Microsoft Corp.'s decision to release a major upgrade for its flagship operating system in the same month that hundreds of thousands of students are reporting to college campuses across the nation is causing a major headache for some universities.
The upgrade, known as Service Pack 2, is designed to patch numerous gaps in Windows XP, the operating system of choice for an estimated 200 million computer users worldwide. The free update includes safeguards against spyware and viruses, a hardened Internet firewall to keep out hackers, and changes to help better alert users to security risks on their personal computers.
The upgrade has received positive reviews for home use, but organizations running large networks have been more cautious, worried the update could conflict with certain applications already in use. Technology administrators at some universities have taken steps to block computers from automatically downloading the software. Not only do they want to conduct more tests on the patch, they fret their networks could slow to a crawl if too many students try to download the large file at once.
"The timing is extremely unfortunate," said Anne Agee, deputy chief information officer at George Mason University. "It wouldn't be so bad if we had gotten this more than a month ago, because at least then we would have had plenty of time to test it and make a decision about how we want to correct for this."
Instead, the Fairfax school is blocking automatic installation of SP2 on all faculty and staff computers because the update interferes with software that the university uses to run faculty PCs. Classes at George Mason start next week, and university officials are still debating whether to block students from installing the upgrade as well.
George Mason is not alone. Catholic University in Washington also has decided to temporarily block automatic downloads of SP2, according to Chief Information Officer Zia Mafaher. Officials at the University of Richmond made the same decision.
"Microsoft's timing really couldn't have been worse for us," said Chris Faigle, a security administrator at the school, where classes started yesterday. "For the faculty and students, we simply won't be able to handle all of the additional issues that would almost certainly come up in addition to just getting the students registered on the network."
Other schools across the country are taking similar action, from the University of Michigan's medical school to the University of Notre Dame in South Bend, Ind.
Notre Dame "didn't want SP2 to land on machines here at the same time the students descend on the campus," said Gary L. Dobbins, the school's director of information security.
College officials concede they cannot stop students from downloading the fixes before they arrive on campus, or from attempting to do so manually once they plug into the network. However, some technology officials warn that such attempts may make it difficult for those machines to function properly on university networks.
Part of the problem is that a number of universities have built systems that periodically probe student PCs to ensure they contain the latest antivirus updates and Microsoft security patches. SP2 can interfere with those automatic inspections since it turns on the Windows firewall, said John J. Suess, chief information officer at the University of Maryland Baltimore County, which also is barring students from automatically downloading the update.
"We estimate that between 5 to 10 percent of the student population will have pretty serious problems after installing this update and will require help from us," Suess said. "Add that to inquiries from faculty and staff, and allowing this to go forward at move-in time could be a real challenge."
Microsoft said it chose to release SP2 when it did in part to avoid a repeat of last August, when computers owned by hordes of college students arriving for the start of the fall semester were infected en masse by the Blaster and Welchia worms. The worms, which took advantage of vulnerabilities in Microsoft software, generated so much Internet traffic that some schools were forced to temporarily kick thousands of students off their networks.
Some schools are encouraging their students to patch their systems. American University in Washington, Georgetown University, the University of Virginia in Charlottesville and the College of William and Mary are encouraging students to install the upgrade as soon as possible.
"I think some schools are being somewhat unnecessarily paranoid about this," said Carl Whitman, American's executive director of e-operations. "At this point, the bad stuff on the Internet is getting pretty out of hand, and we need whatever help we can get."
Several schools, including Brown University and George Mason, planned to circulate SP2 on CD-ROMs, a move that would allow students to install the upgrade without connecting to the Internet. Distributing the service pack via CD-ROM, according to Educause, an information technology association for colleges and universities, could help schools speed up installations and diminish the chance of campus-wide Internet sluggishness; downloading and installing SP2 can take an hour or more with a high-speed Internet connection.
Microsoft, however, last week sent a letter to those schools warning them against duplicating and distributing the patches without buying an expensive license that includes the right to install Microsoft programs on student PCs.
"It is a definite possibility that an enterprising hacker hoping to harm companies, campuses or personal assets could compromise the integrity of a disk that has not been created by an Authorized Replicator," Microsoft wrote. "As a result, Microsoft must take special precautions when it comes to security updates and how they are distributed."
Microsoft has agreed to give schools one service pack disk for every 50 students on campus, with extra disks costing 32 cents each. Microsoft said it has received orders for the CD-ROM from approximately 60 institutions, and that nearly 100,000 CD-ROMs have already been shipped to schools nationwide.
Some schools, including American University, will not receive them for another two weeks, though Microsoft said it expects to ship any ordered discs within five to 12 business days.
"For the vast majority of institutions that have students returning this week, that's too little too late," said Rodney Petersen, security task force coordinator for Educause.
Krebs is a staff writer for washingtonpost.com.