Part of the problem is that a number of universities have built systems that periodically probe student PCs to ensure they contain the latest antivirus updates and Microsoft security patches. SP2 can interfere with those automatic inspections since it turns on the Windows firewall, said John J. Suess, chief information officer at the University of Maryland Baltimore County, which also is barring students from automatically downloading the update.
"We estimate that between 5 to 10 percent of the student population will have pretty serious problems after installing this update and will require help from us," Suess said. "Add that to inquiries from faculty and staff, and allowing this to go forward at move-in time could be a real challenge."
Microsoft said it chose to release SP2 when it did in part to avoid a repeat of last August, when computers owned by hordes of college students arriving for the start of the fall semester were infected en masse by the Blaster and Welchia worms. The worms, which took advantage of vulnerabilities in Microsoft software, generated so much Internet traffic that some schools were forced to temporarily kick thousands of students off their networks.
Some schools are encouraging their students to patch their systems. American University in Washington, Georgetown University, the University of Virginia in Charlottesville and the College of William and Mary are encouraging students to install the upgrade as soon as possible.
"I think some schools are being somewhat unnecessarily paranoid about this," said Carl Whitman, American's executive director of e-operations. "At this point, the bad stuff on the Internet is getting pretty out of hand, and we need whatever help we can get."
Several schools, including Brown University and George Mason, planned to circulate SP2 on CD-ROMs, a move that would allow students to install the upgrade without connecting to the Internet. Distributing the service pack via CD-ROM, according to Educause, an information technology association for colleges and universities, could help schools speed up installations and diminish the chance of campus-wide Internet sluggishness; downloading and installing SP2 can take an hour or more with a high-speed Internet connection.
Microsoft, however, last week sent a letter to those schools warning them against duplicating and distributing the patches without buying an expensive license that includes the right to install Microsoft programs on student PCs.
"It is a definite possibility that an enterprising hacker hoping to harm companies, campuses or personal assets could compromise the integrity of a disk that has not been created by an Authorized Replicator," Microsoft wrote. "As a result, Microsoft must take special precautions when it comes to security updates and how they are distributed."
Microsoft has agreed to give schools one service pack disk for every 50 students on campus, with extra disks costing 32 cents each. Microsoft said it has received orders for the CD-ROM from approximately 60 institutions, and that nearly 100,000 CD-ROMs have already been shipped to schools nationwide.
Some schools, including American University, will not receive them for another two weeks, though Microsoft said it expects to ship any ordered discs within five to 12 business days.
"For the vast majority of institutions that have students returning this week, that's too little too late," said Rodney Petersen, security task force coordinator for Educause.
Krebs is a staff writer for washingtonpost.com.
Get paid for your H I P I M P L A N T troubles.>>