It might come as a surprise to you that most Internet attacks don’t occur when online lowlifes discover a hole in Windows’ security. As it turns out, they’re not quite that smart.
Instead, what usually happens is that Microsoft discovers the soft spot. (Actually, some super-brainiac researcher usually finds the hole, and then notifies Microsoft.) Microsoft then puts together a security patch, which it releases to its millions of customers to protect them.
Figure 10-5. If you turn on Windows XP’s auto-update- installation feature—and Microsoft is practically frantic that you do so—you can ask to be notified either before the software patch is downloaded (third choice) or after it’s been downloaded and is ready to install (second choice). You can also permit the updates to be updated and then installed automatically, on a schedule that you specify (top choice).
The hackers and virus writers learn about the security hole by studying the patch. They leap on the information and create some piece of evilware in a matter of days—yes, after Microsoft has already written software that closes the hole.
So how can PCs get infected after Microsoft has already created a patch? Because it takes weeks or months for Microsoft’s patch to get distributed to all those millions of customers. The hackers simply beat Microsoft to your PC’s front door.
The painful part is that Windows XP already contains a mechanism for downloading and installing Microsoft’s patches the very day they become available. It’s called Automatic Updates, and it’s yet another icon in your Control Panel (Figure 10-5).
Now, any patches or updates that Microsoft wants to send your way are also available for do-it-yourself download and installation at http://windowsupdate.microsoft.com (or choose Start→All Programs→Windows Update; if you’re already surfing in Internet Explorer, you can also choose Tools→Windows Update). As a bonus, this site also reports exactly which bugs are fixed in each update, usually using fairly technical language.
Furthermore, whereas Automatic Update offers you only security-related patches, the Windows Update Web page also offers updates that speed up your PC, offers new features, updates Windows Media Player, and so on.
But a patch won’t do you any good if you don’t know that it exists. So Automatic Update presents four options, as you can see in Figure 10-6. They correspond to four levels of trust people have in Microsoft, the mother ship:
Automatic (recommended). Translation: “Download and install all patches automatically. We trust in thee, Microsoft, that thou knowest what thou do-est.” (All of this will take place in the middle of the night—or according to whatever schedule you establish in the control panel—so as not to inconvenience you.)
Download updates for me, but let me choose when to install them. The downloading takes place in the background, and doesn’t interfere with anything you’re downloading for yourself. But instead of installing the newly downloaded patch, Windows pauses to get your permission, as shown in Figure 10-6.
This option gives you the chance to conduct a quick search on Google to see if anyone has had trouble with this particular patch. If the coast is clear, then you can opt to install.
Notify me but don’t automatically download or install them. When Windows detects that a patch has become available, that yellow ! shield icon appears in your system tray, like the one in Figure 10-6. Click the icon to choose which updates to download.
When the downloading is over, the yellow ! shield appears again in your system tray, this time telling you that the updates are ready for installation. From this point on, the cycle goes exactly as shown in Figure 10-6.
Tip
Consider this setting if you’re a laptopper. People who use the fully automated option have been known to grab their laptops and head to the airport, only to discover that they’re midway through a 25-minute Service Pack installation. Leaving your laptop on as you pass it through the X-ray machine is never a good way to make friends with the security staff.
Figure 10-6. The life cycle of an Automatic Update on a PC where “Automatically download and install updates” is not turned on. Top: When Windows finds an update, a notification balloon lets you know, complete with a yellow ! shield icon. Middle: If you click the balloon, you’re offered yet another choice. You can blindly install whatever it is that Microsoft sent you (click Express Install and then Install), which is the busy person’s solution. Or you can click Custom Install (Advanced), which really means “Show me a description of what I’m about to install.” Bottom: In that case, this screen lists the patches Microsoft has sent you. It also offers you a link to a Web page containing really specific technojargon about the patch. In the case of security-hole patches, you’ll even see a Thanks To list of researchers who found the holes to begin with.
Turn off Automatic Updates. Microsoft will leave your copy of Windows completely alone—and completely vulnerable to attacks from the Internet. This choice is preferred by people who like to fully research each patch before installing it (at, for example, http://www.annoyances.org).
Microsoft hates when people choose anything but the first option, because it’s no better than the old system (when hackers attacked after a hole was patched but before people had installed the patch).
And now a few notes:
You don’t get any notifications unless you’re using an administrator-level account (Section 17.3.2).
Some updates require that you restart your PC. (Actually, you can decline Windows’ invitation to restart your machine, but of course the update won’t take effect until you do.)
If Windows XP reveals that an update is ready to be installed, but you choose not to install it, Windows makes the updater invisible on your hard drive (if it has space). If, later in life, you decide that you really would like to have that particular update, just click the “Offer updates again that I’ve previously hidden” link at the bottom of the Automatic Update tab. Then, the next time you install an update, those choices become available once again.
Tip
You can find a record of the updates you’ve installed (and even uninstall them, if you want) in the Start→ Control Panel→Add or Remove Programs program. But in SP2, they’re hidden. (There used to be so many, that people complained that their Add or Remove Programs list was ridiculously cluttered.)
Turn on the “Show updates” checkbox at the top of the dialog box to reveal the new “Windows XP–Software Updates” category, which lists the individual patches and fixes you’ve installed.