Re: Windows Update Support on Win2K sp2

From: Marty Brewer (brewer_at_REMSS.COM)
Date: 10/24/03

  • Next message: Jeff Click: "MS Office 2003 Customer Experience Feedback Program" 
    Date:         Thu, 23 Oct 2003 18:59:58 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    At 03:09 PM 10/23/2003, you wrote:
    >Last week, Steve Ballmer announced that Microsoft will be providing
    >security patch support for both Windows 2000 SP2, and Windows NT4 SP6a
    >through June 30, 2004. You can expect to see any security patches
    >released for these two platforms available via WU through this date.

    That is what I expected a week ago, but running WU on several Windows 2000
    SP2 boxes led me to believe that those boxes had no critical
    vulnerabilities. SP4 was offered, but nothing else. (Thu, 16 Oct 2003)

    I think many WU users would have (and maybe have) left the matter in
    blissful ignorance.

    However, something didn't seem right...so...
    ...after installing SP3, WU had many critical patches to offer.

    I then assumed that only the latest 2 service packs would be supported by WU.

    I don't think anyone expects WU to be perfect, but I think if WU was not
    going to scan for critical vulnerabilities due to service pack level, it
    should have said so.

    Today, WU on the same SP2 box has several critical patches to offer.
    Perhaps it was a temporary problem.

    I thought this was valuable information, so I posted last week.

    I think many people in the world use WU, and the feedback it provides
    should be as trustworthy as reasonably possible.

    Marty

    >Date: Thu, 16 Oct 2003 14:30:17 -0700
    >To: NTBugtraq@listserv.ntbugtraq.com
    >From: Marty Brewer <brewer@remss.com>
    >Subject: Windows Update Behavior on Win2000 sp2
    >
    >In light of the recent critical patches, I would expect Windows Update to
    >offer at least some of them.
    >
    >On several Win2000 sp2 clients, WU offers sp4, but none of the recent
    >security updates.
    >
    >Perhaps they were patched with Automatic Updates, or some other mechanism,
    >but I don't think so.
    >
    >I downloaded the ISS MS03-043 Popup Messenger scanner (thanks), which
    >indicated the Win2000 sp2 machines were vulnerable.
    >
    >http://www.microsoft.com/technet/security/bulletin/MS03-043.asp
    >provides a different patch for sp2 and sp3,4 (so it would seem that sp2 is
    >supported)
    >
    >
    >Is the idea that WU users should first install the latest service pack,
    >and only then will WU be able to detect critical security vulnerabilities?
    >
    >Could this be anticipated WU behavior?
    >
    >If so, perhaps WU could enlighten people.
    >The WU behavior I'm seeing implies that the machine is fully patched (if
    >not fully service packed) when it is not.

    *************************************
    Marty Brewer
    Remote Sensing Systems
    438 First Street, Suite 200
    Santa Rosa, CA 95401 USA

    (707) 545-2904 X24 voice
    (707) 545-2906 FAX

    http://www.remss.com
    *************************************

    -----
    Marcus Ranum's new book "The Myth of Homeland Security" is now out and
    is available from http://www.amazon.com/ranum In this hard-hitting
    review of the homeland security business, Ranum shows us how the problem
    is vastly harder than it's being made to sound, and how special
    interests, *** covering, and bureaucracy are threatening to derail any
    chance of making progress.
    -----

  • Next message: Jeff Click: "MS Office 2003 Customer Experience Feedback Program"