patch redistribution

From: George Monkey (monkeytoms_at_YAHOO.COM)
Date: 09/27/04

    Date:         Mon, 27 Sep 2004 09:27:33 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    Many of the higher education sector's support personnel know this information already, but the rest of the world may not, and I suspect that more than a few heads will turn at this information. This information is similar to the recent BitTorrent headlines, but has implications closer to home.

    Microsoft is strictly enforcing its license agreements with respect to redistribution of security patches to "third parties".

    This means that you may not share/give a CD of Microsoft patches that you burned to someone else for use on a computer that you do not own. Institutionally, the same restriction applies. You can't patch any computer that your institution doesn't own with a patch that doesn't come directly from Microsoft's Windows Update or a certified CD from Microsoft.

    In the higher education world this means that universities are severely restricted from assisting students in patching their computers, because students are considered third parties by Microsoft. Essentially, students must either acquire an authorized CD, burn their own copy from a fully-patched computer, or go online (unpatched!) and get the patches.

    In your network of family and friends the same scenario applies. They have to acquire their own patches.

    There are some caveats and additional horrors.

    SUS is not exempt from this idiocy. You may not redistribute patches to computers that your institution does not own via SUS. If a non-licensed computer (i.e. a computer that your institution doesn't own, and also isn't covered under a license as if it was owned by your institution) connects to your SUS server and downloads patches, then your institution is legally at fault. SUS is clearly designed to be an open patch distribution system (e.g. anonymous access is part of the design). These licensing issues severely limit the usefulness of SUS to organizations with strict intranets, and in practical terms mean that universities and other open organizations can't run SUS at all.

    But wait you say ... what if I simply buy the external connector license so that 3rd parties can connect to my SUS server? Well, then they could legally connect, but the licenses of the individual patches themselves prohibit 3rd party distribution. So no go.

    Some of Microsoft's licenses allow you to skirt this patch redistribution issue. But they are few and far between, and represent a greatly increased financial burden if you can find one. MSDN-AA (designed for academia) is one example.

    In many cases, Microsoft employees have misled their clients into thinking that unlimited redistribution of patches was OK. You should proceed with extreme caution if you are counting on a similar verbal hand-waving.

    The bottom line seems to be that the security initiative takes a back seat to other priorities within Microsoft.

    References:

    http://www.microsoft.com/Education/HEVDP.aspx contains text buried within it that first introduced this issue.

    Follow-up conversations through official Microsoft support channels provided the details summarized above.

    Some of these details are documented on the sp2-issues mailing list hosted by Educause. See http://listserv.educause.edu/cgi-bin/wa.exe?A1=ind0409&L=sp2-issues.

    Two noteworthy posts from that mailing list include:

    Final Q&A from 8/26 Web Cast
    http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0409&L=sp2-issues&T=0&F=&S=&P=2064

    and

    Windows XP SP2 Update - NEW INFORMATION REGARDING BLOCKING SP2 DOWNLOADS VIA AU AND WU
    http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0409&L=sp2-issues&T=0&F=&S=&P=1005

    both from a Microsoft employee who was "authorized" to dialogue with the Higher Education community about this issue.

