There’s an article over at New Scientist about a “new” technique Microsoft is looking at for delivering patches. Researchers are looking into distributing patches through a network similar to that of a worm. These ‘friendly’ worms would use advanced strategies to identify and ‘infect’ computers on a network, and then install the appropriate patches into that system.
On one hand, this looks like it may be a good idea. In theory, it reduces load on update servers, and it may help to patch computers that would otherwise go un-patched. Microsoft claims that this technique would spread patches faster and reduce overall network load.
Back in 2003, the now infamous Blaster worm was released. Blaster took advantage of a buffer overflow in Microsoft’s implementation of RPC. Once infected, the computer was set to perform a SYN flood attack against Microsoft’s update site, windowsupdate.com.
Shortly after the release of Blaster, a different sort of worm was released, Welchia. Welchia, like Blaster, took advantage of the RPC bug. Unlike Blaster, however, Welchia attempted to patch the host computer with a series of Microsoft patches. It would also attempt to remove the Blaster worm, if it existed. Finally, the worm removed itself after 120 days, or January 1, 2004.
Unfortunately, the overall effect of Welchia was negative. It created a large amount of network traffic by spreading to other machines, and downloading the patches from Microsoft.
The Welchia worm is a good example of what can happen, even when the creator has good intentions. So, will Microsoft’s attempts be more successful? Can Microsoft build a bullet-proof worm-like mechanism for spreading patches? And what about the legality aspect?
In order to spread patches this way, there needs to be some entry point into the remote computer system. This means a server of some sort must be running on the remote computer. Is this something we want every Windows machine on the planet running? A single exploit puts us back into the same boat we’ve been in for a long time. And Microsoft doesn’t have the best security track record.
Assuming for a moment, however, that Microsoft can develop some sort of secure server, how are the patches delivered? Obviously a patch-worm is released, likely from Microsoft’s own servers, and spreads to other machines on the Internet. But many users have firewalls or NAT devices between themselves and the Internet. Unless those devices are specifically configured to allow the traffic, the patch-worm will be stopped in its tracks. Corporate firewalls would block this as well. And what about the bandwidth required to download these patches, especially when we’re talking about big patches like service packs?
If the patch-worm somehow makes it to a remote computer, what validation is done to ensure its authenticity? Certificates are useful, but they have been taken advantage of in the past. If someone with malicious intent can hijack a valid session, there’s no telling what kind of damage can be done.
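The authenticity check the previous paragraph asks for, as an added example that is not from the article or from Microsoft: a patch handed over by a peer is accepted only if its signature verifies under a publisher key pinned on the receiving host, and only if it is newer than what is already installed, so the delivering peer is never the source of trust. The Patch format, the field names and the Ed25519 publisher key pair are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Patch is the hypothetical unit a peer hands over: a version counter, the
// payload and the publisher's signature over (version || payload).
type Patch struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

var ErrBadSignature = errors.New("signature does not verify against the pinned publisher key")
var ErrDowngrade = errors.New("patch version is not newer than the installed version")
// signedBytes is the exact message the publisher signs and the receiver checks;
// binding the version into it is what lets the receiver reject replays.
func signedBytes(version uint32, payload []byte) []byte {
	msg := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, payload...)
}
// SignPatch is the publisher side; the private key never reaches any peer.
func SignPatch(priv ed25519.PrivateKey, version uint32, payload []byte) Patch {
	return Patch{Version: version, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(version, payload))}
}
// VerifyPatch is the receiver side. Trust comes only from the pinned publisher key,
// never from the delivering peer: forgeries, tampering and downgrades are rejected.
func VerifyPatch(pinned ed25519.PublicKey, installed uint32, p Patch) error {
	if !ed25519.Verify(pinned, signedBytes(p.Version, p.Payload), p.Sig) {
		return ErrBadSignature
	}
	if p.Version <= installed {
		return ErrDowngrade
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key pair
	patch := SignPatch(priv, 2, []byte("constructed patch payload"))
	fmt.Println("genuine patch:", VerifyPatch(pub, 1, patch))
	patch.Payload = []byte("altered by a relaying peer")
	fmt.Println("tampered patch:", VerifyPatch(pub, 1, patch))
}
```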
How will the user be notified about the patch? Are we talking about auto-install? Will warning boxes pop up? What happens when the system needs to be rebooted?
And finally, what about the legal aspects of this? Releasing worms on the Internet is illegal, and punishable with jail time. But if that worm is “helpful”, then do the same rules apply? Network traffic still increases, computer resources are used, and interruptions in service may occur as a result.
All I can say is this: This is *my* computer, keep your grubby mitts off it.