Date: Thu, 04 Sep 2003 10:57:37 -0400
From: Barry Fitzgerald <bkfsec@....lonestar.org>
To: Paul Schmehl <pauls@...allas.edu>
Cc: Stefano Zanero <stefano.zanero@...e.org>,
	BugTraq <BUGTRAQ@...urityfocus.com>
Subject: Re: Windows Update: A single point of failure for the world's economy?


Paul Schmehl wrote:

> --On Sunday, August 31, 2003 09:01:49 PM +0200 Stefano Zanero 
> <stefano.zanero@...e.org> wrote:
>
>>
>> Enabling a world-wide auto-update feature does indeed seem much of a
>> security risk to me.
>>
> More of a risk than up2date for RedHat or emerge -u system for 
> Gentoo?  Or cvsup for *BSD?
>

I don't think that it's the existence of the autoupdate feature in the
first place that is the problem, but the fact that they're thinking
about making it impossible to turn off.  Mandating patches and removing
the control to stop them from being applied - either from the end user
or the administrator - is a seriously bad thing.  Having methods of
easily updating your system, on the other hand, is a good thing.

And I'll be the first to say that any existing mature package management
system (by this I mean RPMs and DEB files) for *nix systems is far more
"fault tolerant" than MS Windows' patching methodology.  That's not to
say that I haven't installed RPMs in the past that have caused me
trouble - I have.  But, rather, that the issues have been fewer and
easier to resolve, in my experience.  Try remotely diagnosing an issue
with RPM roll-out versus an issue with an MS patch roll-out and you'll
see the difference - it's as clear as day.

And I'm not just talking about patches which make a system
non-bootable.  To limit "problems with patches" to mean "making a
system non-bootable" is to only consider one of the worst possible
results of patching.  Patching can have other problematic results that
don't show up immediately.  That's the problem with having mixed DLLs
and other files on the system.  Diagnosing problems like this stemming
from Microsoft released patches can be really troublesome sometimes.
But, that's just the difference between the way that MS Windows is
engineered and the way that GNU/Linux is engineered.

So, yes, I do consider patching MS Windows systems to be more of a risk 
than patching RedHat or Gentoo systems - and by extension an autoupdater 
is also more of a risk.  That's just my experience.

Having said that, I don't allow any of my systems to automatically 
update.  I prefer to have more control than that.

             -Barry