Open Source and information security mailing list archives
From: avalon at cairo.anu.edu.au (Darren Reed)
Subject: Windows Update

In some mail from Security List, sie said:
> 
> Went to windows update last night w/ XP Pro. 
> Redirected to the v5 version.  I was asked to install
> the new Windows Update software...downloaded the WU
> software...copied the files...then saw
> registering...kinda thinking that it was checking for
> a valid registration or license.  No updates needed
> according to WU.  XP SP2 is not available via WU for
> XP Pro yet.
> 
> Now, I checked the Automatic Update service to see if
> it was turned back start automatic as I always have it
> disabled.  Yup, it was set to automatic and it was
> started.  I stop and disable automatic update service,
> and try WU.  Get error stating that the automatic
> update service must be enabled to use WU now.  Has
> anybody else heard of this?  Once again, we must have
> services that we do not want enabled.  I can not
> believe that they are forcing users to turn on the
> service to use WU.

I discovered this when testing out v5beta and had to do a checkpoint
recovery to restore version 4.  If you don't install the latest
Windows Update software (if, for example, you have all Active X stuff
set for prompting and you say "no") then you don't even get to 1st
base and Windows Updates (via a convenient mechanism) are not available.
IMHO, this sucks big time.

What I see Microsoft as doing is pretty much forcing everyone to turn
on Automatic Windows Update.  Why leave it as a control panel option,
I've no clue.  Same with BIT (Background Intelligent Transfers.)
For the millions of users out there that are likely subject to viruses,
etc, I'm sure it will help make things better, but for people who would
fit into the "power user" class, it's a real pain in the arse.

I really object to this philosophy because it does not let a person
plan the downloading and installation of updates - some of which will
require a reboot.

What do large corporate installations of Windows do here?
Do they run their own caches of the Windows updates?
Push out updates from servers rather than have clients pull?
Is it all done with SUS?
Is SUS usable on a single node, in place of WU?
The help for the "Windows Update" web site suggests that it is
possible to get updates without Automatic Updates.  Is the help
out of date or is there a way to still do it without AU on?

If you were a conspiracy theorist, you'd say this was Microsoft's way
of being able to do more automatic updates before announcing a security
vulnerability and mitigate the impact of 0-day exploits (developed through
reverse engineering of changes.)

Darren

