Microsoft Monitor Weblog A Jupiter Research Business Weblog
 
Jupiter's Microsoft Monitor Research Service helps vendors prepare for market opportunities created by new Microsoft initiatives. In addition, Microsoft Monitor helps business and enterprise users discover which strategies are most successful in dealing with Microsoft and how to best exploit the customer relationship. The Microsoft Monitor Weblog is a companion to Jupiter's Microsoft Monitor Research Service and provides additional news, analysis and insight relevant to the areas most important for Microsoft's growth in both the business and consumer marketplaces. The content on this Weblog is often based on late-breaking events whose sources are deemed to be reliable. The insight and recommendations represent Jupiter's initial analysis. As a result, our positions are subject to refinements or major changes as Jupiter analysts gather more information and perform further analysis. Feedback is welcome at mm@jupitermedia.com.

September 11, 2003
Microsoft's Security Catch-22

Apparently, Microsoft is considering changing Windows Automatic Update so that it truly automatically downloads and installs patches and security fixes. Right now, users must opt-in for automatic downloads and are prompted before installation. I can understand why Microsoft is considering such a change. After all, one reason Blaster spread so fast and far is that too many consumers or businesses failed to download and apply a security fix. Not only Microsoft but also the Dept. of Homeland Security issued a warning about the flaw eventually exploited by Blaster. The warnings were not enough, apparently.

I view such a response as reactionary and not necessarily appropriate to fixing the problem. My concern: The cure could be worse than the problem. Businesses are often reluctant to rapidly install patches without first checking for compatibility problems. Consumers have every reason to be concerned about compatibility, too.

I'll use myself as an example. Since applying the recent barrage of security patches, I've started to observe some very strange computer behavior. At first, I suspected a virus, worm or spyware. But after a thorough check of my updated Windows XP PCs, I have found none. So, I suspect the patches and changes they may have made to Windows' networking plumbing.

Example: I can no longer send e-mail over Jupiter's corporate network when connected by VPN. The messages simply won't send with Outlook, which warns of a server error. This problem developed almost immediately after Jupiter fought back Blaster and SoBig and I applied new security patches. I can send e-mail just fine on a Mac.

Another: Yesterday, I set up a Microsoft broadband router. The process took two hours instead of the expected 5 minutes. I would get near the end of the process and see a hang-up every time. On two computers. In the end, I began to wonder if the problem was Windows networking related to recent security patches. So I went to my wife's PC, which hadn't been updated in about two months. Setup took the expected 5 minutes. Then I downloaded 27 patches to bring her PC up-to-date.

So, recent security patches give me cause for concern. I suspect them of causing these and other problems. That makes me rather cautious about automatic updates.

On the other hand, my wife's PC is a good example of the kind of problem Microsoft wants to solve with automatic updates. I had set the computer to automatically download updates, but my wife wasn't installing them. If not for the firewall in my router, Blaster almost certainly would have invaded her PC.

Still, I don't think automatic updating is the answer, without some kind of opt-in. Microsoft doesn't need privacy wonks beating on it along with the security hecklers. If the company does nothing, it will get blamed. If it does something, it could still get blamed.

One idea would be to have an opt-in for a fully automatic update service. Symantec does this through Norton Antivirus' Live Update feature, which can be set to check for updates and download them without user intervention. The customer chooses to use this fully-automated mechanism. Microsoft's risk: Those pesky compatibility problems. Microsoft's challenge will be weighing customer dissatisfaction and potential privacy complaints against improved security.

That said, I have to wonder if Microsoft's possible solution of fully automatic updates isn't a way of passing a portion of the security problem onto customers.

Posted by Joe Wilcox at September 11, 2003 03:03 PM