lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200408221307.i7MD7dex017810@pop-7.dnv.wideopenwest.com>
From: mvp at joeware.net (joe)
Subject: Windows Update

If that is your stance, you should probably have it for AV updates as well.
There have been various AV updates that have been known to break
functionality and blue screen boxes. I recall one update for one of my
customers that had blown up a good many web servers and local site file and
print servers (hundreds of servers) and this is with an AV Update that was
approved by and placed on the distribution server by central security. 

Anyway, versus completely shutting down WU, you can configure to automatic
download without installation. 

All that being said, actively professionally maintained servers are in a
different boat than most machines that will be running WU. In a large
properly firewalled and protected corporate environment, I don't think the
client support group would really depend on automatic updates from outside
the company, they would use SUS or some other deployment mechanism. If using
some other deployment mechanism, WU would be off. Either way, patches would
be tested before being deployed, it wouldn't be automatic. 

That being said, once you get to x machines with x being a function of your
resources available to do testing, the number of LOB apps you have running,
and how bad the hole is being plugged you will run into occasion where you
can not test everything and simply have to release. One would hope that this
will be less frequent if you have XP SP2 deployed and have the firewall up
and running without turning it into swiss cheese but until we see the next
worm type attack and see if XP SP2 is safer we can't for sure say anything.
If the biggest issues end up requiring some sort of people interaction, then
that is quite a win in and of itself. 

  joe
 

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of ?ber GuidoZ
Sent: Saturday, August 21, 2004 7:56 PM
To: FD
Subject: Re: [Full-Disclosure] Windows Update

Umm, hold on a sec here... 

(snip from "James Tucker"):
> There really should be no reason why you would want to disable the  
>Automatic Updates service anyway, unless you are rolling out updates  
>using a centralised distribution system, in which case you would not 
>need it anyway.

I believe you are missing one fundamental point: SPs and updates are
notorious for breaking something else. (Especially from Microsoft.) Granted,
if fixing a security weakness breaks something you're using, then that
aspect could have been written better. However, that still doesn't fix it
when an entire business network goes down and YOU are the one responsible. I
do not allow ANY automatic updates (except for virus definitions) to run on
ANY networks I am in charge of. I take the time (like every good sysadmin
should) to look over each update before applying it so I know three things:

1. What it's fixing/patching
2. Why it's fixing/patching it
3. What will be the end result of the fix/patch

If you would simply allow updates and SPs to have free reign over your
system(s) without taking any time to look over those updates, you're going
to be one busy and irritated sysadmin. That is, if you still have a job
after a little bit.

~G

P.S. Don't take my word for it. Look here:
 - http://www.infoworld.com/article/04/08/12/HNdisablesp2_1.html
 - http://www.pcworld.idg.com.au/index.php/id;1183008015;fp;2;fpid;1
 - http://www.integratedmar.com/ecl-usa/story.cfm?item=18619
 - http://www.vnunet.com/news/1157279
 - Or, find the other 200+ articles by searching Google News
    for "disable automatic update sp2"  =)

On Sat, 21 Aug 2004 18:51:40 -0300, James Tucker <jftucker@...il.com> wrote:
> Here I found that I can have BITS and Automatic Updates in "manual", 
> Windows Update works fine here. It may be a good idea to refresh the 
> MMC console page, as you will probably find that at time the service 
> had shut down if and when BITS was stopped prematurely (i.e. when it 
> was in use).
> 
> There really should be no reason why you would want to disable the 
> Automatic Updates service anyway, unless you are rolling out updates 
> using a centralised distribution system, in which case you would not 
> need it anyway.
> 
> If you are worried about system resources, you should look into how 
> much the service really uses; the effect is negligable, in fact there 
> is more impact if you select (scroll over) a large number of 
> application shortcuts (due to the caching system) than if you leave 
> Automatic Updates on. If you are worried about your privacy and you 
> dont believe that the data sent back and forth has not been checked 
> before, then you surely dont want to run Windows Updates ever. If you 
> want to cull some real system resources and have not already done so, 
> turn the Help and Support service to manual, that will save ~30mb on 
> boot, up until the first use of XP help; this will stop help links 
> from programs from forwarding to the correct page, until the service 
> has loaded once.
> 
> As for worry over using bandwidth on your internet service, again, you 
> want to check this out as its a trickle service, not a flood. BITS 
> does not stand for Bloody Idiots Trashing Service; it means what it 
> says on the tin.
> 
> On Fri, 20 Aug 2004 14:30:22 -0700, David Vincent
> 
> 
> <support@...epdeprived.ca> wrote:
> > joe wrote:
> >
> > >Yep, this is how it works now.
> > >
> > >You control whether Windows Update is updating or not via the 
> > >security panel in the control panel applets (wscui.cpl).
> > >
> > >
> > To eb complete, I should have mentioned I have Automatic Updates 
> > turned off in the control panel.  I also had the service disabled 
> > before applying SP2 and venturing to Windows Update v5.
> >
> > >Of course if you aren't using automatic update you could always 
> > >disable the service and just reenable when you go to do the update, 
> > >or don't use windows update at all and just pull the downloads 
> > >separately. We are talking about a single command line to reenable 
> > >that service
> > >
> > >
> > Yep.
> >
> > >Is it a pain? Yes, for those who like to run minimal services. Is 
> > >it a security issue or life threatening, probably not.
> > >
> > >
> > Agreed.
> >
> > -d
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 


--
Peace. ~G

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ