By Jonathan Yarden
Microsoft has traditionally tried to centralize the software update procedure for Windows. A number of reasons probably exist for this practice, from Microsoft's desire to retain control over the process of applying service packs to concerns about service packs becoming compromised and redistributed.
From the corporate user's perspective, updating Windows isn't always a simple procedure. Even though Internet Explorer includes a direct link to Windows Update, many companies instruct users not to update Windows in this manner.
In addition to concerns regarding compatibility problems between Windows service packs and other software, there's the issue of manually updating hundreds or even thousands of computers in an enterprise. With Microsoft's Software Update Services (SUS), the process of updating Windows 2000 and XP systems becomes a lot simpler for corporations. But what about everyone else?
Although I'm a frequent critic of Microsoft, Software Update Services is certainly a step in the right direction. But I still have more questions than answers.
The license agreement for SUS doesn't specifically note whether ISPs can install and use SUS for their customer base. SUS also doesn't address the ever-present problem of dial-up Internet users not wanting to spend hours online downloading service packs, nor is there any mention of whether ISPs can provide CD-ROMs with Windows service packs to customers.
It's a simple fact that the timely application of service packs for Windows improves security—not just for individual computers using the Internet, but for the Internet as a whole. Corporations using Windows usually have firewall systems already, so they aren't generally a significant source of wide-spread Internet problems.
Vulnerable and exploited Windows systems on broadband networks still remain the single largest threat to Internet security. Hijacked systems menace the entire Internet with distributed denial of service attacks, and compromised Windows systems are probably the single largest source of junk e-mail. A few weeks ago, a Polish company boasted that it has direct control of more than 400,000 compromised computer systems, all of which were open to exploitation because of failure to apply software updates.
When Microsoft announced its Software Update Services, which is basically a localized version of Microsoft Windows Update, one of my first questions was whether ISPs would be able to make use of this service and how they could manage it. Basically, Software Update Services consolidates service packs and critical updates locally, and it allows administrators to prioritize and push software updates to computers using the SUS client program.
This approach makes perfect sense for a corporate environment, where an IT department is responsible for the computer systems. But forcing updates on customers isn't something that many ISPs can do. However, SUS provides the same functionality as Windows Update, and it's accessible using a Web page in a similar manner.
While I applaud Microsoft for finally releasing a tool to decentralize software updates for Windows, I question whether SUS will address the vast majority of compromised and vulnerable Windows systems, which aren't on corporate networks. As of the writing of this article, Microsoft hasn't answered the question of whether ISPs will be able to use SUS for their customers.
Since there are probably several million compromised Windows systems on broadband networks worldwide, I hope ISPs will be able—and even encouraged—to use Software Update Services on their networks.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.