Only then do the hackers and virus writers learn about the security hole and how it works — by studying Microsoft’s patch. The problem is that it takes weeks or months for Microsoft’s patch to get distributed to all those millions of customers. (Three weeks after Microsoft releases a patch, only half of all PC users have installed it, according to an expert interviewed by PC World.) The hackers simply beat Microsoft’s fix to your PC’s front door.
The painful part is that Windows XP already contains a mechanism for installing Microsoft’s patches the very day they become available. It’s called Automatic Updates, and it’s an icon in your Control Panel. But at least until Service Pack 2 came along, far too few people had Automatic Updates turned on.
In this month’s PC World magazine, a brilliantly conceived article tracks the life cycle of the Sasser worm that caused millions of dollars of damage last May. Sure enough: a well-meaning researcher found a weakness in Windows and told Microsoft about it. Microsoft released a patch, complete with technical details, which allowed an 18-year-old in Hannover, Germany, to write a worm that exploited the hole.
But before the masses install that patch, “reports of the worm’s impact fly in: Operations have been disrupted at companies like Goldman Sachs and British Airways. Computers in half of Taiwan’s post offices have been infected.
The magnitude of the worm’s disruption is staggering: 5000 computer systems and associated X-ray equipment at a hospital in Lund, Sweden, stop responding; 1200 PCs at the European Commission headquarters in Brussels cannot get online; and Sun Trust bank and American Express in the United States lose Internet connectivity entirely for several hours.”
The article poses two important questions. First of all, it took Microsoft six months to write the patch that fixed the Sasser hole. Six months!? Man, it wouldn’t have taken six months if Microsoft weren’t a monopoly, I’ll wager.
Second, this may sound slightly insane, but should Microsoft really be fixing these obscure holes at all? Think about it: the virus writers would never even have known about the hole if Microsoft hadn’t patched it! As the PC World article puts it, “You have to wonder whether this cure is worse than the disease.”
So what’s the answer? (It’s probably a bit much to suggest that corporations switch over to, for example, the Macintosh, for which not a single virus or worm has yet surfaced.)
Microsoft has pinned its hopes on Service Pack 2, which closes dozens of holes, reinforces hundreds of weaknesses, turns on the Windows firewall, makes it harder for amateurs to open up e-mail attachments, and waves bright orange flags in front of your face if you don’t have Automatic Updates turned on.
Even that’s not a perfect solution, though; some of my Windows-geek friends actually leave Automatic Updates turned OFF, so that they can research the reliability of each new Microsoft patch before they install it. (For anyone who’s not a computer professional, though, I think that’s too much homework. Leave Automatic Updates turned on, so you don’t wind up forgetting to install a patch and becoming the victim of the next Sasser.)
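If you want to know which camp your own PC is in, here is an added check (my own, not part of the original column or of PC World’s article). The PowerShell function below reads the registry values behind the Automatic Updates setting and reports whether updating is actually switched on, taking into account that a Group Policy setting overrides the Control Panel one and that a disabled update service defeats either. It assumes a Windows host with PowerShell installed (XP needs it added separately; later versions ship it) and uses only the documented Windows Update and service registry keys; the function name is an assumption of mine.

```powershell
# Added example, not from the original column: report the effective
# Automatic Updates setting by reading the registry directly.
# Assumes Windows PowerShell on a Windows host; the key paths and
# AUOptions meanings are the documented Windows Update ones.

function Get-AutomaticUpdatesStatus {
    # A Group Policy (or WSUS-managed) value overrides the Control Panel value.
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $localKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'

    # Documented meanings of the AUOptions DWORD.
    $meanings = @{
        1 = 'Disabled (never check for updates)'
        2 = 'Notify before download'
        3 = 'Download automatically, notify before install'
        4 = 'Download and install automatically on a schedule'
        5 = 'Automatic, local administrator may change the setting'  # policy-only value
    }

    $source = $null
    $value  = $null

    if (Test-Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        # NoAutoUpdate = 1 is the policy way of turning the feature off entirely.
        if ($p.PSObject.Properties['NoAutoUpdate'] -and $p.NoAutoUpdate -eq 1) {
            $source = 'GroupPolicy'; $value = 1
        } elseif ($p.PSObject.Properties['AUOptions']) {
            $source = 'GroupPolicy'; $value = [int]$p.AUOptions
        }
    }

    if ($null -eq $value -and (Test-Path $localKey)) {
        $l = Get-ItemProperty -Path $localKey -ErrorAction SilentlyContinue
        if ($l.PSObject.Properties['AUOptions']) {
            $source = 'ControlPanel'; $value = [int]$l.AUOptions
        }
    }

    # Service start type: 2 = automatic, 3 = manual, 4 = disabled.
    $startType = $null
    if (Test-Path $serviceKey) {
        $s = Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue
        if ($s.PSObject.Properties['Start']) { $startType = [int]$s.Start }
    }
    $serviceUsable = ($null -ne $startType) -and ($startType -ne 4)

    if ($null -eq $value) {
        # On XP this usually means the feature was never configured; newer
        # Windows versions may manage updates without writing this value.
        return [pscustomobject]@{
            Source = 'None'; AUOptions = $null; Meaning = 'AUOptions not set'
            ServiceStart = $startType; Enabled = $null
        }
    }

    [pscustomobject]@{
        Source       = $source
        AUOptions    = $value
        Meaning      = $meanings[$value]
        ServiceStart = $startType
        # "Enabled" here means updates are at least being fetched and the
        # service that fetches them is not disabled.
        Enabled      = ($value -ge 2) -and $serviceUsable
    }
}

Get-AutomaticUpdatesStatus | Format-List
```

Run it from an elevated prompt on the machine in question; an `Enabled` of `False` with `Source` of `GroupPolicy` means a domain or WSUS administrator, not the Control Panel, is the one who switched updating off.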
For now, then, we’ll have to hold our breath and hope that the Service Pack solution turns out to be successful. But really, now: if the world’s best and brightest minds do indeed work at Microsoft, it’s a little distressing to see them outsmarted by a teenager from Germany.