The emergence of a new Internet virus targeting a Microsoft Windows security flaw could cause more damage than usual because the company's system for fixing the problem is so complex that many people will not bother to download the fix, security experts warned.
On Sept. 14, Microsoft released a patch to remedy a problem in the way the company's products process digital image files. That problem could allow attackers to take control of computers running the Windows XP operating system, Server 2003 software and Microsoft Office just by getting people to open an e-mail message or visit a Web site. Microsoft Office is a bundle of products that includes the popular Word, Excel and Outlook e-mail programs.
Microsoft has waged an extensive public relations campaign to convince users to set up their computers to receive software patches through the company's automatic update service, but some experts said that many users do not know that they might need to manually apply other patches at a separate Microsoft Office Update Web site to ensure that their PCs are protected against the threat.
Windows users who receive automatic updates or go to Microsoft's Windows Update site can use a scanning tool that tells them whether they need to visit its Office Update site for other fixes. But patching Office often requires users to take additional steps. For example, users who have not installed any previous Office patches will need to download and install those fixes before their computers will accept the latest patch. The Office site also may require users to have their original Microsoft Office CD-ROM handy.
Computer security experts say those extra steps have proven challenging and time-consuming even for them.
"We talked to [computer network] administrators who thought their systems were patched when all they really did was install these scanning tools," said Russ Cooper, chief scientist at Herndon, Va.-based TruSecure Corp. "I can see this creating confusion and a false sense of security for a lot of average computer users out there."
Patching Microsoft Office can be a relatively painless job or a lengthy chore depending on how the product was installed. For businesses and consumers who installed Office on their computers via the supplied Microsoft CD-ROM, patching Office involves popping the CD into each computer, a labor-intensive and expensive undertaking for small- to mid-sized organizations.
The University of Richmond, for example, faced the job of installing the patch on more than 1,000 faculty and staff computers. The school instead removed Office from the computers and reinstalled the software on every PC through the school's computer network.
Chris Faigle, Richmond's security administrator, said the bigger problem is that many students will not take the manual steps to protect themselves against the flaw.
"When we turned on automatic updates at registration time our intention was that students would get the updates and wouldn't have to mess with any of it," he said. "All we can do for now is get the word out there about the steps people need to take [to deal with] this and hope that our anti-virus tools save us if a worm or virus emerges in the meantime."