Average-user" should need to learn about the applications they are trying to configure before they can sabotage themselves.

    Think of it this way: Bob, a "Sys-admin" (at least on paper), buys a computer at retailer-X for his company which he turns into a webserver with some "a-little-too-easy-to-configure-and-set-up" MS software.

    Bob has more or less no idea about the underlying technologies and back-end systems that go into making his "server" work and he puts it directly on his 1.5/1.5 SDSL circuit with no protection. (He doesn't know any better, he got his MCSE from the back of a box of Captain Crunch [WAIT!, they did give away that whistle a while back, maybe that is a good place for budding techies to start])

    Anyway, OS flame wars aside, to Bob, service packs, bug fixes, and security bulletins mean nothing (patches?! we don't need no stinkin' patches!)

    Anyway, so Bob thinks he's the schitt because he set up his "server" all by himself and it works. For now, at least...

    Three months later Bob's server contracts a Worm something big time and starts becoming a liability on the Internet and his company's LAN/WAN/etc.

    So, if Bob had been forced to RTFM in order to set things up insecurely that might have alerted him to the fact that he was making himself vulnerable! Call me a romantic, but I don't think users make themselves vulnerable on purpose. At the very least, Bob would have ended up setting up his Web server with standard configuration, which I am suggesting should be a highly protected and locked down config by default.

    Want to unlock things and make your systems unsecure? Learn the hows and whys of the systems first! It doesn't really affect the REAL techies out there because we know how to, and even enjoy, doing things like READING DOCUMENTATION and learning how to secure our systems. OK, I'm rambling now because I have to go out on a call on Wall Street but, I hope I got my point across.

    I don't want to take away anything from the user, I only want to hand them a box off the shelf that isn't a ticking time-bomb of unsecured services and daemons.

    Cheers!
    Erich

  • by TechStuff.ca ( 588157 ) on Tuesday August 19, 2003 @12:26PM (#6734209) Homepage
    The current "Automatic Updates" system in Windows XP downloads automatically, but requires the user's permission to install the updates. Many users simply ignore the nag messages and never update their system. (Apple's "Software Update" system has a similar design: users are notified of new updates, which they can accept or reject.)

    If the software update is a new version of Windows Messenger or iTunes, users should be able to say no. But what if the update prevents your computer from attacking other machines? Maybe your right to ignore software updates ends when your PC attacks my network!

    At some point, we're going to have to make security updates mandatory. They would be downloaded and installed automatically, whether the user wants them or not.

    The user might be able to say, "Not right now," but should not be permitted to reject security updates altogether. After a reasonable period of time, the system could be programmed to prevent all network access except to get the security update.

    I'm not entirely comfortable with this idea, but I suspect that's where we're headed. I have no doubt that Microsoft will introduce something like this in the next XP service pack (or sooner).

    Here's what's needed to make such a system succeed:
    1. Version 3.0 Quality
      Most users and sysadmins have been burned at least once by beta-quality patches that do more harm than good. Every "Security Update" should be thoroughly tested before it's released. If a crisis makes a quick-and-dirty security fix necessary, a high quality fix should follow ASAP.
    2. No Tricks!
      Any mandatory update system will fail if the updates are perceived to be unnecessary, unreliable or self-serving for the OS vendor.
      In the past, Microsoft has used the Windows Update system to force unwanted Microsoft software on users. (If I remember correctly, IE6 was released as a "Critical Update" to IE5.) No more.
      Also, system updates must be kept separate from application updates. (i.e. Disabled versions of Messenger should not mysteriously reappear after a system update.)
    3. Updates For All
      If one machine is insecure, we're all insecure. If Microsoft adds a security update system to Windows XP (or introduces this as a feature in "Longhorn"), a compatible system must be made available for older systems, including (at least) Windows 2000, Win98 and WinMe.
    4. CD Distribution
      Although software downloads are relatively cheap and convenient for the OS vendor and for high-speed Internet users, dial-up users should be able to get the latest software updates on CD promptly, for a nominal fee.
    I don't have much confidence in Microsoft's ability or desire to make a system that works this way, but I think that's what is needed.

    Maybe there's a viable alternative to mandatory security updates, but I don't see one. Clearly, the current system doesn't work, and it's costing us all time and money.
  • by greenhide ( 597777 ) <jordanslashdot.cvilleweekly@com> on Tuesday August 19, 2003 @01:07PM (#6734717)
    I am increasingly convinced that our enemy is not Microsoft, or even SCO. Our enemy is cluelessness. If we could somehow impart the masses with an infinitesimal fraction of our sense of the big picture most of our problems would disappear.

    No, actually our enemy is the script kiddies and virus software writers whose goal is to shut down the whole system.

    Whether they do it for fun or ...Profit?!?, what they're doing is morally wrong, invasive, etc.

    And yet, it seems many here at Slashdot place all the blame on the users, and never on the virus writers. Heck, we've even deified some of these people and bitch and moan when virus writers are caught and put into jail.

    This is like blaming people for leaving their doors unlocked, rather than blaming the thieves who are actually doing the stealing.

    Obviously, it is our responsibility as slightly-more-savvy-than-average computer users to secure our own computers, and to encourage others to do the same.

    But the truth is, computers should be easy. If I use a fork, I shouldn't have to worry about tine alignment or upgrade its metallacity or whatever. Computers are more complex than forks, obviously, but users shouldn't have to worry about the inner workings of their computers in order to use them to do the work that they *want* to do.

    That being said, I still think that there should be a special circle of hell reserved for those idiots who actually buy things from spammers and who open any attachment they receive. Those people are just being very, very stupid. So maybe we could spread a myth that if you respond to any SPAM or open an attachment that has a virus, your computer will melt. I don't think that most users are impressed by the warnings that say things like, "If you open this attachment, there will be a bad file on your system, it will get sort of slower and might crash." That's pretty much an everyday occurrence for many users anyway.
  • by crazyphilman ( 609923 ) on Tuesday August 19, 2003 @01:16PM (#6734846) Journal
    I beg your pardon!

    I don't "hate" windows because of WFP. I merely find WFP aggravating. I hate windows because windows doesn't work predictably, and frequently chokes on things it shouldn't choke on, like patches and updates. FOR EXAMPLE, I find it irritating that A) the installation of service pack 4 crashed, and B) that my IIS immediately stopped working afterwards, and C) because I now have no IIS, I can't create new Visual Studio .Net projects, so D) I can't bring work home, which E) was the only reason I set up that infernal Windows box in the first place!!! Please, explain to me why exactly windows' failure to survive this chain of events relates to a lack of knowledge or ability on my part. I promise I will pretend to find your explanation fascinating, and I'll even drink a double espresso and stay awake for the whole thing. No promises though.

  • by shamino0 ( 551710 ) on Tuesday August 19, 2003 @04:02PM (#6736620) Journal
    That's easy: Require a license to connect to the Internet.

    Actually, you're not that far off from a workable solution.

    Have ISP's proxy everything. Most users don't do more than web and mail. Add in SSH, FTP, news, a few streaming media protocols, and a few chat protocols and you've got just about everything that most people use. With the possible exception of SSH, all of these can be proxied. Block everything you're not proxying.

    When you block any and all direct connections between users and their servers, you block the spread of anything that uses an unsupported protocol (e.g. NetBIOS or RPC). Anything that tries to use the proxy to spread itself can be blocked by that very same proxy.

    Of course, a lot of the more technically savvy users would balk at this, but that's where something resembling a license can come in. Those who prove that they have a clue can have the blocks removed to allow direct connections. If they prove that they really don't have a clue (say, by being slammed by a worm that could've been fixed by installing a month-old OS patch) then the blocks can quickly be put back again.

  • by Anonymous Coward on Tuesday August 19, 2003 @05:31PM (#6737880)
    Why should ANYONE be forced to update? It's ok to ask (hey, blaster's out - should we install this security fix? etc.)

    However, I have re-installed Windows 2000 on my machine several times. I can tell you that every time I install the patches, it runs NOTICEABLY SLOWER. So I don't install the fixes but I do license firewall and virus software - and to date have had no viruses or trojans!!

    Let's stop with the "we must" crap and get back to reality. Choice. It makes the world go around.

    AC
