The ability of the MSBlast worm to spread has underscored the view that today's methods of patching security flaws, while necessary to lock down specific computers, are too time-consuming to react to critical vulnerabilities. The result has been that the MSBlast worm, which by most accounts is poorly programmed, has quickly propagated across the Internet.
The worm has infected at least 100,000 computers and has caused internal disruptions for many companies and Internet service providers.
The University of Florida, for instance, has had hundreds of systems infected due to a compromised PC connected to its network via a dial-up line. The incident happened despite a broad initiative by the school to lock down its systems with patches, said Jordan Wiens, a network security engineer for the university.
"It's simply not as easy (to patch) as people would like, given the resources of many small departments," Wiens said.
Microsoft has attempted to step up user education and automation to convince more consumers and enterprise customers to update their systems with the latest patch for this security flaw. However, the efforts have still left many PC users in the dark about their computers' insecurities.
The Computer Emergency Response Team (CERT) Coordination Center has found that as many as 1.4 million unique Internet addresses appear to be the sources of infections on the network. The number is likely inflated by dial-up and broadband users who receive a different address every time they connect to their provider's network.
Security firm Symantec offered a more conservative number, based on its intrusion detection network. It found that more than 100,000 computers appear to have been infected in the past 36 hours.
The lesson: Patching can't be relied on to keep computers secure.
"There is no one single answer," said Stephen Toulouse, security program manager for Microsoft. "We encourage defence-in-depth, but we also encourage customers to deploy the patch."
Only about 50 percent of Windows computers have had the patch applied in the last month, a fairly typical representation, said Gerhard Eschelbeck, chief technology officer for vulnerability assessment firm Qualys.
"We are already seeing the number of systems that are vulnerable on the Internet trailing down," he said.
In a study announced in July, Qualys found that half of all vulnerable systems are patched in the first month after a fix is available.
Home users typically patch their systems least often, said Jack Bates, network engineer for Internet service provider BrightNet Oklahoma. He estimated that as much as 20 percent of BrightNet's user base had been infected.
"Home users do not actively keep up with Windows Update," he said. "Some are not even aware that it exists."
Instead of relying on its clients to patch their systems, the regional ISP has blocked traffic to the vulnerable software addresses, or ports, and e-mail alerts will be sent to infected users. "This will require extensive man-hours of our personnel as well as our customer's time," he said.
Companies often do not patch their systems immediately, because they need time to test the fixes, said Brian Burns, manager of security operations for network device maker NetScreen.
"Microsoft patches don't receive enough QA (quality assurance) as they should," he said. "There have been times that a patch has been applied and then the administrator has to spend hours rolling it back, because it has crashed the machine."
Until companies start thinking about network security when designing their infrastructure, patching will be a difficult task, Qualys's Eschelbeck said.
"For the next four years, we are going to be stuck where we are now, because we have to pay for the sins of the past," he said.
Another problem with software patches is that they sometimes modify business applications in unexpected ways, said Rick Beers, director of supply chain technology at Corning, Inc., a US$6 billion manufacturing company based in Corning, New York.
That calls for a better explanation from technology makers of what might be unintended consequences of installing patches. "Other than a magic technology solution, the only solution is much more thorough documentation from the vendor," Beers said.
News.com's Mike Ricciuti contributed to this report.










what can I say?
apt-get upgrade
:)