Windows Upgrade Causing Campus Headaches

Forwarded from: William Knowles

http://www.washingtonpost.com/wp-dyn/articles/A26111-2004Aug23.html

By Brian Krebs
washingtonpost.com Staff Writer
August 23, 2004

Microsoft Corp.'s decision to release a major upgrade for its flagship operating system in the same month that hundreds of thousands of students are reporting to college campuses across the nation is causing a major headache for the higher education community.

The upgrade, known as Service Pack 2, is designed to patch numerous gaps in Windows XP, the operating system of choice for an estimated 200 million computer users worldwide. The free update includes safeguards against spyware and viruses, a hardened Internet firewall to keep out hackers and upgrades to automate security features and better alert users to security risks on their personal computers.

Worried that the upgrade could conflict with other applications running on university networks, and a related concern that thousands of students attempting to download the software could bring campus computer networks to a standstill, technology administrators at some universities have taken steps to block an automatic service that downloads the software.

"The timing is extremely unfortunate," said Anne Agee, deputy chief information officer at George Mason University in Fairfax, Va., whose school is blocking automatic installation of SP2 on all faculty and staff computers because the update interferes with software that the university uses to run faculty PCs.

"It wouldn't be so bad if we had gotten this more than a month ago, because at least then we would have had plenty of time to test it and make a decision about how we want to correct for this," Agee said.

An extremely large file that could slow networks to a halt if too many students download it at the same time, SP2 also contains code that interferes with popular firewall and antivirus programs that many people run on their computers, according to Microsoft.

Although Windows XP is configured by default to automatically download the latest patches from Microsoft -- a process that the company turned on last week -- schools like George Mason are taking advantage of a Microsoft tool that prevents it from happening.

Alan Paller, research director at the SANS Institute in Bethesda, said the backlash from schools is somewhat justified.

"The idea that the technology people at these schools view this update as a threat to their operations is absolutely accurate, as most of these folks consider forced security upgrades a threat to [network] reliability and uptime," he said. "This is really a problem of Microsoft's own design -- not just because of its timing -- but also because they delivered such unsafe computers in the first place."

While students and faculty can still manually obtain the SP2 download, blocking the automatic distribution seriously hampers one of the primary tools Microsoft is using to roll out the security fixes included in SP2.

Meanwhile, classes at George Mason start the week of August 30, and university officials are still debating whether to block students from installing the upgrade.

For the time being, Catholic University in Washington, D.C., has decided to block downloads of SP2, according to chief information officer Zia Mafaher. A hundred miles to the south, officials at the University of Richmond made the same decision.

"Microsoft's timing really couldn't have been worse for us," said Chris Faigle, a security administrator at the school, where classes start today. "For the faculty and students, we simply won't be able to handle all of the additional issues that would almost certainly come up in addition to just getting the students registered on the network."

Other schools across the country are taking similar action.

The University of Notre Dame in South Bend, Ind., for example, will bar its 10,000 students from installing SP2 until it finishes testing the program on its network, said Gary Dobbins, the school's director of information. "[We] didn't want SP2 to land on machines here at the same time the students descend on the campus."

The University of Michigan's medical school is blocking campus computers from automatically downloading the Microsoft update, choosing instead to deploy the fix using its own internal computer servers.

"Our primary concern is the impact this will have on our network and the length of time it would take to get from Microsoft directly," said Damon Palyka, a computer security technician at the school.

A number of schools that have built systems to register computers on their network plan to periodically probe student PCs to ensure they contain the latest antivirus updates and Microsoft security patches. But SP2 can interfere with those automatic inspections since it turns on the Windows firewall, said Jack Suess, chief information officer at the University of Maryland Baltimore County.

So UMBC plans to bar computers owned by its 4,000 students from automatically downloading the update until the school is ready to roll out its own tweaks.

"We estimate that between 5 to 10 percent of the student population will have pretty serious problems after installing this update and will require help from us," Suess said. "Add that to inquiries from faculty and staff and allowing this go forward at move-in time could be a real challenge."

Microsoft had already delayed a scheduled July release of SP2 so it could fix several other kinks in the upgrade. The company did not want to push the release date back again because of the chance that another severe Internet attack could occur in the meantime, said Matt Pilla, Microsoft's senior product manager for Windows.

Averting Another Blaster

Computers running Windows XP that are not updated with SP2 will be more susceptible to catching and spreading Internet worms and viruses on the school networks, even in the short span of time it takes to download and install the latest updates.

Computer security experts and Microsoft are anxious to avoid a repeat of last August, when computers owned by hordes of college students arriving for the start of the fall semester were infected en masse by the "Blaster" and "Welchia" worms. The worms generated so much Internet traffic that some schools were forced to temporarily kick thousands of students off their networks.

Those schools spent much of the last year designing and testing homegrown computer applications to ensure that students and faculty have protections in place on their PCs before they can hook back up to the networks, said Rodney Petersen, security task force coordinator for EDUCAUSE, an information technology association for colleges and universities. The last thing they want, he said, is to introduce a gigantic package of software onto their systems without conducting extensive testing first.

Not all schools are so worried. American University in Washington, the University of Virginia in Charlottesville and the College of William and Mary are encouraging students to install the upgrade as soon as possible.

"I think some schools are being somewhat unnecessarily paranoid about this," said Carl Whitman, American's executive director of e-operations. "At this point, the bad stuff on the Internet is getting pretty out of hand and we need whatever help we can get."

Georgetown University will not block Service Pack 2 downloads either, said spokeswoman Laura Cavender.

Elsewhere, schools such as Brown University in Providence, R.I., and Davidson College near Charlotte, N.C., are advising students to hold off installing SP2 for a few weeks, but are not stopping them from doing so.

Dan Updegrove, vice president for information technology at the University of Texas at Austin, said his school is advising students to get the update.

"We want to get it out there as fast as we can," Updegrove said. "The idea of telling our students to install a patch to block this other patch -- and then in the event that an Internet attack that would have been prevented by SP2 surfaces telling them to then please delete the install anti-patch patch - that strikes me as a little absurd."

Hurdles to the CD-ROM Solution

Several schools, including Brown and George Mason, planned to circulate SP2 on CD-ROMs, a move that would allow students to install the upgrade without connecting to the Internet. Microsoft, however, last week sent a letter to those schools warning them against duplicating and distributing the patches without buying an expensive license that includes the right to install Microsoft programs on student PCs.

"It is a definite possibility that an enterprising hacker hoping to harm companies, campuses or personal assets could compromise the integrity of a disk that has not been created by an Authorized Replicator," Microsoft wrote. "As a result, Microsoft must take special precautions when it comes to security updates and how they are distributed."

Distributing the service pack via CD-ROM, according to EDUCAUSE, could help schools speed up installs and diminish the chances of campus-wide Internet sluggishness caused by thousands of student PCs downloading the update simultaneously; downloading and installing SP2 can take anywhere from one to three hours with a high-speed Internet connection.

Microsoft has agreed to give schools one service pack disk for every 50 students on campus, with extra disks costing 32 cents each. Microsoft said it has received orders for the CD-ROM from approximately 60 institutions, and that nearly 100,000 CD-ROMs have already been shipped to schools nationwide.

Some schools, including American University, will not receive them for another two weeks, though Microsoft said it expects to ship any ordered discs within five to 12 business days.

"For the vast majority of institutions that have students returning this week, that's too little too late," said EDUCAUSE's Petersen.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/