Can a worm do good?
February 23rd, 2008
It’s not a particularly new idea. Microsoft even got into some hot water a couple days ago for this very thing. Can something as inherently malicious (or eeeeevil) as an Internet worm be used for good? It’s kind of like the One Ring. The bearer of the worm would want to use the power to do good, but by the very nature of the worm it would simply compel the bearer to use the power to spread evil throughout the lands. Anyone with me on that?
Geeky comparison aside, could a worm really be used to hop from vulnerable machine to vulnerable machine patching up their holes along the way? Despite the fact that it’s still illegal no matter how virtuous your intent, is it a good idea?
It would definitely accomplish the goal. A worm going from machine to machine could easily spread in the same way that malicious worms spread and could patch them up to prevent any baddies from getting in. However, what this leaves out is the user. The user doesn’t get to give their consent and isn’t even notified that anything is going on, as Bruce Schneier points out:
And that’s exactly why it’s a terrible idea. Patching other people’s machines without annoying them is good; patching other people’s machines without their consent is not. A worm is not “bad” or “good” depending on its payload. Viral propagation mechanisms are inherently bad, and giving them beneficial payloads doesn’t make things better.
I agree with him in principle. Not letting the user consent to the fix isn’t good no matter how you spin it. I wouldn’t want my system unwillingly (and unknowingly) patched. I wouldn’t know if the patch was good, if it came from a reputable source or even if the patch might introduce any other vulnerabilities, holes or simply any other functionality that I might not want…
But let’s get real.
Users just don’t patch their computers. Regular users don’t keep their systems up to date. They don’t regularly patch their machines. Heck, they don’t even maintain their systems well. How many times have you acted as the family IT guy and tried to fix a relative’s computer that had never been defragmented, had tons of unknown or never used applications installed and was last patched not weeks ago, and not months ago, but years ago? Most users either don’t know how to patch, don’t want to learn, don’t care or can’t keep up. Worms, viruses, trojans and lots of other malware are still floating around the web that exploit vulnerabilities that have been patched for years. Yes, years. These infected systems just aren’t being maintained.
So has the time come to force patches upon users?