DIY Service Pack For Windows 2000/XP/2003
Posted by kdawson on Tue Dec 12, 2006 03:39 PM
from the patch-it-yourself dept.
Karsten Violka writes "Looking for manageable Windows updates even without an internet connection? Heise's script collection Offline Update 3.0 downloads the entire body of fresh updates for Windows 2000, XP, or Server 2003 from Microsoft's servers in one fell swoop and then uses them to create ISO-Images for CD or DVD. Included is an intelligent installer script that allows you to update as many PCs as desired." Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.
Related Stories
Patch Tuesday — IE7 Clean 75 comments
jginspace writes "As per the advance notification, Microsoft's monthly security bulletin, released yesterday, addressed five general Windows issues and one in Visual Studio. It also included a fix for a problem in Outlook Express for a total of seven updates. As patch Tuesdays go it was fairly unremarkable. The only general Windows update labeled 'critical' is for a flaw in Media Player. As usual, there's a cumulative update for Internet Explorer, but significantly, the only versions of IE affected are 5 and 6. Version 7 is clean — which is welcome news in this first update since the upgrade was pushed to the world last month. Microsoft was silent on the two zero-day Word holes, one reported here and a new one. Sans is calling this 'Black Tuesday' and recommends patches be applied urgently for the Visual Studio and Media Player vulnerabilities. Sans is recommending the Heise Offline Update utility covered in a previous story."
yeah, that's real safe (Score:3, Insightful)
Already been done in a better form (Score:5, Informative)
http://www.autopatcher.com/ [autopatcher.com]
Re:Already been done in a better form (Score:5, Informative)
Well Einstein (Score:2, Informative)
2) The probability that an unpatched PC behind a firewall will get "hacked" in the moment while you are downloading it is what... 0,2?
3) What else will we whine about now... the versatility of Macintosh hardware?
Re:Well Einstein (Score:4, Funny)
I would say your second guess of 2 is closer than your first of 0... shall we split the difference and agree at 1?
Re: (Score:3, Interesting)
Re: (Score:2)
Re:Well Einstein (Score:4, Insightful)
Home desktops aren't usually behind firewalls.
That may have been true 10 years ago, but these days most home PCs are at least behind a NAT. Unless you've gone out of your way and configured your NAT to forward all ports to your PC (i.e. a DMZ), outside attacks will be quite useless. The only threat in this case is the user downloading a virus from email, or visiting a compromised website. If you run windows update (well, several times) before you do either of those things, there's no danger.
Re:Well Einstein (Score:4, Interesting)
That may have been true 10 years ago, but these days most home PCs are at least behind a NAT.
Umm, I'd have to disagree with that statement. Around here the biggest provider of internet connectivity for home users is Roadrunner. They provide you with a cable "modem" that acts as a bridge between their network and your PC. The PC gets a globally valid address.
In fact the only Roadrunner home users I know (not counting geeks/techies) that have NAT routers are those that have more than one computer. Otherwise it's right into the PC and come and get it boys cuz I'm wide open!
Re:Well Einstein (Score:4, Funny)
I want your users. I lost internet access three times last year because some dumbass down the hall plugged his router in backwards and was trying to NAT the whole damn building.
Re: (Score:3, Informative)
Home desktops aren't usually behind firewalls
Depends on your service provider. In my experience most DSL providers use NAT routers -- even for single PC connections. Most cable providers seem to use bridges and your PC gets a globally valid address, which tends to be a problem for a Windows PC.
Then there's dialup users. But if you have to use dialup to do a complete set of Windows updates on a brand new PC it's an even money bet that you'll die from old age before they finish and in this scenario wh
Re:Well Einstein (Score:4, Funny)
Although, script kiddies might still be trying to infect it...
Does MS offer this (Score:2)
I know Apple offers their patches as download, complete with SHA1 sig.
Re: (Score:2, Interesting)
Re: (Score:2)
I can't tell... are you trying to be funny? Completely without cost (except for the costs) and better than near-instantaneous downloads, they'll probably get a CD to you within a couple months!
Re:Does MS offer this (Score:5, Funny)
Autopatcher, on the other hand, provides the actual software, which is explicitly prohibited by the TOS you mentioned. He has this hilarious line in his FAQ:
A: Yes, nwraptor once spoke to a Microsoft employee and apparently they know about us but dont care what we do!
Corporate Windows Update (Score:2, Informative)
Re: (Score:3, Informative)
Danger? (Score:5, Insightful)
A "danger" that is eliminated with a rinky $25 NAT router.
Re: (Score:2)
Re: (Score:3, Insightful)
Re:Danger? (Score:5, Informative)
Torrents (Score:3, Interesting)
Or connect to a torrent server. Watch the number of attacks on your PC's FW skyrocket the instant you run BT and connect to a tracker. Lots of hackers run torrent servers just to mine the connection information and find new, unprotected computers to attack.
autopatcher has been doing this for a while now (Score:5, Informative)
Autopatcher! [autopatcher.com]
Re: (Score:3, Insightful)
Or just buy the firewall you should have anyway (Score:2)
Or you could just buy the firewall you really should have anyway and be done with it. Seriously, I can't imagine anyone would try to argue that it's acceptable to put a server out on the net without a firewall in front of it, so why should a desktop PC be any different? That way you get to protect your unpatched Linux box too.
Re:Or just buy the firewall you should have anyway (Score:5, Insightful)
I can put an unpatched RedHat Linux system on the public Internet and download patches without worrying about it. In fact, I routinely use such systems AS the router/firewall for other systems!
If you hear people around here saying things like "Windows is insecure and/or isn't really ready for the Internet", that's because it's true, or you wouldn't need that stupid $25 router in the first place!
The fact that you can't even imagine a server without a dedicated firewall in front of it speaks volumes.
Re: (Score:2)
It has always been good practice to have a firewall, or at least a NAT router in front of any server, be it Redhat / Windows / BSD / OSX / Solaris whatever. That's only one piece of the puzzle of course, but a very important one.
However, for your average desktop machine there has to be a balance between security and usability, a balance that the builtin firewall
Re: (Score:3, Insightful)
That's up to you. But please don't take it as an offense if I say that I'd never hire you as a sysadmin.
Ask yourself this... is the 5 minutes it takes to set up basic firewalling (or even simply shutting down any daemons you're running) worth the extra time you risk if you have to reinstall the computer? Banking on averages is never a good idea, espec
nLite (Score:5, Informative)
Re: (Score:3, Interesting)
Jonah HEX
nlite (Score:4, Interesting)
http://www.nliteos.com/ [nliteos.com]
Check out RyanVM too (Score:2, Informative)
http://www.ryanvm.net/msfn/ [ryanvm.net]
This allows you to produce updated Windows installation CDs, that actually have the service packs and post-service pack hotfixes *already integrated into the installation*. This saves the extra time normally taken to install Windows *then* go apply all the updates.
Is this the kind of stupid comment that gets... (Score:2)
"Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates." - Who the heck said you should connect the unpatched machine to the 'net to grab this stuff? FFS, I bet ol' Karsten would go to town of the Windows zealot for playing stupid.
Good idea for some applications... (Score:2)
Having the patches on hand would really help when we don't have a little router on hand on field calls.
Yes but... (Score:2, Informative)
It just shows how retarded update management is in Windows. It is like 10 years behind Linux and 5 behind OSX. And Vista is no different either.
Wish they would do this for Linux Distros (Score:2)
What about Microsoft? (Score:3, Interesting)
Thank you
Re: (Score:3, Insightful)
If you're not prepared to pay for their software then you shouldn't be using it, simple. And you would probably be admired more if you had the courage and strength of conviction to go spend the time learning to use an alternative OS in order to make a much clearer statement to Microsoft that you're not prepared to pay the money they ask for their products.
Any fool can download a pirated Windows CD from the Internet, it takes initi
Stop with the "unpatched PCs are insecure" rubbish (Score:4, Informative)
On a Windows desktop PC behind a firewall, you are vulnerable to scripts and viruses that come in from emails, documents & web pages but if you stick the PC on the network and don't use it for any of those things *until* you've put on all the updates, then nothing is going to happen to it. So let's get rid of this stupid notion that the moment you put an unpatched PC on a firewalled LAN, it's going to get swamped with viruses and rootkits - it just won't happen.
No, I'm no Microsoft fan but let's stick to facts rather than "science fiction" FUD stories...
Re:Stop with the "unpatched PCs are insecure" rubb (Score:3, Insightful)
> rather than "science fiction" FUD stories...
These are not SF FUD stories. There are a lot of people who:
- don't know shit about security
- don't know shit about patching
- own USB xDSL modem or connect to *untrusted* network with wifi or something similar (do you carry a $50 router with your laptop?)
- use computer to Just Work With it - as a tool - you know
And Windows is not uber-user-friendly there. In fact I think you need to be relatively skilled t
Re:Stop with the "unpatched PCs are insecure" rubb (Score:4, Insightful)
I agree - but I've set up a number of these NAT routers recently for friends and colleagues, and apart from some simple configuration for ADSL accounts (and some wireless security if needed), these things now work pretty much out of the box. They are a whole heap of good security for little cost that are easy to set up - and protect you from about 90% of the bad things out there on the Internet the moment you switch them on.
And for your information, I carry round a Linux laptop with a fully locked down kernel firewall that I *carefully* open up as I need to if I'm on an unprotected (un-NAT-ed) Internet connection. :-)
> And Windows is not uber-user-friendly there. In fact I think you need to be relatively skilled to set up XP so it is relatively secured. Not something your mom or dad (I assume) can do with their computers.
I agree again - which is why I recommend a NAT router to anyone I know with ADSL; and if they refuse to buy one, I refuse to offer them any help when their PC goes wrong! :-)
> MS made some stupid decisions few years ago and now they pay the price. This is not FUD. People do not have the latest Vista and so on. Some of them use 5 year old computers since they tend to work for them.
Again, I agree. But, if anything, Windows 9x didn't have a complete enough IP stack to allow much to be run in the way of services out to the Internet - so it could be argued that unpatched and out of the box, a 9x machine is more secure than XP.
> I can surely install old version of Linux distribution or OSX and do not get infected in 10 minutes after connecting to untrusted network.
It depends on what's out there. Before I moved house last year, on my old ISP I ran an SSH (Secure Shell) server out to the Internet and my log files were filled with scripted access attempts against the server - just pounding away at my server with common account names hoping that one of them would allow entry.
Yes, a secured Linux server is always going to be more secure than a secured Windows server but please don't get complacent about it - it just takes one stupid mistake on either OS and someone will get into it.
Re:Stop with the "unpatched PCs are insecure" rubb (Score:5, Informative)
Since every directed IP packet on the Internet contains the sender and receiver IP address, any Internet router that sees a private address in either the source or destination address will drop the packet and not route it. Consequently, no-one on the Internet can get to a PC in the private address range - not only that but there are probably thousands of PCs using any one of those private IP addresses at any moment in time.
The trick of a NAT router is that when one of your PCs connects through the router to the Internet, the NAT router substitutes the private source IP address in each packet coming from one of those PCs with the real IP address on the Internet side of the router. So when a response comes back from, say, a web server one of your PCs is accessing, the response hits the router's Internet IP and the router puts the private IP address back in to send it back to the right PC.
It is possible to forward incoming connections to the router onto a PC in the private address space but this feature has to be manually configured on the router and is turned off by default.
So, yes, you can still download a nasty email or script from a server on the Internet, even with a NAT router in place - but then you just don't use a PC for those purposes until you've fully patched them.
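The translation behaviour described in the comment above, modelled as an added example that is not part of the original post or of any real router's code. It assumes a port-translating NAT that only accepts replies from the endpoint a LAN host contacted (real devices vary); all addresses and ports are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# RFC 1918 private ranges, which Internet routers do not forward.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    return any(ip_address(addr) in net for net in RFC1918)

def internet_routes(dst_ip):
    """An Internet router only forwards packets addressed to non-private space."""
    return not is_private(dst_ip)

@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000                        # first public port handed out (constructed)
    sessions: dict = field(default_factory=dict)  # public port -> (lan_ip, lan_port, remote_ip, remote_port)
    forwards: dict = field(default_factory=dict)  # manual port forwards; empty by default

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: swap in the public source address."""
        if not is_private(lan_ip):
            raise ValueError("LAN hosts are expected to use private addresses")
        public_port = self.next_port
        self.next_port += 1
        self.sessions[public_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return (self.public_ip, public_port, remote_ip, remote_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """A packet hits the public address: return the LAN target, or None if dropped."""
        session = self.sessions.get(public_port)
        # Assumption: replies must come from the endpoint the LAN host contacted.
        if session and session[2:] == (remote_ip, remote_port):
            return session[:2]
        return self.forwards.get(public_port)     # None unless manually configured

if __name__ == "__main__":
    nat = NatRouter("203.0.113.7")                 # constructed documentation addresses
    print(nat.outbound("192.168.1.10", 51000, "198.51.100.20", 80))
    print(nat.inbound("198.51.100.20", 80, 40000)) # reply to the session: delivered
    print(nat.inbound("192.0.2.99", 4444, 40000))  # unsolicited: None (dropped)
    nat.forwards[8080] = ("192.168.1.10", 80)      # the manual forwarding step
    print(nat.inbound("192.0.2.99", 4444, 8080))   # now reaches the LAN host
```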
Re: (Score:3, Informative)
People keep repeating it, but it's just not true. It is TRIVIALLY easy to send packets to private addresses behind an open NAT.
First off, the way in which packets sent to a NAT box disappear is like waving a big red flag that says "NAT". Then all it takes is a little bit of forging of header address, and a
Re:encountered (again) another win box without NAT (Score:4, Informative)
There's even a howto on NetBSD's website that explains exactly how to go about setting such a box up.
But you're right... generally, it's easier to go with NAT in the long run.
Security is about "survival of the fittest" (Score:4, Insightful)
The unfortunate fact about OS security is that it is a case of "survival of the fittest". It's pretty safe to assume that as long as there is an Internet, then there will be crackers out there trying to break into PCs that sit on the Internet. From their perspective, if they crack open a PC then they are happy and the longer it takes them to break into a PC, the more likely they are to just give up and try another one.
Consequently, the more "walls" you put in the way of a cracker, the more the chances that you'll reach the limit of his abilities & make him give up. So security is all about doing *multiple* things against attacks - disabling well-known account names, using strong passwords, deploying software firewalls *AND* NAT routers, turning off unnecessary services, tightening the configuration of needed services to only allow certain hosts to access... these are all *ADDITIONAL* steps to just applying software updates.
Sure, a lot of these processes are tricky for new users but a lot of them are also very simple to deploy - and any of those that you do deploy put you one step ahead of the people who don't deploy them and who are, consequently, put at more risk from attack by crackers.
Trust him? Do you know what Heise is? (Score:2, Informative)
Re: (Score:2, Insightful)
In short, don't play with strange links posted by anonymous cowards...
Jonah HEX
Re:WGA & Patching pirated copies (Score:3, Insightful)
I have a feeling it won't be quite so cut and dried with Vista though.
Re:Installed patched OS, same as old OS (Score:4, Interesting)