In my last commentary ( http://www.windowswebsolutions.com/articles/index.cfm?articleid=38138 ), I covered Slammer or Sapphire, a worm that targets systems running either Microsoft SQL Server 2000 or Microsoft SQL Server Desktop Engine (MSDE). Slammer crippled the Web for a long time and affected all Internet users in some way. I also focused on what happened behind the scenes at Microsoft after the worm appeared and the black eye that Slammer gave to the already battered Microsoft security effort. I boldly predicted that as a result of Slammer, every Microsoft product will become a part of Windows Update within the next 6 months. Time will tell how that prediction shakes out, but since my commentary, I've talked to numerous Microsoft employees who have validated my prediction as a good idea--and one that Microsoft is discussing.
I asked you to email me your comments, and I received many interesting and intelligent responses. I stated that many administrators don't install patches and, because of that, IIS 6.0 in Windows Server 2003 is shipping completely locked down with automatic patching enabled. The patch that eliminated the security vulnerability that Slammer exploited was available 6 months before the worm appeared.
I also stated some reasons why administrators don't patch, but I was remiss because I failed to identify one major reason why they don't: the lack of resources to be able to effectively set up a patch-testing environment. Many administrators are afraid of the side effects they often suffer after blindly installing patches without first testing the patches in the proper environment. But testing requires much time and effort--too much, for many overworked administrators. Some administrators have also had a service pack or a patch break something and wreak havoc on their servers and applications. Another factor that causes some administrators not to patch as often as they should is the economy: Downsized support staffs mean that many tasks aren't handled, leaving networks vulnerable to attacks.
Windows Web Solutions UPDATE reader Tariq Hamirani pointed out that another reason administrators don't patch is for fear of Microsoft taking on the role of Big Brother. Hamirani told me about administors' fear of automatic updates sending information to vendors about the machines being updated and their configuration. Hamirani said, "Microsoft may collect information on installed software that might simply have a common key or is flat-out illegal." I don't believe in this particular fear--Microsoft is forthright about what information it collects and when it's collected. Further, I think that companies that run unlicensed software don't have any right to complain about that software.
Anthony Paulina, a network systems architect for CherryRoad Technologies, said, "If your prediction turns out to be true that 6 months from now, all Microsoft products can be updated via Windows Update, my humble opinion is this: It is about bloody time! Currently, Microsoft is underutilizing a really good method of providing fixes for their software. If they provided checks for the other product lines that would be great. Ideally I'd like to see it as a one-stop Web site, unlike today, where you have to go to Office Update for Office and Windows Update for Windows." Richard Rosenheim, CEO of Intelligence Research Systems, agrees: "The idea of having Windows Update handle all the Microsoft updates and patches sounds good to me. In the same vein, I would also like to see SUS \[Software Update Services\] handle everything (not just critical updates)."
Of course, the Windows Update route might not be as easy as it sounds. Andrew Brust, president and founder of Progressive Systems Consulting, wrote, "One issue with Windows Update is that using it from servers may be tough. Microsoft may need to create a remote console that allows monitoring of pending updates on a collection of servers and applying them via some RPC \[remote procedure call\]. Otherwise, you have to Terminal Service into each box, log in as an administrator, and click Update. This will just result in more patches not getting applied."
Clearly, Microsoft intends to fix the process problem. Mike Nash, who is vice president of the security business unit at Microsoft and has responsibility for the security component of Trustworthy Computing, said, "The key lesson of Slammer--maybe it's a re-lesson of Slammer--is our work is not done when the patch is available. Our work is done when the patch is installed on the majority of customers' systems." We can glean from his statement that Microsoft acknowledges it's just not there yet. One can only hope it gets there soon.
