March 05, 2004

Pushy Pushy

Over at Outside the Beltway, James is blogging about Microsoft wanting to automate security on new Windows machines. Microsoft has been kicking around this idea for quite a while, but they seem to have made up their minds to implement it, letting the chips fall where they may.

Microsoft Corp. plans to release a new version of its popular Windows XP software that automatically downloads and installs software patches onto personal computers, one of the company’s most aggressive moves to promote Internet safety.

James says:

One would think that this would also create an amazing new vulnerability? Still, Microsoft has to do something, I suppose. I’ve been autofed security updates several times over the past few days. Indeed, it’s getting nigh unto ridiculous. If it weren’t for a massive hard drive—not to mention a broadband connection— all these updates would really eat into system resources.

Well, he has it partially right...

Let's get the one good thing out of the way - automating updates would make sure that patches for vulnerabilities were applied. So, worms wouldn't be able to exploit holes on machines of people who haven't got the vaguest idea that there is such a thing as a patch. That being said, let's now look at the problems in getting pushy with patches.

First there is the idea that James puts forward of this creating a huge vulnerability. This is true if and when hackers figure out how to use the auto update to push their own brand of "patches". It may not be that difficult when all is said and done. Patching must be done with Admin privileges, so if a hacker can either con someone into downloading a patch, or hijack the DNS so that the machine downloads a malicious patch... much mayhem could ensue.

But that's not even the biggest problem. One of the things that Microsoft has done over the years is to release BUGGY patches. Most recently SP4 for Win2K caused driver problems for hardware on some machines. Oh, just dandy, you download a patch and now your monitor is hosed up - how great is that? Then there was the buggy patch for Outlook that caused all attachments to be stripped - period. They were just gone. Much annoyance and reinstalling of Outlook had to take place because the patch couldn't be undone. These are just a couple of the many problems patches have caused over the years. Even today I saw somewhere (can't quite recall at the moment where I read it) that the new SP2 for Windows XP has the potential to "break" some software. This is a Microsoft warning - so they already know it's going to cause problems!

In general, if a patch is released, I wait around a bit to see if anyone pops up with any major problems before I install it on my machine. That has saved me quite a lot of grief over the years. Problem patches start to be reported immediately, so it's not like you have to be unpatched for months - several days to a week usually suffice.

Last of all is the problem of how you connect to the net. Not everyone has a cable modem or DSL. Those on dialup may be royally screwed as they have to wait forever for a patch to download. Or maybe the download freezes and then nothing works! So, every time you try to kill the connection and dial in again - Microsoft tries to push the patch at you - whether you want it or not - and you are totally unable to get on the net and do something as simple as retrieving your email. I can see that causing HUGE problems. Not good public relations to have your patches keeping people from getting online and doing what they want to do...

Now Mac users often get a bit smug about this time. They all say - hey if you were using a Mac, this wouldn't happen. Well, true, but if I were using a Mac, I wouldn't be working. There is software I need to run to do my job that doesn't work on a Mac. But Mac users may be facing more significant problems down the road.

The OS X software is Unix-based. That means potential problems with worms and virii (and no I don't care if virii is a real word or not) for Linux OSes could end up causing problems for Macs. The greater the distribution of Linux, or rather the more popular it becomes, the more bad things will start to happen. Virus and worm writers like to see some effect for all the labor they put into what they do. Microsoft gives the most bang for the buck right now, but it's possible that Unix-based machines will soon be catching up.

Anyone still reading? I thought not.

Comments

Still reading. Good point :-)
