Too busy to update your flawed software? Software giant Microsoft Corp. is considering whether Microsoft, flaws and all, should automatically do it for you.

Microsoft said Aug. 19 it is considering whether to sign up users of future versions of its Windows operating system to a service that automatically downloads and installs software fixes on their computers unless customers specifically opt out of the service.

No decisions have been made, but it is one way the company is considering tightening computer security in the future, after the Blaster worm and other variants infected hundreds of thousands of computers around the world earlier this month (see “Computer worm exploits Windows flaw, snarls networks,”

“We think it would help the safety of a lot more customers if they had the benefit of the patching there [automatically],” said Steve Lipner, director of security engineering strategy for the Redmond, Wash., company.

School technology leaders who spoke with eSchool News in the days following the attacks were lukewarm to the idea. But all agreed: Something must be done to simplify the process of ensuring that hundreds of computers across large networks remain protected from future attacks.

‘Protect Your PC’

Besides exploring the idea of automatic updates, Microsoft also has launched a “Protect Your PC” campaign to suggest ways consumers can guard their computers against attacks such as the “Blaster” worm, which has infected hundreds of thousands of computers since Aug. 11.

The new campaign comes after the virus, also dubbed “LovSan,” exploited a flaw in most versions of Microsoft’s Windows operating system and infected computers around the world, slowing networks and causing frequent rebooting.

Other virus variants, including one that attempts to download the patch for vulnerable computers, are also working their way through computer networks, further snarling traffic.

Although Microsoft had posted a fix for the flaw on July 16, tens of millions of people waited until late in August to install it, Microsoft said, based on downloads from its Windows Update web site. The company decided to accelerate plans to promote security by launching its Protect Your PC campaign, said Amy Carroll, director of product management for Microsoft’s Security Business Unit.

Starting on Aug. 19, the company bought ads in several newspapers telling customers about setting up firewalls, visiting Microsoft’s update site, and buying anti-virus software.

It has also set up a new web site (see link below) that offers step-by-step instructions for turning on existing security tools in Windows XP and suggestions for buying anti-virus protection. Microsoft is working on a video as well to post on its web site.

In the meantime, the company is encouraging users of the most current versions of Windows to sign up for Automatic Update, in which Microsoft automatically downloads and installs software fixes for them.

Automatic updates–available now for customers with Windows XP–are one way consumers can keep their software patched, said Craig Schmugar of Network Associates’ anti-virus emergency response team. But many customers might resist that option for a variety of reasons, he said.

Network administrators in large companies or school systems might be reluctant to allow automatic downloads, Schmugar said, because the downloads might interfere with how other programs work. Ideally, they would want to be able to test the software before widely deploying it across their enterprise, he said.

Better solutions needed

School technology professionals who spoke with eSchool News largely agreed with Schmugar. Although they expressed frustration with the current approach to network security–applying piecemeal patches as they are announced–they said they weren’t sure automatic updates are the answer, either.

James Ross, technology coordinator for the St. Elmo Community Unit School District in Illinois, estimated that it took him close to six hours to update only the servers and mission-critical machines in his district with the latest Windows patch. “Good thing I was mostly caught up to start with,” he said.

But Ross said he would be concerned about network traffic becoming clogged if all the computers in his district were downloading patches automatically at the same time.

“If [Microsoft] could make it so the downloads happen in the background, not every machine [downloads a patch] at the same time, I don’t have to reboot until a user is ready, and I don’t have to administer some complicated patching schedule, [then it] would be great,” he said of the idea.

Given the complexity involved in keeping software patches up to date, many ed-tech professionals said they are looking for better solutions to the challenge of network security.

Charlie Reisinger, director of technology for the Penn Manor School District in Pennsylvania, said his district runs a mixed-platform network with Macintosh, Windows, and Linux machines. “Since Macs and Linux computers are immune to Windows viruses, we knew that at least half of our computers would not be affected,” he said.

The Blaster worm demonstrates that the number and intensity of Windows-related viruses will only continue to get worse, Reisiger said.

“Most schools simply do not have the time or personnel to keep up with an endless stream of patches and security holes,” he said. “Imagine if we had to take our automobiles in for a patch or fix with the frequency that we do for our computers.”

He concluded: “It’s getting to the point that any district running an exclusively Windows network does so at its peril. Alternatives to Windows, such as Linux and Macs, are looking better all the time.”


Microsoft’s “Protect Your PC” campaign

Sidebar: New computer virus clogs eMail in-boxes

A new strain of one of the most virulent eMail viruses ever spread quickly Aug. 19, causing fresh annoyance to computer users worn out by the previous week’s outbreak of the Blaster worm.

The virus, which has clogged tens of thousands of computer networks worldwide, underscores the need for school technology professionals to warn all computer users in their communities–including teachers, students, and parents–of the dangers of opening suspicious eMail attachments.

The new virus, named “Sobig.F” by computer security companies, attacks Windows users via eMail and file-sharing networks. It also deposits a Trojan horse, or hacker back door, that can be used to turn victims’ PCs into senders of spam eMail.

MessageLabs Inc., a company that filters eMail for corporations, had blocked more than 1 million copies of Sobig.F by the end of the day Aug. 19, the most it has ever intercepted in a single day. That was one out of every 17 eMail messages the firm scanned.

“That’s just a number we’ve never seen before,” said Brian Czarny, marketing director at MessageLabs. The most widespread virus of all time, “Klez,” at its peak accounted for one in 125 messages scanned.

The previous Sobig.A and Sobig.B variants are both on MessageLabs’ list of the biggest 10 eMail viruses of all time.

The eMail message that carries Sobig.F has the subject line “Re: Details,” “Re: Approved,” “Re: Thank you!,” or another variation, and it contains the message “Please see attached file for details.” If a recipient clicks on the attachment, which can have multiple names ending in the “.pif” file extension, the computer will be infected.

The virus will then send itself out to names found in the victim’s address book and will use one of these names to forge a return address. As such, the infected party might not quickly learn of the infection, while an innocent party might get the blame for helping to propagate it.

Like all the other Sobig viruses, this version is programmed to self-destruct after two weeks, in this case on Sept. 10. But some experts fear this termination date is simply to make way for an update of the virus designed to thwart the safeguards developed for the previous version.

The Blaster worm is still at large. It uses a published flaw in Microsoft’s Windows operating systems to spread via network connections, without using eMail. It slowed down the internet and caused computer restarts worldwide, but the attack it was programmed to carry out against a Microsoft web site on Aug. 16 proved harmless.

Regarding the Sobig virus and similar attacks, internet security firm Symantec Corp. has posted the following advice on its web site:

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP (file transfer protocol) server. If these services are removed, blended threats have less avenues of attack, and you have fewer services to maintain through patch updates.

  • If an attack exploits one or more network services, disable–or block access to–those services until a patch is applied.

  • Always keep your patch levels up to date, especially on computers that host public services and are accessible through the firewall.

  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

  • Configure your eMail server to block or remove eMail that contains file attachments that are commonly used to spread viruses, such as “.vbs,” “.bat,” “.exe,” “.pif,” and “.scr” files.

  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

  • Train students and employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the internet unless it has been scanned for viruses. Simply visiting a compromised web site can cause infection if certain browser vulnerabilities are not patched.

Symantec Security Response: Sobig.F Details and Recommendations