Averting Another Blaster
Computers running Windows XP that are not updated with SP2 will be more susceptible to catching and spreading Internet worms and viruses on the school networks, even in the short span of time it takes to download and install the latest updates.
Computer security experts and Microsoft are anxious to avoid a repeat of last August, when computers owned by hordes of college students arriving for the start of the fall semester were infected en masse by the "Blaster" and "Welchia" worms. The worms generated so much Internet traffic that some schools were forced to temporarily kick thousands of students off their networks.
_____On The Web_____
Windows Update Site: The SP2 download is available from Microsoft's Web site.
Those schools spent much of the last year designing and testing homegrown computer applications to ensure that students and faculty have protections in place on their PCs before they can hook back up to the networks, said Rodney Petersen, security task force coordinator for EDUCAUSE, an information technology association for colleges and universities. The last thing they want, he said, is to introduce a gigantic package of software onto their systems without conducting extensive testing first.
Not all schools are so worried. American University in Washington, the University of Virginia in Charlottesville and the College of William and Mary are encouraging students to install the upgrade as soon as possible.
"I think some schools are being somewhat unnecessarily paranoid about this," said Carl Whitman, American's executive director of e-operations. "At this point, the bad stuff on the Internet is getting pretty out of hand and we need whatever help we can get."
Georgetown University will not block Service Pack 2 downloads either, said spokeswoman Laura Cavender.
Elsewhere, schools such as Brown University in Providence, R.I., and Davidson College near Charlotte, N.C., are advising students to hold off installing SP2 for a few weeks, but are not stopping them from doing so.
Dan Updegrove, vice president for information technology at the University of Texas at Austin, said his school is advising students to get the update.
"We want to get it out there as fast as we can," Updegrove said. "The idea of telling our students to install a patch to block this other patch -- and then in the event that an Internet attack that would have been prevented by SP2 surfaces telling them to then please delete the install anti-patch patch that strikes me as a little absurd."
Hurdles to the CD-ROM Solution
Several schools, including Brown and George Mason, planned to circulate SP2 on CD-ROMs, a move that would allow students to install the upgrade without connecting to the Internet. Microsoft, however, last week sent a letter to those schools warning them against duplicating and distributing the patches without buying an expensive license that includes the right to install Microsoft programs on student PCs.
"It is a definite possibility that an enterprising hacker hoping to harm companies, campuses or personal assets could compromise the integrity of a disk that has not been created by an Authorized Replicator," Microsoft wrote. "As a result, Microsoft must take special precautions when it comes to security updates and how they are distributed."
Distributing the service pack via CD-ROM, according to EDUCAUSE, could help schools speed up installs and diminish the chances of campus-wide Internet sluggishness caused by thousands of student PCs downloading the update simultaneously; downloading and installing SP2 can take anywhere from one to three hours with a high-speed Internet connection.
Microsoft has agreed to give schools one service pack disk for every 50 students on campus, with extra disks costing 32 cents each. Microsoft said it has received orders for the CD-ROM from approximately 60 institutions, and that nearly 100,000 CD-ROMs have already been shipped to schools nationwide.
Some schools, including American University, will not receive them for another two weeks, though Microsoft said it expects to ship any ordered discs within five to 12 business days.
"For the vast majority of institutions that have students returning this week, that's too little too late," said EDUCAUSE's Petersen.