Open Source and information security mailing list archives
 
Message-ID: <200408241528.i7OFS6q00484@pop-4.dnv.wideopenwest.com>
From: mvp at joeware.net (joe)
Subject: Windows Update

The client is required. I have sent a complaint to MS though concerning the
idea that the service set to manual but started doesn't allow the updates to
occur. That, I agree, is a bad design choice. 

If the service is set to automatic but not started, it will get started as
soon as you try to actually search for updates. Having it set to auto and
not started just gets you past the initial check. I actually replaced the
service with a quick "do-nothing" service I wrote and the web page gets past
the initial check but then hangs in the search for updates section. I have
no doubt that the client is actually used and needed. 

Once again, I agree requiring the service set to automatic is poor. Again
however, this isn't life threatening or insecure, just a pain. Simply use
something to quickly change the start config for the service before going to
the windows update site and change it back afterward. No big hoo hoo. 

  joe

 

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Barry
Fitzgerald
Sent: Monday, August 23, 2004 4:35 PM
To: mbs@...trealm.com
Cc: full-disclosure@...sys.com
Subject: Re: [Full-Disclosure] Windows Update


It's a little bit more than seriously annoying, though.  It represents a
very poor design choice.

Obviously, if this setting change works, it means that the automatic update
client is not actually necessary to install patches from windowsupdate.  I
could see the service requirement *if* Microsoft were piggybacking the
installation code off of the client in an effort to no longer rely on
installing the code with an ActiveX control, however what this demonstrates
is that the only reason to do this check is strictly to ensure that
automatic updates is running.

This is either a bug or a very poor design choice. 

If the idea is to ensure that everyone has automatic update running, then
it's going to fail.  The people who are getting their updates from
WindowsUpdate are not the people you generally need to worry about getting
their patches -- it's the people who don't know about WindowsUpdate and who
don't have automatic update running that you have to worry about.

What I'm saying is that warning people is good; blocking people is bad.

It's kind of like not letting someone get a medical checkup if they don't
check their blood sugar every day.  It hurts people more than it helps.

             -Barry





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

