Windows to remain security risk for years to come

TechWorld.com - LONDON -- Microsoft Corp.'s efforts to limit the ongoing damage from worms such as Blaster will not pay off for several years, according to security experts.
New Windows PCs will begin shipping with security switched on by default for the first time, with the release of Windows XP Service Pack 2 this summer, but it will take five or six years before such basic protections are common on the installed base of PCs, according to a Symantec Corp. executive.
Such unprotected PCs are increasingly being used to spread worms such as Blaster and junk e-mail, usually without the PC owner's knowledge; a recent Symantec survey found that a system will, on average, receive a Blaster-generated packet of data within one second of connecting to the Internet.
"The threat will reduce slowly as we start to have security more widespread," Nigel Beighton, Symantec's director of community defense, said. "The industry has learned it has to ship technology with security switched on. But right now there are millions of Windows 98 users still out there, there is still a huge number of legacy PCs around, and it will take five or six years for that situation to change."
Last week, Microsoft revealed that the various flavors of the Blaster worm had infected at least 8 million PCs since it first appeared in August, based on data from its Windows Update. Security experts say the company is doing the right thing by making Windows PCs secure by default, but say such steps are only a beginning.
A major problem contributing to the ongoing spread of Blaster, Welchia and similar worms is that new PCs are still shipped with the flaws that allow them to spread, such as the Remote Procedure Call (RPC) flaw exploited by Blaster, analysts said.
"The Microsoft operating system ships unpatched," said Thomas Kristensen, CTO of security firm Secunia. "If you go online with a broadband or dial-up connection to get the security updates, it's possible for Blaster to attack and infect your machine."
One solution would be for Microsoft or system manufacturers to add the security patches before selling a machine, but the decentralized, commodified nature of the PC industry would make this strategy difficult, experts said. "Retailers could offer a secured PC with the updates installed, but consumers could always go and find a PC with a lower price where you have to upgrade it yourself," said Beighton. "In a commodity market, the consumer will always look for a bargain."
Rather than try to keep OEMs around the world

Reprinted with permission from

For more enterprise technology news from the U.K., please visit TechWorld.com. Copyright 2006 IDG, all rights reserved.