Windows Update is a dog, again!

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 05/14/03

  • Next message: Sharad Ahlawat: "Re: Cisco Systems VPN Client allows local logon with Elevated Privileges"
    Date:         Wed, 14 May 2003 16:42:10 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Well, looks like Windows Update has once again shown how untrustworthy Microsoft can be. For at least the past several days Windows Update has been providing consumers with false information. WU users would connect, initiate the scan, the scan would complete and inform the user their system needed no patches. Wonderful, a clean bill of health, or so the consumer thought.

    In reality, some flaw in the Windows Update process has led it to conclude that a system, in need of critical security patches, is instead clean and good to go on the Internet. In other words, if the security check fails, tell consumers they're just fine and don't need anything.

    It's good that we don't need elaborate checklists and voodoo mojo security tools to check our systems; we only have to make a quick visit to Windows Update to be sure. Finally, with the introduction of Automatic Updates, we no longer even need to make that visit manually, we can trust that Microsoft will supply us with a properly tested security patch within 24 hours and patch our systems for us (unless we're running Windows XP and got MS03-013 when it was released to WU.)

    A year ago I complained about Windows Update, with its registry only checking and myriad other problems. At the time Microsoft was distributing Shavlik's HFNetchk, and so at least with tools from Microsoft we could see the error of Windows Update's ways. That cry of disgust caused Microsoft to yank HFNetchk, because they hadn't licensed it and didn't have a formal agreement for its promotion. "Consumers be damned, make darn sure they're not getting conflicting information from us" seemed to be the rallying cry at Microsoft.

    I questioned the Trustworthy Computing Initiative's value then because of that debacle. When asked by the media at the new year how I felt the Trustworthy Computing Initiative had progressed, I gave it an "F", or failing grade. Some wondered why, and pointed to things which the public hadn't seen as justification for TCI's benefits. Seems too many never bothered to read Bill Gates' memo. They failed to grasp the fact that TCI was in response to a public perception that Microsoft was not sufficiently trustworthy.

    Has Microsoft done anything to change that perception? No, absolutely not I say! (emphatically)

    Let me put it this way. Since the inception of Windows Update millions of computers have been infected with Trojan's that are today allowing individuals to conduct en-masse DDoS attacks. Read that how you want, but its a fact. Here's another. Since the inception of Windows Update Microsoft has gone to producing patches almost every week. Few if any business' have found Microsoft trustworthy enough to permit automatic updates. So since the inception of Windows Update Microsoft has increased the number of times an Administrator needs to patch every Windows system in his/her company. Since Windows Update Microsoft has made it increasingly difficult for an Administrator to avoid Windows Update. Despite the fact that at no time has Windows Update ever proven itself trustworthy, Microsoft continue to force you to use this unreliable mechanism more.

    If anyone is wondering why Windows Update is a dog, again, consider the posts this week to NTBugtraq. You wouldn't believe the number of individual experiences I received regarding problems with Windows Update. No doubt Microsoft receives far more than I do. I can't believe that huge corporations are having the problems they are, nor can I believe they haven't received a reasonable answer from Microsoft as to why the problems exist. The fact that so many possible solutions were seen to correct problems with Windows Update also suggests the environment is far less stable than it even appears to me.

    Consider, to use Windows Update reliably I need to;

    1. Ensure my system date is reasonably correct.
    2. Ensure my IE language setting hasn't disappeared for some reason. Even if it hasn't disappeared, try adding another language too.
    3. Ensure I don't have a network share connected which has more capacity than the drives on my own machine.
    4. Ensure that I am not setting up a new system and have set IE to check for certificate revocation.
    5. Ensure I'm checking from the system I want patches for, meaning all of the systems in my environment must be the same OS or I, as Administrator, have multiple systems to check for updates.
    6. Try HTTPS instead of HTTP if it says I need no patches, it may not have checked properly.
    7. Wonder if the backend systems for Windows Update are down, under maintenance, or just configured incorrectly if it says I need no patches, it may not have checked properly.
    8. Try MBSA, that's handled by a different development group than Windows Update so the errors might not occur in both environments, or may be different, so you can then have fun deducing the differences yourself.
    9. Wait some undetermined period of time and try again!
    10. Contact Microsoft and not get a response.

    And with that list can anyone say Windows Update is reliable, or to use their words, trustworthy computing?

    But hey, what's Windows Update after-all. Its just a consumer platform for trying to fix a problem which really isn't Microsoft's after all (read the Breakseal.) Corporate users aren't using Windows Update, they're running Software Update Services...if they have a Windows 2000 system that is, and if they have one for every group they're trying to update, and if have a test environment to check every fix, and if they don't mind handling a very long list of patches they've chosen not to deploy...etc...

    If anyone was serious about beginning to tackle the trustworthiness of Microsoft, they'd have done something a year ago when I first called Windows Update a dog. See for yourself, have a look at my previous musings and then tell me what's been fixed or improved. If, like me, you see nothing...then the Trustworthy Computing Initiative once again gets an "F";

    The following URLs are wrapped to 2 lines, you'll have to piece them together for them to work;

    <http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=6886>

    <http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0204&L=ntbugtraq&F=P&S=&P=6990>

    Hello, Microsoft, are you listening???

    Everyone is free to reprint, quote, or forward any or all of this message anywhere they'd like, preferably to places where people with more influence with Microsoft than I will see it.

    Cheers,
    Russ - NTBugtraq Editor

    p.s. Here's a thought, how about getting Windows Update to remove Trojans??...;-]

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    EXECUTIVE SEMINAR: "Information Security and the Disappearing Perimeter"

    Join Peter S. Tippett, PhD, M.D., the industry's foremost authority on
    network security, and TruSecure for a free breakfast seminar on "The Impact
    of the Disappearing Perimeter." Learn how you can proactively protect your
    organization against today's newest threats, including those from remote
    users, business partners and wireless. To register, and to view the full
    list of dates and cities, click below or call 1-888-396-8348.

    http://www.trusecure.com/offer/s0096/

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo


  • Next message: Sharad Ahlawat: "Re: Cisco Systems VPN Client allows local logon with Elevated Privileges"

    Relevant Pages

    • Re: I Just Head The Entire State Of New York Has A Power Outage
      ... Windows Update flaw 'left PCs open' to MSBlast ... MSBlast, according to Russ Cooper, chief scientist at security company ... their registry and offers them list of patches that have not yet been ... Microsoft did not respond to requests for comment on the Windows Update ...
      (alt.os.linux)
    • RE: Help with XP Hotfixes and Patches
      ... Help with XP Hotfixes and Patches ... > After installing I immediately went to Windows Update to try and grab ... > I have run the Microsoft Baseline Security Analyzer thru several times ...
      (Focus-Microsoft)
    • RE: Windows Update has stopped working.
      ... Microsoft CSS Online Newsgroup Support ... Windows Update has stopped working. ... Click on Start, Run, type REGSVR32 MSXML.DLL and click OK. ...
      (microsoft.public.windows.server.sbs)
    • RE: Windows Update
      ... Subject: Windows Update ... > did say that we should install all the patches up to and including the ... > very common practice with Microsoft to forget or leave out items that ... This feature takes the SP ...
      (Focus-Microsoft)
    • Re: KB943460 / Software Distribution Service 3.0 System Restore Pr
      ... Sorry if I seemed coy its simply I had it my head you were a Microsoft ... I suppose it might simply be a rebrand of Windows Update. ... McAfee Security Center or AVG Free. ... KB943460 is not causing your System Restore problems. ...
      (microsoft.public.windowsxp.general)