Having a non-patched Windows connected directly to the Internet (through a modem/ADSL/cable connection) is dangerous. A lot of people, unfortunately, are completely unaware of that. Without Microsoft’s service packs and security fixes, it’s estimated that a Windows XP PC can be infected with worms (which can, among other things, install viruses and spyware, and turn your PC into a “spam zombie”, which will be used to send gigabytes of spam - and guess who’ll pay the bill?) in minutes, if not seconds.
The problem here is that a recently installed Windows (unless it was some kind of installation CD which already included service packs and updates - but most “normal” users don’t have those) is an unpatched Windows. Now, to update it (by going to Windows Update, the only thing one should ever use Internet Explorer for), you must be connected to the Net. See the problem? Chicken and egg - you must connect it to update it, but you mustn’t connect it if it’s not updated.
How to solve this problem, then?
The solution itself is relatively obvious: you must update it without it being directly connected to the Internet. The keyword is “directly“.
Two of the best ways are:
- Take it to your work place, assuming it has a firewall, and that you have to connect there using a proxy server. Ask your system/network administrator for help if necessary. Be sure that your PC is freshly installed - that is, that it’s never been connected directly to the Net before. If it was, it may already be infected - and connecting it to your office’s internal network can infect other PCs there, which may lead to you being fired or at least harshly reprimanded.
- Ask a “geek” friend of yours (I’m assuming you’re not one - if you were, all of this article would be common knowledge to you), who has a small protected network at his home, to update your Windows there. I’ve done it for several friends and family members, myself. Again, be sure that your Windows is freshly installed.
Does this seem like a lot of work? Tough. Blame Microsoft. 
Don’t, however, fool yourself into thinking you can avoid doing this. Trust me: it’s very likely that your PC will be infected while it is updating itself to be resistant to infections.
Oh, and don’t trust software firewalls too much. Unless you really know what you’re doing, you can’t use one to make a non-patched Windows “safe”.
Related posts:
RSS feed
The best way is to install Linux on a small/old machine with two ethernet cards, use it as a nat/firewall and connect the XP machine through it and update.
– MV
That’s mostly what I have at home, except that it’s OpenBSD instead of Linux.
The problem here isn’t Windows security flaws properties - that will ever exist - , it’s the hardware
- USB modems suck real hard. E.g.: They dont have any kind of firewall embedded.
- Any “normal” router do have firewall, DDoS and SPI properties.
- All routers from ISP’s should have firewall enabled.
So, if you;
1) Enabled Windows Firewall, and
2) Use a router with firewall
Then you can do Windows Update safely.
Yes, a router with a firewall could solve this - NAT, forwarding only from the inside to the outside, no port redirection from the outside to the inside unless manually configured. But we’re not there yet. And I don’t know whether it’s a good idea to force that on ALL users - I much prefer having my own OpenBSD gateway, directly connected to the Net, and with the Windows games machine behind it.
My point is still valid: if you have a normal modem/cable/ASDL connection (meaning that your PC will get a public Internet address), you should really take your PC somewhere where it will not be directly connected, and update it there.
“My point is still valid: if you have a normal modem/cable/ASDL connection (meaning that your PC will get a public Internet address), you should really take your PC somewhere where it will not be directly connected, and update it there. ”
Or… you should activate windows firewall.
That solve 90% of the common problems. The other problems derivate from the IE use, that should be only used _after_ windows update.
I admit I have little experience with the Windows Firewall, as I’ve never needed it, but I heard about worms and viruses that were able to disable it, at least with the pre-SP2 version. And, to install SP2… chicken and egg again.
Anyway, activating a software firewall is something that a newbie can very well do wrongly, which may lead to a false sense of security. Having it behind “something”, with a NATted address, is (other than nuking the site from orbit :)) the only way to be sure.