Microsoft is considering changing the way that Windows updates security patches, making the update process automatic by default, following the latest round of security problems for Windows users.
A Microsoft spokeswoman said the company is "giving strong consideration to enabling Auto Update by default in future versions of Windows," though the company has not yet committed to a time frame. If Microsoft decides to go ahead with the change, it could be implemented in Longhorn, the code name for the next version of Windows, which is expected to be completed in late 2004.
Automatic installation of security patches might have helped prevent the recent MSBlast worm, which successfully attacked hundreds of thousands of PCs that had not installed a month-old patch.
Currently, automatic updates are available as an option. Microsoft executives said the company decided not to make the feature a Windows default with Windows XP following customer feedback that suggested users did not want Microsoft controlling their PCs.
Some security experts, even those normally suspicious of Microsoft, said automatic updates might be the best way to secure users' PCs -- particularly those of home users and small businesses. Bruce Schneier, co-founder of Counterpane Internet Security and a well-known Microsoft critic, came out in support of the suggestion, telling the Washington Post that it was a "trade-off that's worthwhile".
Analyst firm Gartner agrees, saying that the move could help average IT users, who generally lack the time and IT knowledge to keep up with the latest patches.
But Gartner suggests that Microsoft must make some changes to its updating system before it can be trusted to install software automatically on users' PCs. Gartner says Microsoft must promise not to use the auto-update feature for anything but security patches, and should allow a security review of the system by outside parties.
"A compromise of this comparatively new feature could have catastrophic results," Gartner's Terry Allan Hicks said in a statement.
Many users, particularly enterprise system administrators, like to evaluate patches before they are applied -- and with good reason, because patches can interfere with other software, or even cause system failures. In a well-known incident, Microsoft's Service Pack 6 for Windows NT crashed thousands of servers.
When the first Windows XP service patch appeared last autumn, critics said the patch's terms of use gave Microsoft the right to check product versions and block some programs, although Microsoft insisted that no personal information would be collected.
This is not the first time Microsoft has mooted the idea of changing its software update mechanism. In June the company said it planned to simplify its patch technology and to expand its automatic update service to include more products.
The software giant identified four areas where it plans to make improvements over the next 12 months: patch quality; delivering information to its customers; broadening the number of applications supported by its automated update technology; and simplifying the way that patches are applied.
CNET News.com's Robert Lemos contributed to this report.
Talkback
Here we go again: A major U.S. firm hops on a crisis of its own troubled doing to further its own business ends, much as private power interests, having overloaded U.S. power grids for profit, now want the public to make up for what they caused in the first place.
Microsoft made the insecure Windows OS; that does not imply a requirement that users be forced to accept patches--patches that in some cases now change the digital rights status of the PC, as is the case in certain Media Player updates.
Governments should instead force Micorosft to fix its extant product, not hand MS holus bolus an excuse toi further tie up the end user.
Considering how long it takes to download and implement some patches, Microsoft will have to go a long way to ensure that both can be done quickly. And it would be so helpful if the instructions were given unambiguosly. I have Norton antivirus and firewall enabled with automatic updates. Does this give me the protection against MSBlast and others, or do I still have to download the Windows patch? I have not seen a single article that even addresses this issue, and it must affect millions of end users.
Whilst there are obvious benefits to this idea, it is not practical. Clearer Firewall and Anti Virus awareness is a better solution.
I have always been prompt regarding updating my anti virus and firewall software, and have never been hit by a virus.
Windows patches on the other hand are different. They are often huge, and the details misleading. Quite often patches which list themselves as 240K forget to mention that this is only the installer which will then try connect to download a further 15M. Before I had broadband I used to wait for MS service packs to be released on magazine coverdisks. This was both for time and phonebill reasons. The ability for home users to download patches once and install them on several machines would be a big bonus.
I am a home user but I have more than one machine. Even now I have broadband I only have autoupdate set to let me know when patches are available. I can then choose to install the patch on one machine and let it run for a few days before I update my others.
This is a ridiculas idea. MS should make the product secure before realease not afterwards.
It would be better to have antivirus and firewall software on by default and only allow internet access when this software is running. That is a much better solution
You want a nice Apple Mac, you do
Windows XP comes with a firewall?? I don't think so!! My router has a more configerable firewall than that piece of rubbish. Get a grip Microsoft and give Windows a decent firewall which works both up at application level and at port/IP address level.
(By the way I run Tiny Personal Firewall 5.x which is quite good).
FAO DAvid Hoare....
The information is available if you look.
your virus scanner will block the virus...eventually. The provider needs time to dissect the virus, write the update, dustribute the update, and you to download it. In the past, this model worked, but the sheer spread speed of these new variants prevents this being effective. An heuristic scanning rarely works.
Your firewall would have blocked the blaster virus....but only if it was configured correctly. A full firewall is very complex to administer fully, and even a 'user' level one is not simple. While the default may block some stuff, I can gaurantee that the virus writes know the default settings for all the scanners and firewalls, and will do their best to get round them.
So....you should be safe, from this particular virus, but long term safety will need better code to prevent exploits, possibly using the auto update, or writing the code more securely to start with.
Great, so we have 5 billion computers trying to download a `much needed patch' all at once, that should sink the M/S site lol
I think this is ridiculous.
I certainly wouldn't want a company that didn't
test its software fully to have access to my PC to install more buggy software. I would rather run the risk of being exposed, and be able to acceptance test software before installing it.
The latest patch for Internet Explorer seems to cause it to crash frequently.
Quite apart from the huge bandwidth/data transfer needed, users would need to be hooked up to the net all the time or suffer lack of access when they did connect.
I think that this behaviour should be enabled by default, as this will mean that the vast majority of home & small office users will be protected. For larger organisations that have an IT/security team, this functionality is controlled via group policy.
I have to admit to being rather nervous about this technology when it first appeared, however I have come to trust it - with *only* one duff patch (that was replaced reasonably quickly) having been issued thus far. I have Auto-update enabled on my home PC as well as the built-in personal firewall enabled and a good anti-virus installed as well and as such have not been affected by any of the recent virus/worm panics, apart from my anti-virus dropping some infected emails, and my firewall logs growing faster than normal.