patch redistribution

From: George Monkey (monkeytoms_at_YAHOO.COM)
Date: 09/27/04

  • Next message: Geoff Vass: "Re: Windows Update / Office Update again!"
    Date:         Mon, 27 Sep 2004 09:27:33 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Much of the higher education sector's support personnel know this information already, but the rest of the world may not, and I suspect that more than a few heads will turn at this information. This is information is similar to the recent BitTorrent headlines, but has implications closer to home.

    Microsoft is strictly enforcing it's license agreements with respect to redistribution of security patches to "third parties".

    This means that you may not share/give a CD of Microsoft patches that you burned to someone else for use on a computer that you do not own. Institutionally, the same restriction applies. You can't patch any computer that your institution doesn't own with a patch that doesn't come directly from Microsoft's Windows Update or a certified CD from Microsoft.

    In the higher education world this means that universities are severely restricted from assisting students in patching their computers, because students are considered third-parties by Microsoft. Essentially, students must either acquire an authorized CD, burn their own copy from a fully-patched computer, or go online (unpatched!) and get the patches.

    In your network of family and friends the same scenario applies. They have to acquire their own patches.

    There are some caveats and additional horrors.

    SUS is not exempt from this idiocy. You may not redistribute patches to computers that your institution does not own via SUS. If a non-licensed computer (i.e. a computer that your institution doesn't own, and also isn't covered under a license as if it was owned by your institution) connects to your SUS server and downloads patches, then your institution is legally at fault. SUS is clearly designed to be an open patch distribution system (e.g. anonymous access is part of the design). These licensing issues severely limit the usefulness of SUS to organizations with strict intranets, and in practical terms mean that universities and other open organizations can't run SUS at all.

    But wait you say ... what if I simply buy the external connector license so that 3rd parties can connect to my SUS server? Well, then they could legally connect, but the licenses of the individual patches themselves prohibit 3rd party distribution. So no go.
    Some of Microsoft's licenses allow you to skirt this patch redistribution issue. But they are few and far between, and represent a greatly increased financial burden if you can find one. MSDN-AA (designed for academia) is one example.

    In many cases, Microsoft employees have misled their clients into thinking that unlimited redistribution of patches was OK. You should proceed with extreme caution if you are counting on a similar verbal hand-waving.

    The bottom line seems to be that the security initiative takes a back seat to other priorities within Microsoft.

    References:

    http://www.microsoft.com/Education/HEVDP.aspx contains text buried within it that first introduced this issue.

    Follow-up conversations through official Microsoft support channels provided the details summarized above.

    Some of these details are documented on the sp2-issues mailing list hosted by Educause. See http://listserv.educause.edu/cgi-bin/wa.exe?A1=ind0409&L=sp2-issues.

    Two noteworthy posts from that mailing list include:

    Final Q&A from 8/26 Web Cast
    http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0409&L=sp2-issues&T=0&F=&S=&P=2064

    and

    Windows XP SP2 Update - NEW INFORMATION REGARDING BLOCKING SP2 DOWNLOADS VIA AU AND WU
    http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0409&L=sp2-issues&T=0&F=&S=&P=1005

    both from a Microsoft employee who was "authorized" to dialogue with the Higher Education community about this issue.

    ---------------------------------
    Do you Yahoo!?
    New and Improved Yahoo! Mail - 100MB free storage!

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    -----


  • Next message: Geoff Vass: "Re: Windows Update / Office Update again!"

    Relevant Pages

    • Re: MS Security patches in my mailbox
      ... > For the last week I have been getting security patches which are ... I haven't attempted to install the patches and won't until ... people into thinking they are legitimate software patches. ... Microsoft never ever send files unsolicited in this manner. ...
      (microsoft.public.security)
    • Microsoft Releases Two New Patches
      ... Microsoft Releases Two Security Patches ... Microsoft said one patch is to fix a flaw in Windows desktop and ...
      (comp.dcom.telecom)
    • RE: Best way to deploy MS security patches ??
      ... QCHAIN usually only requires one reboot for all the patches, ... Too bad Microsoft doesn't advertise this wonderful tool more. ... Best way to deploy MS security patches ?? ... Try FREE Yahoo! ...
      (Security-Basics)
    • So Windows Update is a dog, now what?
      ... extension, that means that the soon-to-be-released Windows Update, ... How about someone getting serious about patch management over at ... In their explanation of the severity rating scheme, the Microsoft ... incredibly reliable mechanism for getting patches onto systems, ...
      (NT-Bugtraq)
    • RE: Security and EOL issues (was RE: WMF Exploit Patch released)
      ... While I sympathies with those that feel that Microsoft is getting richer ... Compare AIX to Windows, ... software support for AIX Base Operating System 4.3.3. ... Every vendor releases new builds and patches, ...
      (Security-Basics)