Interesting People mailing list archives

MS XP service pack will automatically download *and* install updates


From: Dave Farber <dave () farber net>
Date: Fri, 05 Mar 2004 05:47:34 -0700

I love the last paragraph. Auto updating has definite dangers from hackers and from errors in updates and interference with other programs. (This has happened in the past.) Auto updates are dangerous if not protected and I don't think we know how to do this yet.

Dave

ps it was my Grand Challenge at the CRA Grand Challenge workshop on Security :-)


Microsoft to Automate Windows Security

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, March 4, 2004; 6:41 AM

Microsoft Corp. plans to release a new version of its popular Windows XP software that automatically downloads and installs software patches onto personal computers, one of the company's most aggressive moves to promote Internet safety.

Starting in mid-2004, Windows XP customers will be able to download a new "service pack" that includes the automatic installation function. The software also will include a stronger Internet firewall, new protections against computer viruses and software that blocks Internet pop-up advertising.

The upgrade is meant to make it easier for the millions of home computer users who surf the Internet but are not computer security experts.

Security is not something most computer users think about unless there is a computer worm or other high-profile threat going around, said Neil Charney, Microsoft's director of Windows product management. With the upgrade, customers give their consent once and Microsoft will download and install patches for them, he added.

The software is one of the first fruits of the "secure computing" project that Microsoft Chairman Bill Gates launched in January 2002 in response to charges that the software maker was sacrificing security in favor of user-friendly features that hackers could easily exploit.

It is also designed to get security patches installed on Microsoft computers before hackers can figure out how to take advantage of software holes. Microsoft regularly releases software fixes for security flaws but those same fixes can provide hackers with a blueprint for attack. Hackers usually figure out how to take advantage of a security hole within weeks after the patch is released -- and that time period is shrinking.

"The majority of users don't want to have to worry about changing a lot of settings and taking the enormous amount of time it takes to secure their systems," said Neel Mehta, a security researcher at Atlanta-based Internet Security Systems. "This is a far better approach than leaving it up to the end users to secure the operating system."

Thor Larholm, senior security researcher at PivX Solutions in Newport Beach, Calif., said the changes were long overdue. "I think people would have seen Microsoft in a much better light if they had done some of these things years ago."

Microsoft's latest attempt to promote heightened Internet security among individual Internet users -- most of them not computer experts or even computer-literate -- illustrates a perpetual dilemma with no easy answers.

Even the strongest security feature cannot prevent curious computer users from opening virus-laden e-mail attachments disguised as free games, naked supermodel photos or even security updates. Nearly all of the past year's most destructive viruses and worms -- including the "Sobig.F" and recent "Mydoom" worms -- succeeded because so many people clicked on the attachment and inadvertently spread the infection to friends, family, co-workers and business contacts.

As a result, new versions of Windows XP will prevent people who use Microsoft's Outlook and Outlook Express e-mail software from opening suspicious attachments. Instead, they will have to save the attachments to their computer hard drives before opening them.

"We don't want to put customers in a situation where they have to make a decision of trust when they don't have all the information they need to make that choice, so [with e-mail attachments] we're just not letting it happen," said Mike Nash, corporate vice president of Microsoft's security business unit.

Microsoft also will configure its Internet Explorer Web browser to block "pop-up" ads and messages. Nash said pop-up ads present a heightened security threat as fraudsters use them to install harmful programs and "spyware," software that lets hackers monitor computer keystrokes and look at whatever the legitimate computer user is viewing.

The Windows XP upgrade will contain a new version of its firewall designed to block spyware and other programs from transmitting information out of the user's computer without permission. Unlike in previous versions of Windows, the new firewall will be turned on automatically.

Most worms spread from one vulnerable computer to the next without any action by the user. Having the firewall on by default means even users who have not downloaded the latest security patches should be insulated from Internet worms. E-mail worms would still be able to infect unprotected users if they click on a virus-laden attachment, but in most cases a firewall will prevent the infected PC from spreading the virus to other computers.

Nash said Microsoft is examining ways to prevent hackers from interfering with the automatic update system. The second variant of the "Mydoom" worm, for example, blocked infected computers from downloading patches and communicating with Microsoft's automatic update Web site.

http://www.washingtonpost.com/wp-dyn/articles/A29328-2004Mar4.html


Archives at: http://www.interesting-people.org/archives/interesting-people/

