Re: Windows Update is a dog, again!
From: Brian S. Bergin (ntbugtraq_at_TERABYTE.NET)
Date: 05/16/03
Date: Fri, 16 May 2003 11:32:14 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Comments in-line... BTW, go ahead and start the flames now. I'm sure this
won't go over too well; however, remember, the most vehement responses
often come when the original comment hits VERY close to home.
At 16:42 14 05 03 Wednesday, you wrote:
>Well, looks like Windows Update has once again shown how untrustworthy
>Microsoft can be. For at least the past several days Windows Update has
>been providing consumers with false information. WU users would connect,
>initiate the scan, the scan would complete and inform the user their
>system needed no patches. Wonderful, a clean bill of health, or so the
>consumer thought.
Again, you're making all the responsibility MS's. Is it Ford's problem if
people don't check their brakes for safety once in a while? Should they
have to put those wonderful mini-cams the spammers are promoting on every
brake assembly so they can monitor every Escort on the road? No, consumers
must take some responsibility for their own stuff. MS has security
newsletters that go out any time a new patch is released with instructions on
how to obtain and DL the patch. Yes, some of them are available by WU, but
they're always available as stand-alone hotfixes.
>In reality, some flaw in the Windows Update process has led it to conclude
>that a system, in need of critical security patches, is instead clean and
>good to go on the Internet. In other words, if the security check fails,
>tell consumers they're just fine and don't need anything.
I've seen Symantec's and McAfee's auto-update processes tell me there are
no updates when I can pull new defs down from their web sites. I've also
seen RHN tell me there were no updates for my RH boxes when I knew there
were. I believe this might apply here:
Let you who is without sin cast the first stone.
>It's good that we don't need elaborate checklists and voodoo mojo security
>tools to check our systems; we only have to make a quick visit to Windows
>Update to be sure. Finally, with the introduction of Automatic Updates, we
>no longer even need to make that visit manually, we can trust that
>Microsoft will supply us with a properly tested security patch within 24
>hours and patch our systems for us (unless we're running Windows XP and
>got MS03-013 when it was released to WU.)
>
>A year ago I complained about Windows Update, with its registry only
>checking and myriad other problems. At the time Microsoft was distributing
>Shavlik's HFNetchk, and so at least with tools from Microsoft we could see
>the error of Windows Update's ways. That cry of disgust caused Microsoft
>to yank HFNetchk, because they hadn't licensed it and didn't have a formal
>agreement for its promotion. "Consumers be damned, make darn sure they're
>not getting conflicting information from us" seemed to be the rallying cry
>at Microsoft.
Again, this tool has never been unavailable that I've seen. It's currently
shipping as part of MBSA. Works as well as it always has, it does have a
different file name and requires a /hf cli switch to give you the old
output mode, but it still works just fine.
>I questioned the Trustworthy Computing Initiative's value then because of
>that debacle. When asked by the media at the new year how I felt the
>Trustworthy Computing Initiative had progressed, I gave it an "F", or
>failing grade. Some wondered why, and pointed to things which the public
>hadn't seen as justification for TCI's benefits. Seems too many never
>bothered to read Bill Gates' memo. They failed to grasp the fact that TCI
>was in response to a public perception that Microsoft was not sufficiently
>trustworthy.
>
>Has Microsoft done anything to change that perception? No, absolutely not
>I say! (emphatically)
Anyone read http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0244
lately? Until humans stop writing apps and OSs there will continue to be
flaws. Linux is no different. When Linux has 90% of the market they will
be the ones being slammed for not being perfect. It's the way of the
world. The biggest are the easiest to pick on. They get more press. Does
anyone hear about Bill Clinton on a daily basis any more? No. He's no
longer 'top dog' so he's not a big target. Mr. Bush lands on an aircraft
carrier he commands and he gets slammed. Why? He's 'top dog'.
>Let me put it this way. Since the inception of Windows Update millions of
>computers have been infected with Trojans that are today allowing
>individuals to conduct en-masse DDoS attacks. Read that how you want, but
>it's a fact. Here's another. Since the inception of Windows Update
>Microsoft has gone to producing patches almost every week. Few if any
>businesses have found Microsoft trustworthy enough to permit automatic
>updates. So since the inception of Windows Update Microsoft has increased
>the number of times an Administrator needs to patch every Windows system
>in his/her company. Since Windows Update Microsoft has made it
>increasingly difficult for an Administrator to avoid Windows Update.
>Despite the fact that at no time has Windows Update ever proven itself
>trustworthy, Microsoft continue to force you to use this unreliable
>mechanism more.
Every patch at WU is available for straight DL. You can use the Windows
Update catalog to pull down standalone hot fixes for every MS OS from 98
on. So stop using WU as an automated tool. Subscribe to MS's security
lists and pull the patches down manually and apply them as such.
>If anyone is wondering why Windows Update is a dog, again, consider the
>posts this week to NTBugtraq. You wouldn't believe the number of
>individual experiences I received regarding problems with Windows Update.
>No doubt Microsoft receives far more than I do. I can't believe that huge
>corporations are having the problems they are, nor can I believe they
>haven't received a reasonable answer from Microsoft as to why the problems
>exist. The fact that so many possible solutions were seen to correct
>problems with Windows Update also suggests the environment is far less
>stable than it even appears to me.
>
>Consider, to use Windows Update reliably I need to;
>
>1. Ensure my system date is reasonably correct.
It should be within a few tenths of a second. It's quite simple to use
tick.usno.navy.mil or tock.usno.navy.mil to sync your clock. In XP the
command is:
net time /setsntp:tick.usno.navy.mil
>2. Ensure my IE language setting hasn't disappeared for some reason. Even
>if it hasn't disappeared, try adding another language too.
>3. Ensure I don't have a network share connected which has more capacity
>than the drives on my own machine.
Not true, I have a net share that has 200GB free on it, no problems here.
>4. Ensure that I am not setting up a new system and have set IE to check
>for certificate revocation.
Why? Mine are all set that way and WU works fine for us.
>5. Ensure I'm checking from the system I want patches for, meaning all of
>the systems in my environment must be the same OS or I, as Administrator,
>have multiple systems to check for updates.
Duh! If you're running Red Hat 9 would you expect patches for 7.3 to
work? That's like saying you'd expect air filters for Ford Escorts to work
on Ford Explorers.
>6. Try HTTPS instead of HTTP if it says I need no patches, it may not have
>checked properly.
I think you'll find that https://windowsupdate.microsoft.com redirects you
to a non-SSL'd page so I'm not sure what you're getting at here.
>7. Wonder if the backend systems for Windows Update are down, under
>maintenance, or just configured incorrectly if it says I need no patches,
>it may not have checked properly.
>8. Try MBSA, that's handled by a different development group than Windows
>Update so the errors might not occur in both environments, or may be
>different, so you can then have fun deducing the differences yourself.
2nd opinions are always good. Remember no tool is a substitute for knowing
what's installed on your system. MBSA isn't perfect either. If a patch is
"newer" than expected it tosses a yellow X at the error.
>9. Wait some undetermined period of time and try again!
>10. Contact Microsoft and not get a response.
SRX tickets please? I've never opened a ticket with MS that I didn't have
direct contact with a rep in a matter of minutes and everyone stating WU
is buggy should be able to open a ticket free of charge. I've never been
charged for calling with a bug. Rants are no good unless there's
reporting and confirmation to/from MS. I just got confirmation of our bug
report to MS on 2003 Server's ntbackup.exe problem. Took about a week, but
I have it, now they'll work on fixing it.
I'm sorry guys but no one is perfect. Not anyone reading this list and I'm
certainly not either. No one is. Request to join the WU beta
team. Provide your feedback and observations, report bugs, and see if they
don't get fixed. I've found them to be very responsive and eager to fix
problems.
Sincerely,
Terabyte Computers, Inc.
Brian S. Bergin
President