Microsoft's Patch Policy Pickle

In the wake of recent widespread worm attacks on the Internet, Microsoft is considering taking an unprecedented step: making automatic download and installation of security updates the default option for Windows and perhaps Microsoft Office. But first, experts say, Microsoft needs to improve the quality of both its patches and the Windows Update system that delivers them.

Despite problems with current patches, many people could be better off with automatic updates as the default (users currently must enable them). A Windows Update download to repair the RPC (remote procedure call) flaw that the Blaster worm exploited had been available nearly a month before Blaster showed up in mid-August, and Blaster didn't affect Windows XP, NT, 2000, and 2003 Server users who installed the patch. But those who don't accept updates probably didn't know about the patch until too late.

Forced Patches?

Trusecure Corporation's self-styled Surgeon-General Russ Cooper--an advisor to corporate clients on Windows security, and a longtime moderator of the NTBugtraq security forum--says businesses don't need to apply every patch Microsoft puts out but recommends that users without specialized security expertise apply all patches as soon as possible. "The vast majority of users don't want to be asked about updates and would love to see it all done for them without their ever being aware," Cooper adds.

Whether they are automated by default or not, updates definitely won't be mandatory, says Greg Sullivan, Windows client division lead product manager. In the meantime, Microsoft's Protect Your PC program has co-ordinated a Web site to urge users to install updates and use firewalls and antivirus software.

Microsoft is also considering strengthening Windows' anemic built-in Internet Connection Firewall and enabling it by default in future Windows versions and service packs. Even without the anti-Blaster RPC patch installed, Windows XP users who managed to locate ICF buried deep within their system's network settings and then enable it were safe from Blaster, though not from the in-box-clogging Sobig worm that followed.

"Since ICF doesn't stop outbound connections, it has no way of preventing things like Sobig," explains Cooper, noting that some free firewall programs, such as Zone Labs' ZoneAlarm, do police outbound data. However, while beefing up ICF could look like unfair competition to Zone Labs and other third-party firewall makers, Cooper deems the risk well worth taking: "Microsoft could make big points with consumers by giving them a really decent firewall and taking the heat from the Department of Justice."

Bitter Medicine

PC users have swallowed security pills before. America Online users have long endured lengthy, mysterious downloads when logging off. Top antivirus utilities rely on automatic signature updates to catch the latest viruses; the best packages enable these updates by default. But outcries over potential privacy issues related to product activation in Windows XP and Office XP show that computer users don't want a software vendor snooping around their PCs--especially when that vendor is Microsoft.

The company would do well to fix its often buggy Windows Update system. Subscribers to Microsoft's Windows Update newsgroup report a litany of glitches that often prevent the patches from installing. Even worse, Cooper says, Windows Update told some users the RPC patch was installed, when in fact it was not. Even experts like Cooper can't easily tell if an update is really installed, due to obscure Registry, file, and log file changes. But, Cooper notes, patches rarely trouble most people--"say, 1 out of every 100 or so."

Privacy consultant Richard M. Smith says that before making updates automatic by default, Microsoft should disable many of Windows' potentially flawed, and often nonessential, component software services. For example, the Messenger service allows network administrators--and spammers--armed only with a PC's IP address to pop up text message windows from any remote computer.

Smith doesn't believe that Microsoft can make its developers as passionate about security as they are about features. "I don't think they have what it takes, culturally, to write more-secure software." Until that changes, Windows users must patch and bear it.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Scott Spanbauer

PC World
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?