Enhancement of PC Security Through Microsoft's Software Update Service

In August 2003, the MS Blaster worm got through a known security loophole in Microsoft Windows and attacked millions of computers around the world, resulting in an enormous economic loss. Actually, this disaster could have been avoided if users had applied the security patch MS03-026 released a few months before the attack. However, many users might be too busy to perform Windows Update on time, or hoped that they could luckily survive in the attack.

The damage of the MS Blaster worm was minimal on campus as we only received a few infected cases. However, this did not mean that our users had applied the required security patch beforehand. Actually, the protection came from the virus management system, the Mcafee ePolicy Orchestrator (ePO), which was implemented in year 2002. What will be the consequence if a new worm makes use of the same security loophole to launch an attack later? Obviously, the ultimate solution to this problem is to fix the security loophole by applying Microsoft's security patch. That is why we frequently remind users to perform Windows Update through network announcements. This important operation is simple and usually takes only a few minutes to complete. Unfortunately, according to our collected information, the machines connected to the staff LAN have missed almost 10,000 Microsoft patches and this figure will increase significantly with newly discovered bugs. How bad is the situation? To be pessimistic, more than 1,000 machines are doomed to be attacked by hacker, viruses, and so on. As a result, our campus network is in danger. Therefore, the CSC sees the urgent need to perform Windows Update compulsorily and automatically to reduce the risk of attack and virus infection.

After studying Microsoft's Software Update Service (SUS) product for some time and inviting some departments to participate in the pilot run, we decided to deploy SUS in delivering critical patches to our staff LAN machines (PCs belonging to the CITYUMD domain). Starting from 1 March 2004, all staff LAN machines will automatically download and install newly released or missing critical Windows Updates from our central SUS server. The downloading process will start within a specified time frame, depending on the PC and network conditions. The installation process will be initiated at 1 p.m. everyday. For those PCs which have missed the previous schedule, the installation process will be initiated within 15 minutes after their reboot. When it is done, users may be asked to reboot the machines to make the patch effective. They may decide the most convenient time to reboot their machines, though immediate reboot is recommended.

By the time of publishing this article, the number of missing patches has been greatly reduced by around 90%. The condition will be improved further if machines with outdated Service Packs can be upgraded to the latest versions and machines running Windows 2000 can be upgraded to Windows XP SP1.

Nevertheless, both the ePO and SUS are supplementary tools to help users protect their PCs. It still relies on the users to employ these tools, for example, by following the recommended security practice and ensuring that the patches have been successfully installed. They should note that: