lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <004DD5EFF6CAD511871C00805FC7C03701508A1D@gentmail.dmn900000.be>
From: svgn at orbid.be (Serge van Ginderachter (svgn))
Subject: Windows Update: A single point of failure f
	or the world's economy?

This makes me wonder about the differences / similarities to the debian apt
repositories in general and security.debian.org in particular. ("Debian" is
more like an example here, I guess there are a lot of similar other
examples.)

Does Windows update feel dangerous because it's
- Microsoft and that's very big and widely deployed?
- commercial
Does Debian repositories feel safe because it's 
- Open Source, GPL'ed or free as in beer and speech?
- non commercial

Is this basically really all what's to it or would there be other
perspectives?


Some thoughts:
- Debian repositories have a lot of mirrors. "security.debian".org does not
AFAIK
- I do trust Debian patch system far more. I automate it on my servers,
which I'd never dare on Windows servers. Not sure if I can give valid
arguments on this.
- remember that big part of those differences might be more related to the
underlying technology on OS-level (unix parts vs. windows integration) than
to other reasons?
- ...




Serge van Ginderachter



-----Original Message-----
From: Richard M. Smith [mailto:rms@...puterbytesman.com]
Sent: dinsdag 19 augustus 2003 18:47
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Windows Update: A single point of failure for
the world's economy?


Hi,

The Washington Post has an article in today's paper saying that
Microsoft is mulling over making the Auto-Update feature of Windows XP
be turned on by default.  The article can be found here:

   Microsoft Weighs Automatic Security Updates as a Default 
   http://www.washingtonpost.com/ac2/wp-dyn/A11579-2003Aug18

This move by Microsoft sounds pretty scary to me.  I am willing to bet
that if Microsoft proceeds with these plans, the Windows Update Web site
could easily distribute and install new software on hundreds of millions
of Windows computers in a day or two.  

The risk here is that the system could be exploited by a disgruntled
Microsoft employee and become the ultimate malware distribution system.
It seems to me that the Microsoft is in the process of creating a single
point of failure for the world's economy.

I am wondering what sort of security and accounting systems that
Microsoft has in place to prevent an insider attack on the Windows
Update Web site?

As one data point, yesterday I updated my wife's Windows Me laptop at
the Windows Update site to repair the DCOM security hole.  One of the 20
patch files I downloaded was something for DirectX.  This patch file
caused the laptop to blue screen of death in some VxD near the end of
the Windows boot process.  Luckily for me, the system seem to repair
itself after the 4th reboot.  I really didn't relish the idea of
explaining to my wife how I broke her laptop.

Richard M. Smith
http://www.ComputerBytesMan.com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030819/64515d45/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ