Microsoft’s Narrowband Security Hurdle

Microsoft’s recent release of a scaled-down removal tool for the MSBlaster worm was an unprecedented move aimed at reaching an elusive element of the destructive worm: home PC users.

As part of its bid to reach dial-up subscribers who haven’t bothered to download a patch that removes the worm, the software giant’s security unit stripped out as much as they could from the tool in order to make the patch a faster download.

The scaled-down approach illustrates a persistent problem in patch-management: how to load the patches on home users’ PCs.


“It [the Blaster removal tool] was one of the smallest things we’ve posted to our downloads section in the past few years,” said Christopher Budd, security program manager with Microsoft’s security
response center. “It was designed specifically to go in and look for the Blaster infection. We stripped it down
specifically to keep the file size small and to accommodate dial-up users.”

Budd told internetnews.com that the file size and
complicated nature of security patches are a “definite hurdle” the company
faced in its attempts to coax users with a dial-up Internet connection to wait through the download and then install the software fix. It is an “intractable engineering
problem,” Budd said.

“The smaller the patch, the less of a hurdle it will be to reach
narrowband customers,” he added. “That’s the most effective thing we can focus on. I
think we can reduce patch sizes and get it to an acceptable level, but it
will always be a problem because of the way patches are designed.”

He said the Blaster removal tool was released as a
317 KB download (about three minutes for dial-up connections). “We’re
targeting the residue from the major [Blaster] outbreak from late last year.
We’ve never released a tool like this and once we realized that home users
were still infected and were actively transmitting the worm, we had to make
the tool specifically for them,” Budd explained.

He said the tool was built after consultations with anti-virus partners
in the Virus Information Alliance (VIA), which includes companies that work together on battling viruses.

For Gartner analyst John Pescatore, there’s no easy answer
to the problem of reaching dial-up subscribers. “If home users were
downloading every incremental patch release, it won’t be that big a deal for
dial-up users. But, the reality is that they download the patches once a
year or when a big alert reaches the mainstream media and then you’re
looking at tens of megabytes of patches,” he told
internetnews.com.

Still, Pescatore believes the biggest problem isn’t the size of the patch
but the mindset of home users who are unaccustomed to looking for software
fixes. “The mom and pop home users don’t have IT shops. You can’t expect
home users to be continually checking for a software patch because they
think of it as their car or their TV set. They take the car in for repairs
when something breaks or when they get a letter from the manufacturer
warning about a recall,” he added.

Pescatore believes that continued broadband penetration would help solve the
conundrum but, in the meantime, he said Microsoft will have to take a
hard look at shipping free CDs to home users to avoid the download problem
altogether. “When they put out the next service pack for Windows XP, that’s probably
something they should be giving out on CDs. There’s no way you can expect every
dial-up home user to download that service pack.”

Microsoft’s Budd said there have been some discussions internally about
releasing large patches on CDs but he declined to get into specifics. “As
we improve the patch process, we need to find ways to make the patches
smaller. Eventually, you will see our patches getting smaller and broadband
penetration getting bigger and that convergence will improve the patch
application ecosystem,” he said.

But Gartner’s Pescatore said that’s at least two years away, and that home users are probably going to be stuck in the meantime. “A lot
of home users who went through the pain of downloading the patch find that
the installation is too complicated. They download it and assume that the
installation is complete and that’s a bigger problem. A lot of home users
don’t even know how to apply a patch,” Pescatore added.

Pescatore believes home users will see immediate benefits when the security-centric SP2 for XP ships later this year. “For home users, turning on the software update
feature to automatically get fixes is a good idea. It will also turn on the
personal firewall by default so there’s some relief coming with the service
pack.”

The Windows XP service pack is now in beta. It comes with a major overhaul
of the company’s flagship Internet Explorer browser and the
ability to monitor browsing, e-mail and instant messaging for malicious
attachments or code.

The service pack will also disable unnecessary services that open ports
to potential hacks by worms or spam and include protection against buffer overflows, the most common software security flaw. New compiler
technology will be added to XP to detect buffer overruns and stop malicious
code from running on the computer.

“From a security perspective, the service pack does a lot of good things
but Microsoft has to take the extra step to distribute it on CDs. For the
next few years, that’s the only way they’ll be able to reach the dial-up
home users,” Pescatore said.
