Microsoft Sending Security Patches on a CD

In a bid to target a security hurdle rampant with dial-up Internet users, Microsoft has rolled out a security update CD giveaway for users of Windows XP, Windows Me, Windows 2000, Windows 98, and Windows 98 Second Edition (SE).

The Windows Security Update CD will ship with all of its “critical” patches released by the software giant through October 2003 and free anti-virus and firewall trial software.

The launch of a CD giveaway with security patches is part of Microsoft’s attempts to reach an elusive target: home users on dial-up Internet connections. In the past, narrowband home users have been unable to download and install security patches because of bandwidth limitations.

In a recent interview, Microsoft security program manager Christopher Budd told that the file size and complicated nature of security patches were a “definite hurdle” for dial-up users. “It’s an intractable engineering problem.”

In January this year, Microsoft was forced to release a stripped-down removal tool for the destructive Blaster virus after research showed that home users (mostly on narrowband connections) had been tardy about applying a patch that had been available for several months.

That tool was released as a 317 KB download (about three minutes for dial-up connections) and was designed specially for home users who were still infected and were actively transmitting the Blaster virus.

Security analysts have long called for the company to consider shipping free CDs with security patches to deal with the narrowband conundrum. Microsoft believes that improvements to the patch design process coupled with increased broadband penetration in the U.S. will improve the patch application ecosystem.

However, the latest statistics from Jupiter Research show that only about 30 percent of U.S. households have migrated to high-speed connections. That number is expected to jump to about 40 percent by 2008.

While conceding that continued broadband penetration would help solve the problem, Gartner’s technology security analyst, John Pescatore, said he believes Microsoft should consider shipping free CDs with its Windows XP Service Pack 2.

“When they put out the next service pack for Windows XP, that’s probably something they should be giving out on CDs. There’s no way you can expect every dial-up home user to download that service pack,” Pescatore said in a recent interview.

“If home users were downloading every incremental patch release, it won’t be that big a deal for dial-up users. But, the reality is that they download the patches once a year or when a big alert reaches the mainstream media and then you’re looking at tens of megabytes of patches,” Pescatore added.

On bulletin boards and discussion forums Wednesday, Windows users welcomed the free CDs but lamented the fact that “critical” updates issued after October 2003 were not included. That means that several major patches issued during the last four months would still have to be downloaded from the Internet.

“Microsoft has a responsibility to update these free CDs with the latest patches. Now that they’re releasing patches on a monthly cycle, they should make sure that all the patches are included in the CDs. It’s not that hard to do,” one Windows user posted to a security-themed message board.

Separately, Microsoft rolled out a new Security Guidance Center aimed at helping IT administrators and developers plan and manage a corporate security strategy. Members of the Security Guidance Center will have access to technical guidance, tools and training on a range of security-centric topics.

Microsoft is also giving away a Security Guidance Kit CD with tools, templates, roadmaps and how-to guides. “The kit is designed to help you implement measures like automating security patch installation and blocking unsafe e-mail attachments to help your organization stay protected,” the company said.

Ryan Naraine
Ryan Naraine is an eSecurity Planet, ServerWatch, and eWEEK contributor.
