RE: [Full-Disclosure] SQL Server patch - why doesn't Windows update help?

From: David Vincent (david.vincent@mightyoaks.com)
Date: 01/30/03

    From: David Vincent <david.vincent@mightyoaks.com>
    To: "'Darren Reed'" <avalon@coombs.anu.edu.au>, full-disclosure@lists.netsys.com
    Date: Thu, 30 Jan 2003 09:14:10 -0800
    

    ...because it's "Windows" update. not "SQL" update. that's why there's
    also "Office" update and the "Platform SDK" update.

    http://v4.windowsupdate.microsoft.com/en/default.asp
    http://www.microsoft.com/msdownload/platformsdk/sdkupdate/
    http://office.microsoft.com/productupdates/

    i'm sure we'd all love it if there were an "SQL" update site. but as anyone
    with experience knows Windows Update DOESN'T WORK. sure, it'll identify
    patches and install 'em. but it really has a hard time getting your machine
    actually up to date.

    it doesn't look at sql, exchange, or mdac afaik. it does look at the core
    components home users would be interested in like internet exploder and the
    media plunderer.

    for quite a while it didn't have the patch for MS02-050
    (http://www.microsoft.com/technet/security/bulletin/MS02-050.asp) and even
    now HFNETCHK says my MS02-055 isn't installed properly, though WindowsUpdate
    misses it and so does QCHAIN.

    this is why ms offers their Corporate Windows Update now called the Windows
    Update Catalog.
    http://v4.windowsupdate.microsoft.com/catalog/en/default.asp

    they know their *** website is really only there to give home users a warm
    feeling when it scans their system and says "there are no updates available
    at this time" (and i can't count the times i've gone to a home to "fix" a
    computer issue only to find the pc has been running for three years with no
    updates and no firewall while connected to adsl or cable. and they act so
    surprised when i show them the windows update icon on the top of their start
    menu - dumbasses! anyways, back to the topic....).

    in the industry, we all know you must test patches not only for issues they
    may introduce to the system (instability, functionality changes, etc.) but
    also for how they install if they even do that correctly. you can't 100%
    trust any vendor to do it right, there are always unique issues for your
    workplace which they could not have anticipated.

    -d
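The verification problem both messages raise (a scanner only knows the products it covers, and a hotfix being registered as installed is not proof its files were updated), as an added example that is not from the thread. It does not reproduce HFNETCHK's real checks or any bulletin's actual file list; every id, file name and version below is constructed.

```python
# Added example (not from the thread): a toy patch-state checker modelling two
# gaps discussed above: a scanner reports only on products it covers (so a SQL
# Server bulletin is invisible to a Windows-only one), and a hotfix can be
# registered as installed while its files are still old, which a file-version
# check (HFNETCHK-style) catches. All ids, file names and versions are constructed.
def parse_version(text):
    """'5.2.1.30' -> (5, 2, 1, 30) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

# Constructed catalogue: bulletin id -> (product, {file: minimum version}).
BULLETINS = {
    "MS02-050": ("Windows", {"example_cert.dll": "5.0.1.100"}),
    "MS02-055": ("Windows", {"example_help.ocx": "5.2.1.30"}),
    "SQL-EXAMPLE-1": ("SQL Server", {"example_sqlservr.exe": "2000.80.600.0"}),
}

def file_status(bulletin_id, registered, installed_files):
    """registered = hotfix ids found in the uninstall registry key;
    installed_files = {file name: version string} as found on disk."""
    _, files = BULLETINS[bulletin_id]
    up_to_date = all(
        name in installed_files
        and parse_version(installed_files[name]) >= parse_version(minimum)
        for name, minimum in files.items())
    if up_to_date:
        return "installed"
    if bulletin_id in registered:
        # Registry says installed, files say otherwise: the "not installed
        # properly" case that a registry-only check would report as fine.
        return "registered but files not updated"
    return "missing"

def scan(covered_products, registered, installed_files):
    """Report every bulletin as a scanner limited to covered_products would:
    other products are flagged 'not covered', never silently treated as OK."""
    return {bid: (file_status(bid, registered, installed_files)
                  if product in covered_products else "not covered by this scanner")
            for bid, (product, _) in BULLETINS.items()}

# Constructed machine state: MS02-050 applied, MS02-055 registered but its
# file still old, the SQL Server hotfix never applied.
REGISTERED = {"MS02-050", "MS02-055"}
INSTALLED_FILES = {"example_cert.dll": "5.0.1.100",
                   "example_help.ocx": "5.2.1.10",
                   "example_sqlservr.exe": "2000.80.534.0"}

if __name__ == "__main__":
    for products in ({"Windows"}, {"Windows", "SQL Server"}):
        print(sorted(products), scan(products, REGISTERED, INSTALLED_FILES))
```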

    -----Original Message-----
    From: Darren Reed [mailto:avalon@coombs.anu.edu.au]
    Sent: January 30, 2003 7:30 AM
    To: full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] SQL Server patch - why doesn't Windows update
    help?

    I was just thinking to myself, hmmm, I have SQL Server something*
    installed on one of my Win2K boxes (service is turned off), I wonder
    if I have this patched as I do regular checkups with "Windows Update"...

    Well, either I haven't or I have and the "Windows Update" web site is
    lying and "Add/Remove Programs" is in league with it.

    Strange. I do a scan with "Windows Update" and it still doesn't pick
    it up.

    It doesn't show up under "Office Update" either.

    What gives?

    I ask myself have I been deceived into thinking that this "Windows Update"
    was not doing as I expected and is in fact doing far less? I wonder how
    many other people do regular updates, using "Windows Update" and expect
    it to catch all of the patches required for their system(s) and don't
    give it much further thought?

    The catch I now find myself in is if "Windows Update" doesn't know it
    should have installed the hotfix for SQL Server, how the hell am I
    (or anyone else for that matter) meant to now work out what has and
    hasn't been applied that is relevant? How much trust can I now put
    in the "Windows Update" service to deliver me the correct patches that
    my system needs? I wonder if I would have been one of the unsuspecting
    masses that got infiltrated if I had been trusting "Windows Update"
    to keep my 'net exposed SQL servers up to date?!

    Maybe this is a "known bug" or "caveat" with "Windows Update" but if
    it is, it'd sure be nice if it behaved as expected - read the "About
    Windows Update" sometime. I don't think I've got unreasonable
    expectations, based on how they advertise the service, that this should
    have been patched for me, already!

    I wonder if you'd have a case for suing Microsoft for damages if you got
    hit and used their update service on a regular basis, with it failing to
    install the patch, leading to you being compromised for (if nothing else)
    false advertising of the "Windows Update" service capabilities...

    Darren
    * - it is one of the versions advertised as being vulnerable and no,
        there are no copyright problems with the installed products.

    p.s. This is the kind of email that now gets censored from bugtraq,
    I just hope it's appropriate for full-disclosure...
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html