lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <412A54D7.8010309@sdf.lonestar.org>
From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: Windows Update

Michael Schaefer wrote:

> It looks like windows update requires Automated Updates to be set to 
> automatic startup, but does not require the process to actually be 
> running...
>
> So the statement that they are "required" is obviously false.
>
> As a work around, I can manually change the startup status, do the 
> windows update, then change the startup status back to manual.
>
>
> Seriously annoying, but doable.
>
>
It's a little bit more than seriously annoying, though.  It represents a 
very poor design choice.

Obviously, if this setting change works, it means that the automatic 
update client is not actually necessary to install patches from 
windowsupdate.  I could see the service requirement *if* Microsoft were 
piggybacking the installation code off of the client in an effort to no 
longer rely on installing the code with an ActiveX control, however what 
this demonstrates is that the only reason to do this check is strictly 
to ensure that automatic updates is running.

This is either a bug or a very poor design choice. 

If the idea is to ensure that everyone has automatic update running, 
then it's going fail.  The people who are getting their updates from 
WindowsUpdate are not the people you generally need to worry about 
getting their patches -- it's the people who don't know about 
WindowsUpdate and who don't have automatic update running that you have 
to worry about.

What I'm saying is that warning people is good; blocking people is bad.

It's kind of like not letting someone get a medical checkup if they 
don't check their blood sugar everyday.  It hurts people more than it helps.

             -Barry






Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ