New PCs Must Be Protected, Patched


December 23, 2003

Network Computing

Consumers buying PCs as holiday gifts and businesses purchasing new systems to squeeze capital expenditures under the tax wire may be putting themselves at risk as soon as they unwrap the machines, a security analyst said Monday.

"When you're buying a new PC, it's impossible to know how up-to-date its patches are," said Chris Belthoff, a senior security analyst with anti-virus vendor Sophos. "There's an assumption that a computer straight off the shelf will be ready to go, but I've seen people have to download a staggering 38MB of security patches onto a brand-new PC, a job that can take from dusk 'til dawn via a modem."

The problem with new PCs is that they might not be all that new, particularly their operating system. "Who knows how long it's been sitting in the warehouse?" he said. Because most computer makers only install the most recent service pack of Windows -- the OS on the vast majority of newly-purchased PCs -- there is a slew of fixes, those released since the last service pack, that are probably not on the new system.

"The last thing on buyers' minds is 'Are my patches up to date? Is my anti-virus up to date? Do I have a firewall?'" Belthoff said. Instead, users -- both those at home and in business -- are too eager to simply plug their machines into the Internet.

A new PC that's not been properly patched and secured with a firewall and up-to-date anti-virus software runs the risk of being the target of fast-moving exploits, some of which debuted months ago but are still circulating on the Web.

MSBlast, for example, which rolled through the Internet this August and onto thousands of machines, is still pervasive, and a new Windows-based PC that's not been patched can be infected just seconds after it's jacked into a broadband modem.

The first thing a user of a new Windows XP machine should do, Belthoff said, is to engage the operating system's built-in firewall to protect the machine while it downloads the necessary security patches from the Microsoft Web site.

"It's not the best firewall in the world, but it's an additional level of protection," he said.

Microsoft, which seconds Belthoff's recommendation, offers instructions on its 'Protect your PC' Web site that detail the steps needed to turn on the firewall, which is disabled by default. (Microsoft has said its Windows XP Service Pack 2, or SP2, will come with the firewall already engaged, but SP2, while just released into beta testing, won't officially debut until sometime in the first half of 2004.) Users who have purchased a non-Windows XP PC should buy and install a personal firewall before they do anything else.

Once that's taken care of, the next steps are to visit the WindowsUpdate Web site to download and install all the recommended patches, then acquire an anti-virus program, or if one comes pre-installed on the machine, immediately update its virus definitions.

"They should also turn on the automatic update feature of the anti-virus program, if it has one," Belthoff said. That will protect the PC against the hundreds of new threats that hit the Internet each month.

Although consumer-purchased PCs may account for the majority of end-of-the-year systems, businesses deploying new machines also need to make sure that a firewall's installed, updates are downloaded, and anti-virus software is up-to-date.

"The same cautions apply to them as well, perhaps even more so, since these machines will be used for critical business functions," Belthoff said.
