Originally created 05/06/04

Computer security experts lament laggardly pace of patches

NEW YORK -- Far fewer computers would have been disabled by the latest Internet worm had their owners configured them to get the latest security fixes automatically.

Sasser's spread began to stabilize Tuesday, but not before infecting hundreds of thousands of computers by exploiting a known Windows flaw for which Microsoft Corp. had issued a software patch three weeks ago.

Twenty British Airways flights were each delayed about 10 minutes Tuesday due to Sasser troubles at check-in desks, while British coastguard stations used pen and paper for charts normally generated by computer.

On Monday, the worm hit public hospitals in Hong Kong and one-third of Taiwan's post office branches. Major corporations around the world also were infected.

Home users were hit particularly hard, computer security experts say, because they generally lack the know-how to install patches and tend not to have the firewalls needed to keep Sasser from spreading to other computers via the Internet.

Late this summer, Microsoft plans to introduce a Windows XP update that would launch a built-in firewall and automatically obtain and install security patches regularly. Microsoft is currently testing the update.

For now, computer users must manually turn such settings on - through "System" or "Automatic Updates" in Windows' Control Panel - or they must periodically check the company's Web site for new patches.
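One way to check both settings the article points to, Automatic Updates and the built-in firewall, from the command line. This is an added example, not code from the article or from Microsoft; the registry paths and the meaning of the AUOptions values are the editor's assumptions based on Windows XP SP2-era conventions and may differ on newer Windows versions.

```powershell
# Added example (not part of the original article): reports whether a Windows
# machine has Automatic Updates and the built-in firewall turned on.
# Registry locations are assumed from the Windows XP SP2-era layout.

function Get-AutoUpdateState {
    # A Group Policy setting, when present, overrides the Control Panel setting.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $local  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

    $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    if ($p -and $p.NoAutoUpdate -eq 1) { return 'Disabled by policy' }

    # Prefer the policy value; fall back to the user-configured value.
    $opt = if ($p -and $p.AUOptions) { $p.AUOptions }
           else { (Get-ItemProperty -Path $local -ErrorAction SilentlyContinue).AUOptions }

    switch ($opt) {
        1       { 'Disabled (never check for updates)' }
        2       { 'Notify before download' }
        3       { 'Download automatically, notify before install' }
        4       { 'Download and install automatically (recommended)' }
        default { 'Not configured (treat as disabled)' }
    }
}

function Get-FirewallState {
    # Per-profile on/off flag kept by the Windows Firewall service.
    # PublicProfile only exists on later Windows versions; missing keys are skipped.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $v = Get-ItemProperty -Path "$base\$profile" -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            [pscustomobject]@{ Profile = $profile; Enabled = ($v.EnableFirewall -eq 1) }
        }
    }
}

Write-Host "Automatic Updates: $(Get-AutoUpdateState)"
Get-FirewallState | Format-Table -AutoSize
```

Anything other than "Download and install automatically" for updates, or a profile reporting Enabled = False, is the exposed state the article describes for home machines.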

"Auto update is excellent for the home user, the small networks and the mom-and-pop companies, the ones without the expertise," said Mikko Hypponen, anti-virus research manager at F-Secure Corp.

Of the nearly 200 million downloads of the patch that averts Sasser, three-quarters came through the auto-update tool, said Stephen Toulouse, a security program manager at Microsoft.

Toulouse said automation becomes increasingly critical because virus writers are developing exploits much more quickly after a vulnerability is announced. What used to take months or years now takes weeks, experts say.

Nonetheless, most security experts discourage larger corporations from allowing automated updates. Rather, they say, companies should test patches first.

Bruce Schneier, chief technology officer with Counterpane Internet Security Inc., said home users are less likely to have problems with automated updates because they tend to keep default configurations with which Microsoft already had tested patches.

But home users are not immune, experts say.

Because many users still run pre-XP versions of Windows, Microsoft can reduce but not eliminate Sasser and other network worms, which spread without a user having to click on an e-mail attachment, said Russ Cooper, a senior researcher at TruSecure Corp.

And patches do little to stop viruses that rely not on Windows flaws but on human behavior - the clicking of an attachment to start a process built into Windows by design.

"We can only protect so much with auto update," Cooper said. "The rest of the way, it's them not sticking their hands into the meat grinder."

On the Net:

http://www.microsoft.com/security/protect/default.asp