Microsoft is weighing options to encourage more users to
secure their computers, including automatically applying security
patches to PCs remotely.
"We are looking at a range of options to get critical updates on
more systems, from finding ways to encourage more people to keep
their systems up to date themselves to where it is done
automatically by default for certain users," said Matt Pilla,
senior product manager for Windows at Microsoft.
Microsoft does not plan any immediate changes to the way it
delivers security patches, but the company also does not intend to
wait until the release of its next operating system to improve it,
said Pilla.
"This is a priority for us. I think there are a lot of things we
can do during the Windows XP time frame to help people make their
PCs more secure," he said. The successor to Windows XP, codenamed
Longhorn, is expected to be out in 2005 or 2006.
Microsoft already delivers software patches through its Windows
Update website and through update software in Windows XP, Windows
2000 and Windows Me. The software does not download and install
patches by default, but asks a user to select from various options,
including alerts when an update is available.
"Giving the user the ability to control auto update is important
to us," Pilla said. "One of the things we are working on is a
balance between keeping systems up to date and giving users the
control over their systems."
On 16 July, Microsoft issued a "critical" security update that
fixes a serious security vulnerability in Windows. The company
urged customers to patch up, though many apparently ignored the
warning. The Blaster worm that started spreading weeks later was
able to infect hundreds of thousands of computers by taking
advantage of the vulnerability.
Russ Cooper, surgeon general of TruSecure and moderator of the
popular discussion list NTBugtraq, is one of the most outspoken
critics of Windows Update. Nevertheless, he is all for
automatically delivering security updates.
"I think it is a great idea, they should have done it ages ago,"
he said. "We will scrutinise the way they do it. I applaud them for
willing to be put under such a microscope for something they
believe the world does not trust them to do."
Microsoft has no choice, it has to take patching in its own
hands, said Rob Enderle, principal analyst at Enderle Group. "They
absolutely have to create a program where patches are applied
automatically."
People worried about giving Microsoft control over their systems
should weigh the alternative, Enderle said.
"People really don't want to give Microsoft access, but if they
don't then the patches don't get applied timely. It is about
relatives, do folks trust Microsoft more than they trust a
hacker?"
Joris Evers writes for IDG News Service