Microsoft to Automate Windows Security

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, March 4, 2004; 6:41 AM

Microsoft Corp. plans to release a new version of its popular Windows XP software that automatically downloads and installs software patches onto personal computers, one of the company's most aggressive moves to promote Internet safety.

Starting in mid-2004, Windows XP customers will be able to download a new "service pack" that includes the automatic installation function. The software also will include a stronger Internet firewall, new protections against computer viruses and software that blocks Internet pop-up advertising.

The upgrade is meant to make security easier for the millions of home computer users who surf the Internet but are not computer security experts.

Security is not something most computer users think about unless there is a computer worm or other high-profile threat going around, said Neil Charney, Microsoft's director of Windows product management. With the upgrade, customers give their consent once and Microsoft will download and install patches for them, he added.

The software is one of the first fruits of the "secure computing" project that Microsoft Chairman Bill Gates launched in January 2002 in response to charges that the software maker was sacrificing security in favor of user-friendly features that hackers could easily exploit.

It is also designed to get security patches installed on Microsoft computers before hackers can figure out how to take advantage of software holes. Microsoft regularly releases software fixes for security flaws, but those same fixes can provide hackers with a blueprint for attack. Hackers usually figure out how to take advantage of a security hole within weeks after the patch is released -- and that time period is shrinking.

"The majority of users don't want to have to worry about changing a lot of settings and taking the enormous amount of time it takes to secure their systems," said Neel Mehta, a security researcher at Atlanta-based Internet Security Systems. "This is a far better approach than leaving it up to the end users to secure the operating system."

Thor Larholm, senior security researcher at PivX Solutions in Newport Beach, Calif., said the changes were long overdue. "I think people would have seen Microsoft in a much better light if they had done some of these things years ago."

Microsoft's latest attempt to promote heightened Internet security among individual Internet users -- most of them not computer experts or even computer-literate -- illustrates a perpetual dilemma with no easy answers.

Even the strongest security feature cannot prevent curious computer users from opening virus-laden e-mail attachments disguised as free games, naked supermodel photos or even security updates. Nearly all of the past year's most destructive viruses and worms -- including the "Sobig.F" and recent "Mydoom" worms -- succeeded because so many people clicked on the attachment and inadvertently spread the infection to friends, family, co-workers and business contacts.

As a result, new versions of Windows XP will prevent people who use Microsoft's Outlook and Outlook Express e-mail software from opening suspicious attachments. Instead, they will have to save the attachments to their computer hard drives before opening them.

"We don't want to put customers in a situation where they have to make a decision of trust when they don't have all the information they need to make that choice, so [with e-mail attachments] we're just not letting it happen," said Mike Nash, corporate vice president of Microsoft's security business unit.

Microsoft also will configure its Internet Explorer Web browser to block "pop-up" ads and messages. Nash said pop-up ads present a heightened security threat as fraudsters use them to install harmful programs and "spyware," software that lets hackers monitor computer keystrokes and look at whatever the legitimate computer user is viewing.

The Windows XP upgrade will contain a new version of its firewall designed to block spyware and other programs from transmitting information out of the user's computer without permission. Unlike in previous versions of Windows, the new firewall will be turned on automatically.

Most worms spread from one vulnerable computer to the next without any action by the user. Having the firewall on by default means even users who have not downloaded the latest security patches should be insulated from Internet worms. E-mail worms would still be able to infect unprotected users if they click on a virus-laden attachment, but in most cases a firewall will prevent the infected PC from spreading the virus to other computers.

Nash said Microsoft is examining ways to prevent hackers from interfering with the automatic update system. The second variant of the "Mydoom" worm, for example, blocked infected computers from downloading patches and communicating with Microsoft's automatic update Web site.


© 2004 Washingtonpost.Newsweek Interactive

