Patches Could Have Lessened Latest Worm

Sasser's spread began to stabilize Tuesday, but not after infecting hundreds of thousands of computers since Friday by exploiting a known Windows flaw for which Microsoft issued a software patch three weeks ago.

Twenty British Airways flights were each delayed about 10 minutes Tuesday due to Sasser troubles at check-in desks, while British coastguard stations used pen and paper for charts normally generated by computer.

On Monday, the worm hit public hospitals in Hong Kong and one-third of Taiwan's post office branches. Major corporations around the world also were infected.

Home users were particularly hit hard, computer security experts say, because they generally lack the know-how to install patches and tend not to have the firewalls needed to keep Sasser from spreading to other computers via the Internet.

Late this summer, Microsoft plans to introduce a Windows XP update that would turn on a built-in firewall and automatically obtain and install security patches regularly. Microsoft is currently testing the update.

For now, computer users must manually turn such settings on , through "System" or "Automatic Updates" in Windows' Control Panel, or they must periodically check the company's Web site for new patches.

Where many had not, Sasser exploited the Windows flaw.

"Auto update is excellent for the home user, the small networks and the mom-and-pop companies, the ones without the expertise," said Mikko Hypponen, anti-virus research manager at F-Secure.

Of the nearly 200 million downloads of the patch that averts Sasser, three-quarters came through the auto-update tool, said Stephen Toulouse, a security program manager at Microsoft.

Toulouse said automation becomes increasingly critical because virus writers are developing exploits much more quickly after a vulnerability is announced. What used to take months or years now takes weeks, experts say.

Nonetheless, most security experts discourage larger corporations from allowing automated updates. That's because such companies tend to have special computer configurations that may pose conflicts. Rather, they say, companies should test patches first.

Though such conflicts are rare, "if you happen to be one of those people ... then you're going to cry foul," said Jimmy Kuo, a security fellow at Network Associates.

Hypponen said one bank hit by Sasser had rejected the patch because it did not work properly with custom software.

Because many of the updates require computers to reboot, some financial institutions can only schedule changes for mission-critical computers once or twice a year, said Chris Rouland, vice president of the X-Force research team at Internet Security Systems.

Bruce Schneier, chief technology officer with Counterpane Internet Security, said home users are less likely to have problems with automated updates because they tend to keep default configurations with which Microsoft already had tested patches.

But home users aren't immune, Rouland said.

For instance, he said, a patch to the Internet Explorer browser might change how users view Web sites, thus affecting how Web-based applications work.

The auto-update tool checks for all security patches for Windows and programs that ship with it, including Internet Explorer and the Outlook Express e-mail program.

Users can choose to be notified before any download or installation begins, but current plans call for the upcoming Windows XP update to skip those prompts by default. Users still would be notified of a need to reboot and have the option to delay it.

Owners of computers with Windows 2000 or ME will still have to turn on the auto-update tool manually. The tool is not available for older versions of Windows.

Because many users still run pre-XP versions of Windows, Microsoft can only reduce but not eliminate Sasser and other network worms that do not require user activation by clicking on an e-mail attachment, said Russ Cooper, a senior researcher at TruSecure.

And patches do little to stop viruses that rely not on Windows flaws but human behavior , the clicking of an attachment to start a process built into Windows by design.

"We can only protect so much with auto update," Cooper said. "The rest of the way, it's them not sticking their hands into the meat grinder."

Copyright © 2004 The Associated Press. All rights reserved. The information contained in the AP News report may not be published, broadcast, rewritten or redistributed without the prior written authority of The Associated Press.