RealTime IT News

Microsoft's Narrowband Security Hurdle

Microsoft's recent release of a scaled-down removal tool for the MSBlaster worm was an unprecedented move aimed at reaching an elusive element of the destructive worm: home PC users.

As part of its bid to reach dial-up subscribers who haven't bothered to download a patch that removes the worm, the software giant's security unit stripped out as much as it could from the tool in order to make the patch a faster download.

The scaled-down approach illustrates a persistent problem in patch management: how to load the patches on home users' PCs.

"It [the Blaster removal tool] was one of the smallest things we've posted to our downloads section in the past few years," said Christopher Budd, security program manager with Microsoft's security response center. "It was designed specifically to go in and look for the Blaster infection. We stripped it down specifically to keep the file size small and to accommodate dial-up users."

Budd told internetnews.com that the file size and complicated nature of security patches are a "definite hurdle" the company faced in its attempts to coax users with a dial-up Internet connection to wait through the download and then install the software fix. It is an "intractable engineering problem," Budd said.

"The smaller the patch, the less of a hurdle it will be to reach narrowband customers," he added. "That's the most effective thing we can focus on. I think we can reduce patch sizes and get it to an acceptable level, but it will always be a problem because of the way patches are designed."

He said the Blaster removal tool was released as a 317 KB download (about three minutes for dial-up connections). "We're targeting the residue from the major [Blaster] outbreak from late last year. We've never released a tool like this and once we realized that home users were still infected and were actively transmitting the worm, we had to make the tool specifically for them," Budd explained.

He said the tool was built after consultations with anti-virus partners in the Virus Information Alliance (VIA), which includes companies that work together on battling viruses.

For Gartner analyst John Pescatore, there's no easy answer to the problem of reaching dial-up subscribers. "If home users were downloading every incremental patch release, it won't be that big a deal for dial-up users. But, the reality is that they download the patches once a year or when a big alert reaches the mainstream media and then you're looking at tens of megabytes of patches," he told internetnews.com.

Still, Pescatore believes the biggest problem isn't the size of the patch but the mindset of home users who are unaccustomed to looking for software fixes. "The mom and pop home users don't have IT shops. You can't expect home users to be continually checking for a software patch because they think of it as their car or their TV set. They take the car in for repairs when something breaks or when they get a letter from the manufacturer warning about a recall," he added.

Pescatore believes that continued broadband penetration would help solve the conundrum but, in the meantime, he said Microsoft will have to take a hard look at shipping free CDs to home users to avoid the download problem altogether. "When they put out the next service pack for Windows XP, that's probably something they should be giving out on CDs. There's no way you can expect every dial-up home user to download that service pack."

Microsoft's Budd said there have been some discussions internally about releasing large patches on CDs but he declined to get into specifics. "As we improve the patch process, we need to find ways to make the patches smaller. Eventually, you will see our patches getting smaller and broadband penetration getting bigger and that convergence will improve the patch application ecosystem," he said.

But Gartner's Pescatore said that's at least two years away, and that home users are probably going to be stuck in the meantime. "A lot of home users who went through the pain of downloading the patch find that the installation is too complicated. They download it and assume that the installation is complete and that's a bigger problem. A lot of home users don't even know how to apply a patch," Pescatore added.

Pescatore believes home users will see immediate benefits when the security-centric SP2 for XP ships later this year. "For home users, turning on the software update feature to automatically get fixes is a good idea. It will also turn on the personal firewall by default so there's some relief coming with the service pack."

The Windows XP service pack is now in beta. It comes with a major overhaul of the company's flagship Internet Explorer browser and the ability to monitor browsing, e-mail and instant messaging for malicious attachments or code.

The service pack will also disable unnecessary services that open ports to potential hacks by worms or spam and include protection against buffer overflows, the most common software security flaw. New compiler technology will be added to XP to detect buffer overruns and stop malicious code from running on the computer.

"From a security perspective, the service pack does a lot of good things but Microsoft has to take the extra step to distribute it on CDs. For the next few years, that's the only way they'll be able to reach the dial-up home users," Pescatore said.