RE: [Full-Disclosure] Windows Update

From: joe (mvp_at_joeware.net)
Date: 08/24/04

  • Next message: idlabs-advisories_at_idefense.com: "[Full-Disclosure] iDEFENSE Security Advisory 08.24.04: CDE Mailer argv[0] Format String Vulnerability"
    To: "'Barry Fitzgerald'" <bkfsec@sdf.lonestar.org>, <mbs@mistrealm.com>
    Date: Tue, 24 Aug 2004 11:28:07 -0400
    
    

    The client is required. I have sent a complaint to MS though concerning the
    idea that the service set to manual but started doesn't allow the updates to
    occur. That, I agree, is a bad design choice.

    If the service is set to automatic but not started, it will get started as
    soon as you try to actually search for updates. Having it set to auto and
    not started just gets you past the initial check. I actually replaced the
    service with a quick "do-nothing" service I wrote and the web page gets past
    the initial check but then hangs in the search for updates section. I have
    no doubt that the client is actually used and needed.

    Once again, I agree requiring the service set to automatic is poor. Again
    however, this isn't life threatening or insecure, just a pain. Simply use
    something to quickly change the start config for the service before going to
    the windows update site and change it back afterward. No big hoo hoo.

      joe

     

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Barry
    Fitzgerald
    Sent: Monday, August 23, 2004 4:35 PM
    To: mbs@mistrealm.com
    Cc: full-disclosure@netsys.com
    Subject: Re: [Full-Disclosure] Windows Update

    It's a little bit more than seriously annoying, though. It represents a
    very poor design choice.

    Obviously, if this setting change works, it means that the automatic update
    client is not actually necessary to install patches from windowsupdate. I
    could see the service requirement *if* Microsoft were piggybacking the
    installation code off of the client in an effort to no longer rely on
    installing the code with an ActiveX control, however what this demonstrates
    is that the only reason to do this check is strictly to ensure that
    automatic updates is running.

    This is either a bug or a very poor design choice.

    If the idea is to ensure that everyone has automatic update running, then
    it's going to fail. The people who are getting their updates from
    WindowsUpdate are not the people you generally need to worry about getting
    their patches -- it's the people who don't know about WindowsUpdate and who
    don't have automatic update running that you have to worry about.

    What I'm saying is that warning people is good; blocking people is bad.

    It's kind of like not letting someone get a medical checkup if they don't
    check their blood sugar every day. It hurts people more than it helps.

                 -Barry

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
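
The workaround joe describes above (set the service to automatic before visiting the Windows Update site, change it back afterward) as an added PowerShell example; this is not code from joe's message or from Microsoft. It assumes the service is the standard Automatic Updates service, whose short name is `wuauserv`, and that the shell is running elevated so it can change service configuration. The original start mode and run state are captured first and restored in a `finally` block, so a failure part-way through does not leave the machine in a different configuration than it started in. The Windows Update address used at the end is an assumption for illustration.

```powershell
# Added example (not from the original message): temporarily set the Automatic
# Updates service to Automatic and running for a Windows Update visit, then put
# the start type and run state back exactly as they were.
# Assumes the service short name 'wuauserv' and an elevated PowerShell session.

function Get-AutoUpdateState {
    param([string]$Name = 'wuauserv')
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    # Win32_Service reports StartMode as Auto / Manual / Disabled
    [pscustomobject]@{
        Name      = $svc.Name
        StartMode = $svc.StartMode
        Running   = ($svc.State -eq 'Running')
    }
}

function ConvertTo-StartupType {
    # Map the WMI StartMode vocabulary onto what Set-Service -StartupType expects
    param([string]$StartMode)
    switch ($StartMode) {
        'Auto'     { 'Automatic' }
        'Manual'   { 'Manual' }
        'Disabled' { 'Disabled' }
        default    { throw "Unexpected StartMode '$StartMode'" }
    }
}

function Invoke-WithAutoUpdateService {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][scriptblock]$Action,
        [string]$Name = 'wuauserv'
    )
    $before = Get-AutoUpdateState -Name $Name
    Write-Verbose "Before: StartMode=$($before.StartMode) Running=$($before.Running)"
    try {
        # Only touch what actually needs changing
        if ($before.StartMode -ne 'Auto') {
            Set-Service -Name $Name -StartupType Automatic
        }
        if (-not $before.Running) {
            Start-Service -Name $Name
        }
        & $Action
    }
    finally {
        # Restore start type and run state even if the action threw
        Set-Service -Name $Name -StartupType (ConvertTo-StartupType $before.StartMode)
        if (-not $before.Running) {
            Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
        }
        $after = Get-AutoUpdateState -Name $Name
        Write-Verbose "After: StartMode=$($after.StartMode) Running=$($after.Running)"
    }
}

# Usage: open the Windows Update site (address assumed for illustration) while the
# service is Automatic and running; the previous configuration is restored once
# the operator confirms they are done.
Invoke-WithAutoUpdateService -Verbose -Action {
    Start-Process 'https://windowsupdate.microsoft.com'
    Read-Host 'Press Enter once you have finished with Windows Update'
}
```

The `-Verbose` output gives a before/after record of the service configuration, which is the check to keep if this is run on more than one machine. On a domain-joined host, a Group Policy that manages the service's start mode (Security Settings, System Services) will reassert its own value at the next policy refresh, so verify the effective policy before relying on either the temporary change or the restore.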

