
From Tony Bradley, CISSP, MCSE2k, MCSA, A+

Mea Culpa or Tu Culpa?

On July 24, 2002 Microsoft released Microsoft Security Bulletin MS02-039. It related to three security vulnerabilities in Microsoft SQL Server 2000, the most serious of which could let an attacker gain complete control of the SQL Server machine. On January 25, 2003, almost exactly 6 months later, the SQL Slammer worm spread around the world in under an hour and crippled the Internet by infecting and propagating to unpatched SQL Server systems. With six whole months to apply the patch, there were still tens of thousands of vulnerable machines ripe for the worm to infect.

On July 16, 2003 Microsoft released Microsoft Security Bulletin MS03-026, which related to a buffer overrun flaw affecting ALL versions of Microsoft Windows and could allow an attacker to execute anything they liked on the vulnerable system. Less than a month later, on August 11, 2003, the MSBlast worm hit the Internet and bogged things down as it spread throughout the world infecting unpatched systems.

On average, infecting an unpatched system took approximately 30 seconds once the machine was connected to the Internet. On a 56k dial-up connection it would probably take about 5 minutes to download the patch needed to protect the system. However, applying the patch required certain minimum service pack levels; the patch for Windows 2000, for instance, could only be applied on Windows 2000 Service Pack 2 or higher. Many home users may never have applied Service Pack 2 because it is a 100Mb file, and downloading SP2 on a dial-up connection could take more than 4 hours.

Therein lies the problem with expecting the home user market to take responsibility. First, most home users have little to no clue about vulnerabilities or security risks; many use their computers the way they use their toaster, their VCR or any other appliance in the house. Second, because the majority of the home user market is still on 56k dial-up connections, it is unreasonable to expect them to keep current with patching, even if they wanted to, when some service packs and security updates are as large as or larger than the application they patch.

Generally, corporations are better able to download and apply patches in a timely manner because they have high-speed connections. The same Windows 2000 SP2 that takes almost four and a half hours to download on a 56k dial-up connection takes less than 10 minutes on a T1 line. Combine that with the fact that most corporations have some control over their routers, and the knowledge to mitigate the risk by blocking the ports the worms use, and it seems most corporations should be able to protect themselves.
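The argument above (patch prerequisites, link speed and a 30-second infection window) can be turned into a simple patch-readiness triage. This is an added example, not code from the article or from Microsoft; the hotfix size, the raw-link-rate transfer model and the sample inventory are constructed assumptions, while the SP2 size, the SP2 prerequisite and the infection window are the figures the article gives.

```python
"""Patch-readiness triage modelled on the article's figures (constructed example)."""
from dataclasses import dataclass

# Figures from the article, plus constructed assumptions where noted.
SP2_SIZE_MB = 100.0           # article: Windows 2000 SP2 is a 100Mb file
PATCH_SIZE_MB = 1.5           # assumption: size of the MS03-026 hotfix
INFECTION_WINDOW_S = 30.0     # article: ~30 s from connecting to being infected
LINK_BPS = {"56k": 56_000, "t1": 1_544_000}   # nominal link rates in bits/s
MIN_SP_FOR_PATCH = {"Windows 2000": 2}        # article: patch needs SP2 or higher


@dataclass
class Host:
    name: str
    os: str
    service_pack: int
    link: str
    patched: bool = False


def download_seconds(size_mb: float, link: str) -> float:
    """Idealised transfer time: payload bits divided by the raw link rate (assumption)."""
    return size_mb * 8 * 1_000_000 / LINK_BPS[link]


def triage(host: Host) -> dict:
    """Decide what a host needs before it is safe to connect without a port filter."""
    if host.patched:
        return {"host": host.name, "needs_sp": False, "download_s": 0,
                "filter_first": False}
    needs_sp = host.service_pack < MIN_SP_FOR_PATCH.get(host.os, 0)
    size_mb = PATCH_SIZE_MB + (SP2_SIZE_MB if needs_sp else 0.0)
    seconds = download_seconds(size_mb, host.link)
    # If the download outlasts the infection window, the worm wins the race:
    # the host must sit behind a filter on the worm's ports until it is patched.
    return {"host": host.name, "needs_sp": needs_sp,
            "download_s": round(seconds),
            "filter_first": seconds > INFECTION_WINDOW_S}


def triage_fleet(hosts: list) -> list:
    """Triage every host in an inventory; hosts needing a filter first come back flagged."""
    return [triage(h) for h in hosts]


# Constructed sample inventory: a dial-up home PC still on SP1, a T1 office box on SP3.
FLEET = [
    Host("home-pc", "Windows 2000", 1, "56k"),
    Host("office-ws", "Windows 2000", 3, "t1"),
    Host("already-done", "Windows 2000", 3, "t1", patched=True),
]
```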
