Windows Update
From: Louis Solomon [SteelBytes] (louis@STEELBYTES.COM)
Date: 02/24/03
Date: Mon, 24 Feb 2003 13:17:27 +1100
From: "Louis Solomon [SteelBytes]" <louis@STEELBYTES.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

After failing to explain to the support drones at Microsoft my
problem/complaint with Automatic Updates in WinXP not using the proxy
settings of IE, and being told by them that the Windows Update server would
attempt to scan the proxy if using the Windows Update site from behind a
proxy, I decided to do some investigation to explain to them that they are
wrong.

The result of the investigation showed that although virtually all the
scanning is done by the client (using lists supplied by the server), the WU
server does actually process the list of drivers on the client machine
(although the client does send this list to the server, not the server
scanning the client, and hence why it does work ok from behind a proxy).

Therefore, since I was unaware that Microsoft was being sent a complete
list of all my hardware each time I use WU, I thought I might post here
on ntbugtraq since I guess many others may also be unaware of this.

This is mentioned in the Windows Update Privacy Statement:

"Windows Update is committed to protecting your privacy. To provide
you with the appropriate list of updates, Windows Update must collect
a certain amount of configuration information from your computer.
None of this configuration information can be used to identify you.
This information includes:

  Operating-system version number
  Internet Explorer version number
  Version numbers of other software for which Windows Update provides updates
  Plug and Play ID numbers of hardware devices
  Region and Language setting

The configuration information collected is used only to determine the
appropriate updates and to generate aggregate statistics ..."

For those that are interested, here is a summarised version of the
communication of a https connection between the client and the WU server
when you click on the "Scan for updates" link on WU. (ripped by doing a
piggy in the middle attack using PortTunnel from www.SteelBytes.com)
--------------------------------------
client -> server
<systemInfo ... >
<query procedure="Providers">
server -> client
list of itemIDs of supported versions of IE and Windows
--------------------------------------
client -> server
<systemInfo ... >
<query
procedure="Products" ...
list of itemIDs of each IE and Windows ver
>
server -> client
the following details for each itemID
title
xml expression on how to detect it (version fields in the registry)
itemid & title of sub groups for this itemID ("Critical Update",
"Recommended Updates" etc)
--------------------------------------
client -> server
<systemInfo ... >
<query
procedure="Items"
itemID of client IE version
>
server -> client
list of hot fixes for itemID and xml expression on how to detect each
--------------------------------------
client -> server
<systemInfo ... >
<query
procedure="Items"
itemID of client Windows version
>
server -> client
list of hot fixes for itemID and xml expression on how to detect each
--------------------------------------
client -> server
<systemInfo ...
COMPLETE LIST OF ALL CLIENT HARDWARE
AND DRIVER VERSIONS
>
<query procedure="DriverUpdates">
server -> client
presumably a list of which drivers are out of date (mine is all up to
date, and I am too lazy to make an artificial scenario to test this)
--------------------------------------
Louis Solomon
www.SteelBytes.com
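
An added example, not part of the original post and not code from Microsoft or SteelBytes: a small auditor for captured client -> server request bodies that reports, per query procedure, how many per-device records ride along inside systemInfo. Only the `systemInfo` and `query` elements and the procedure names come from the post; the sample bodies are constructed, and every other element or attribute name (`os`, `item`, `device`, `hwid`, `driverVer`) is a hypothetical stand-in for the elided `...`.

```python
import xml.etree.ElementTree as ET

# Constructed request bodies. Only <systemInfo>, <query> and the procedure
# names come from the post; every other element and attribute name
# (os, item, device, hwid, driverVer) is a hypothetical stand-in.
SAMPLE_REQUESTS = [
    '<systemInfo os="constructed"/><query procedure="Providers"/>',
    '<systemInfo os="constructed"/>'
    '<query procedure="Items"><item id="constructed-1"/></query>',
    '<systemInfo os="constructed">'
    '<device hwid="CONSTRUCTED\\DEV_0001" driverVer="0.0.0.1"/>'
    '<device hwid="CONSTRUCTED\\DEV_0002" driverVer="0.0.0.2"/>'
    '</systemInfo><query procedure="DriverUpdates"/>',
]

def audit_request(body):
    """Summarise what one client -> server body carries."""
    # The fragments are sibling elements, so wrap them in a synthetic root.
    root = ET.fromstring("<capture>" + body + "</capture>")
    info = root.find("systemInfo")
    query = root.find("query")
    children = list(info) if info is not None else []
    return {
        "procedure": query.get("procedure") if query is not None else None,
        "systeminfo_attrs": sorted(info.attrib) if info is not None else [],
        "inventory_entries": len(children),
        "inventory_fields": sorted({k for c in children for k in c.attrib}),
    }

def audit_capture(bodies):
    """Audit every request; malformed bodies are reported, not dropped."""
    report = []
    for n, body in enumerate(bodies, 1):
        try:
            row = audit_request(body)
        except ET.ParseError as exc:
            row = {"procedure": None, "error": str(exc), "inventory_entries": 0}
        row["request"] = n
        report.append(row)
    return report

def requests_with_inventory(report):
    """Request numbers whose systemInfo embeds per-device records."""
    return [r["request"] for r in report if r["inventory_entries"] > 0]

if __name__ == "__main__":
    for row in audit_capture(SAMPLE_REQUESTS):
        print(row)
```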