Information Security News mailing list archives

Windows Patches and the Dial-Up Problem


From: InfoSec News <isn () c4i org>
Date: Wed, 17 Sep 2003 03:21:05 -0500 (CDT)

http://www.eweek.com/article2/0,4149,1267897,00.asp

By Larry Seltzer 
September 12, 2003   

During the run-up to Blaster, in the period when we all expected an
exploit to strike any minute, I was visiting friends. They had one
computer, a Windows XP Home box, with only an AOL dial-up line. One
night I went online to check the latest sports scores, my curiosity
got the better of me, and I just had to check Windows Update. Oops!
Forget anything else, this was going to take a while.

If you don't pay regular attention to patching Windows, then you could
easily find yourself with tens of megabytes of downloads to install.  
And if you have only one phone line, don't expect the phone to be
ringing for a long time. Over two consecutive nights, I set their
machine to download patches until morning and that basically did the
job. Still, a couple of extra downloads were necessary because the
installations needed to be done separately.

At the same time, it's worth noting that there were still options
available on the Windows Update site, such as the .NET Framework, that
I didn't choose to install because these programs are unnecessary for
such users. Now, I knew to make that choice, but I don't think my
friends could have.

While broadband is spreading rapidly, there are still a whole lot of
folks who use dial-up, and many who have no broadband options
available. Because the slow connections make it impractical for
dial-up users to stay up to date on security patches, it's highly
likely that a large percentage of them are out of date. This situation
is a continuing security problem for all internet users and
businesses.

Broadband customers have a plethora of features to customize their
patching experience. Automatic Updates will check for available
updates from Microsoft's site and download them in the background,
letting you know when they are available for installation. You can
even schedule the system to install downloaded updates at some
predetermined time, say 3 o'clock in the morning.

However, there is no way to schedule the system to go out and retrieve
the updates, which can be installed at some point. The closest thing
to a workable solution for dial-up users is to leave the connection on
at all times and then use Automatic Updates to eventually download
what you need.

It occurred to me that one way to make things easier for dial-up
users, and even broadband users in many cases, would be to issue
periodic update CDs. Imagine a disc with all of the updates on it and
a program (it could even be written in Windows Script Host) to check a
system for which updates need to be installed, apply them in the
correct order and even reboot in between. Such a program would not be
hard to write.

Microsoft could charge a trivial amount for the discs but it would be
better just to give them away and encourage users to pass the discs
around when they were done. At that point you'd still need to check
Windows Update for recent additions, but it's unlikely you'd have an
unbearably long download time. In fact, the CD could launch Windows
Update at the end of its script. I often set up computers for testing
and a disc like this would be a great convenience. But think of how
much easier it would make life for dial-up users.

I recently put this suggestion to Microsoft and their response
basically avoided the whole issue. Why wouldn't the company want to
offer such a CD, assuming that's the motivation behind their
stonewalling?

Some might suggest that such an update CD would make it harder for
Microsoft to check if you're running a pirated copy of Windows.  
Perhaps there are better reasons, and I might know them if Microsoft
had offered them.


Security Supersite Editor Larry Seltzer has worked in and written
about the computer industry since 1983.
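
The check-and-order step of the update-disc program proposed in the column above, as an added example that is not part of the original column and is not Microsoft code. It is written in modern JavaScript for Node.js rather than Windows Script Host, and the manifest format, the update ids and the `planInstall` name are assumptions made for illustration.

```javascript
// Constructed sample manifest for a hypothetical update disc. The ids,
// "requires" lists and "rebootAfter" flags are made up for illustration.
const MANIFEST = [
  { id: "UPDATE-D", requires: ["UPDATE-B", "UPDATE-C"], rebootAfter: false },
  { id: "UPDATE-A", requires: [], rebootAfter: true },
  { id: "UPDATE-B", requires: ["UPDATE-A"], rebootAfter: false },
  { id: "UPDATE-C", requires: [], rebootAfter: true },
];

// Returns an array of passes. Each pass lists the update ids to install, in
// order; the machine reboots between passes. "installed" is the list of ids
// already present on the system (how that is detected is out of scope here).
function planInstall(manifest, installed) {
  const have = new Set(installed);
  const onDisc = new Set(manifest.map((u) => u.id));
  const missing = manifest.filter((u) => !have.has(u.id));

  // Fail early if a prerequisite is neither installed nor on the disc.
  for (const u of missing) {
    for (const dep of u.requires) {
      if (!have.has(dep) && !onDisc.has(dep)) {
        throw new Error(`${u.id} needs ${dep}, which is not on the disc`);
      }
    }
  }

  const passes = [[]];
  const done = new Set(have);
  let pending = missing.slice();
  while (pending.length > 0) {
    // Take the first pending update whose prerequisites are all satisfied.
    const next = pending.find((u) => u.requires.every((d) => done.has(d)));
    if (!next) throw new Error("circular prerequisites in manifest");
    passes[passes.length - 1].push(next.id);
    done.add(next.id);
    pending = pending.filter((u) => u !== next);
    // A reboot ends the current pass, unless nothing is left to install.
    if (next.rebootAfter && pending.length > 0) passes.push([]);
  }
  return passes.filter((p) => p.length > 0);
}

// Example run: a machine that already has UPDATE-A.
console.log(planInstall(MANIFEST, ["UPDATE-A"]));
```
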

 
