Security threats Toolkit

Patch demand briefly downs Windows Update

Tags:
Security,
Hole,
Flaw,
Fix

Published: 15 Apr 2004 08:50 BST

The crush of millions of Windows users trying to patch their computers overwhelmed Microsoft's update service for several hours after new security fixes were made available, the software giant acknowledged on Wednesday.

Immediately after Tuesday's release of four patches that fixed a score of flaws in the company's operating system, traffic to Microsoft's Windows Update site spiked higher than seen during any previous update, reaching a sustained download rate of more then 50GB per second. Past patches have resulted in two million people visiting Microsoft's Windows Update site every hour to download fixes. This time, between three million and four million users came to the site.

As a result, many customers found that the scan didn't work properly and they were not able to download the latest patches.

"When the patches went out yesterday there was a significant wave," said Todd Weeks, director of operations for Microsoft.com. The increase led to delays for users who wanted to immediately download the latest patches from the service. "After about the first four hours, it was essentially resolved."

By Tuesday afternoon, the company had about doubled the ability of the servers to handle requests by adding more servers that had better processors, Weeks said. By Wednesday morning, the software giant's update servers were handling 4 million visitors every hour with no issues, he said.

The events present the latest problem for Microsoft as it continues its two-year-old Trustworthy Computing initiative. Although the software giant has taken major steps to alleviate security concerns, such as delaying its next version of Windows in order to divert developers to its Windows XP Service Pack 2 security update, Microsoft has also had to contend with releases of critical patches to deal with large virus epidemics among customers.

Nonprofit group Pathfinder International encountered delays in updating its Microsoft computers Wednesday, said Kevin Greene, senior network administrator for the group. Pathfinder has servers in the United States, Peru, Brazil, Bolivia, Bangladesh, Egypt, Ethiopia, India, Kenya, Nigeria, Vietnam, Pakistan, Yemen, Tanzania and Uganda. After one of those computers had been infected by the MSBlast worm last August, the group focused on applying patches as soon as possible.

"Microsoft's decision to release updates to 90 percent of the computers on the planet on the same day, coupled with its announced desire for us to all update on the same day, places a considerable burden on Microsoft to ensure it has the bandwidth, equipment and other infrastructure necessary to ensure that we can do that efficiently," Greene said. "My experience this morning, and in the last round of updates in February, indicates that the infrastructure is lacking."

Internet performance measurement service Netcraft noted the problems as well, stating: "A browser request through Internet Explorer eventually raises the site after an extended wait, and in some cases it is possible to successfully download and install updates over a broadband connection."

The flood of users led Microsoft to add the ability to regulate the rate at which Windows Update will try to download patches from the company's servers, Weeks said. The new feature will act as a spigot on the electronic data, evening out the demand for downloads.

The current problems were solved by throwing more computing power at the issue, said Stephen Toulouse, Microsoft's security program manager. He added that -- on the positive side -- the flood of users means more customers are worrying about security.

"People are now just waiting to get the update," he said. "We are pleased (that customers are more aware). We will do whatever it takes to provide these updates to our customers as demand increases."