Well, keep in mind that if they're online, Windows will notify them within 24 hours of its release that they need the patch, and will even go so far as to download it for them and pop up constant annoying speech bubbles in the bottom-right-hand corner saying that critical updates have been downloaded and are ready to install.
I do think home users should be updating every two weeks -- I make sure to check for updates at least once a week -- but just because I think they should doesn't mean that I actually expect them to. However, the automatic download of critical updates seems to be about as agressive as Microsoft can get for forcing people to keep up-to-date. If it weren't for automatic critical update download, I would not find this expectation reasonable, but when all people have to do is click "yes" and wait 5 minutes, my sympathy for them when they fail to update is reduced at least somewhat.
However, you're right that 4 weeks from vulnerability location to exploit use is a very short time. Usually it takes much longer.
Honestly, what was needed to prevent this from becoming widespread is not patching the vulnerability, but rather people not exposing their entire TCP/IP stack to the Internet. Anyone who runs a personal firewall will never even notice this worm's existence, and could run unpatched until the end of time with no adverse effects. The Internet has become so huge that leaving your computer openly on it is dangerous -- hell, it's so large at this point it has weather. A firewall (either on organization boundaries in the case of corporations, or personal firewalls on home systems) is imperative for safe operation these days -- and Windows XP has one built-in; you only have to turn it on. After things like this, I'll bet you that the next version of Windows has it turned on by default, and makes you turn it off if you don't want it.
I agree that it's too bad this affect Windows Server 2003. This has been there since NT 4.0 unnoticed.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
no subject
Date: 2003-08-12 08:29 pm (UTC)I do think home users should be updating every two weeks -- I make sure to check for updates at least once a week -- but just because I think they should doesn't mean that I actually expect them to. However, the automatic download of critical updates seems to be about as agressive as Microsoft can get for forcing people to keep up-to-date. If it weren't for automatic critical update download, I would not find this expectation reasonable, but when all people have to do is click "yes" and wait 5 minutes, my sympathy for them when they fail to update is reduced at least somewhat.
However, you're right that 4 weeks from vulnerability location to exploit use is a very short time. Usually it takes much longer.
Honestly, what was needed to prevent this from becoming widespread is not patching the vulnerability, but rather people not exposing their entire TCP/IP stack to the Internet. Anyone who runs a personal firewall will never even notice this worm's existence, and could run unpatched until the end of time with no adverse effects. The Internet has become so huge that leaving your computer openly on it is dangerous -- hell, it's so large at this point it has weather. A firewall (either on organization boundaries in the case of corporations, or personal firewalls on home systems) is imperative for safe operation these days -- and Windows XP has one built-in; you only have to turn it on. After things like this, I'll bet you that the next version of Windows has it turned on by default, and makes you turn it off if you don't want it.
I agree that it's too bad this affect Windows Server 2003. This has been there since NT 4.0 unnoticed.