Meanwhile back in the Windows ‘verse all the anti-virus and system patches in the world won’t make a bit of difference if no one bothers to actually apply them to their systems. A new malware package known as Conficker has been making sudden gains on systems across the net taking advantage of a vulnerability in Windows that was patched months ago. This prompts Joel Hruska over at ArsTechnica.com to ponder whether critical updates should be forced onto systems:
Microsoft issued a patch for MS08-067 on October 23 and rates the severity of the flaw as “Critical.” for all previous versions of Windows 2000, XP, XP-64, and Server 2003. Windows Vista and Windows Server 2008 are apparently less vulnerable; Microsoft’s aggregate severity rating for these two operating systems is “Important.”
There’s a story within the rise of Conficker that I think is worth exploring. Microsoft appears to have dealt with this issue in textbook fashion; the company issued a warning, released a patch, and (presumably) rolled that patch into November’s Patch Tuesday. A significant amount of time—five to six weeks—has passed since Microsoft released its fix, yet PC World reports Conficker may have already infected as many as 500,000 systems.
It would be extremely fascinating to see data on how a patch spreads throughout the Internet once released by Microsoft as well as information on whether or not the severity of any particular flaw affects how rapidly users move to apply the patch. Events like this this raise the question of whether or not Microsoft should have the capability to push critical security updates out to home users automatically, regardless of how AutoUpdate is configured. I say home users for a reason; businesses and enterprise-class companies may still need to deploy the patch on a specialized timeline in order to ensure servers stay operational.
The idea of mandatory updates is unpopular with a lot of folks, myself included, but there’s a fair argument to be made here. Microsoft takes a lot of shit for having major holes in their OS, but a lot of those holes are patched within a reasonable time upon their discovery. Those patches don’t do any good if they’re not applied and the average PC user is not a technical support guy like me and probably won’t even be aware that he needs to apply patches, but he won’t hesitate to blame Microsoft if he gets infected. At the very least I could see an argument for setting the option for critical updates to be installed automatically as the default with the option to turn it off for folks who know what they’re doing. We already have a number of different software packages, mostly DRM systems, that update themselves automatically whether the user wants them to or not and a lot of folks seem to have no problem living with that situation (the rest of us just don’t use that software). I see a much stronger argument that can be made for Microsoft doing the same with critical updates than any DRM system.
The problem of unpatched systems has gotten bad enough that back in 2005 some ISPs started blocking infected systems from using their services and others have been breaking Internet protocols in controversial ways to try and combat the problem, but the best offense is a good defense and that means individual users keeping their systems patched and running current anti-virus software. The question then becomes: Should Microsoft be allowed to at least force the critical updates on its users?