NTBUGTRAQ Bashes Windows Update

BigBadBri writes "Russ Cooper, keeper of the NTBUGTRAQ list, has a few concerns (to put it mildly) with the trustworthiness of Microsoft's Windows Update."
  • by Anonymous Coward on Thursday May 15, 2003 @11:00AM (#5964190)
    Well, looks like Windows Update has once again shown how untrustworthy Microsoft can be. For at least the past several days Windows Update has been providing consumers with false information. WU users would connect, initiate the scan, the scan would complete and inform the user their system needed no patches. Wonderful, a clean bill of health, or so the consumer thought.

    In reality, some flaw in the Windows Update process has led it to conclude that a system, in need of critical security patches, is instead clean and good to go on the Internet. In other words, if the security check fails, tell consumers they're just fine and don't need anything.

    It's good that we don't need elaborate checklists and voodoo mojo security tools to check our systems; we only have to make a quick visit to Windows Update to be sure. Finally, with the introduction of Automatic Updates, we no longer even need to make that visit manually, we can trust that Microsoft will supply us with a properly tested security patch within 24 hours and patch our systems for us (unless we're running Windows XP and got MS03-013 when it was released to WU.)

    A year ago I complained about Windows Update, with its registry only checking and myriad other problems. At the time Microsoft was distributing Shavlik's HFNetchk, and so at least with tools from Microsoft we could see the error of Windows Update's ways. That cry of disgust caused Microsoft to yank HFNetchk, because they hadn't licensed it and didn't have a formal agreement for its promotion. "Consumers be damned, make darn sure they're not getting conflicting information from us" seemed to be the rallying cry at Microsoft.

    I questioned the Trustworthy Computing Initiative's value then because of that debacle. When asked by the media at the new year how I felt the Trustworthy Computing Initiative had progressed, I gave it an "F", or failing grade. Some wondered why, and pointed to things which the public hadn't seen as justification for TCI's benefits. Seems too many never bothered to read Bill Gates' memo. They failed to grasp the fact that TCI was in response to a public perception that Microsoft was not sufficiently trustworthy.

    Has Microsoft done anything to change that perception? No, absolutely not I say! (emphatically)

    Let me put it this way. Since the inception of Windows Update millions of computers have been infected with Trojans that are today allowing individuals to conduct en-masse DDoS attacks. Read that how you want, but it's a fact. Here's another. Since the inception of Windows Update Microsoft has gone to producing patches almost every week. Few if any businesses have found Microsoft trustworthy enough to permit automatic updates. So since the inception of Windows Update Microsoft has increased the number of times an Administrator needs to patch every Windows system in his/her company. Since Windows Update Microsoft has made it increasingly difficult for an Administrator to avoid Windows Update. Despite the fact that at no time has Windows Update ever proven itself trustworthy, Microsoft continues to force you to use this unreliable mechanism more.

    If anyone is wondering why Windows Update is a dog, again, consider the posts this week to NTBugtraq. You wouldn't believe the number of individual experiences I received regarding problems with Windows Update. No doubt Microsoft receives far more than I do. I can't believe that huge corporations are having the problems they are, nor can I believe they haven't received a reasonable answer from Microsoft as to why the problems exist. The fact that so many possible solutions were seen to correct problems with Windows Update also suggests the environment is far less stable than it even appears to me.

    Consider: to use Windows Update reliably I need to:

    1. Ensure my system date is reasonably correct.
    2. Ensure my IE language setting hasn't disappeared for some reason. Even if it hasn't disappeared, try adding another language too.
    3. Ensure I don't have a network sha
  • by jkrise ( 535370 ) on Thursday May 15, 2003 @11:02AM (#5964221) Journal
    Bugtraq hasn't trashed Microsoft Windows - just the Microsoft Windows Update.

    "has a few concerns (to put it mildly) with the trustworthiness of Microsoft's Windows Update."

    Good.
  • The site www.ntbugtraq.com is running Microsoft-IIS/5.0 on Windows 2000. So, close.
  • by Call Me Black Cloud ( 616282 ) on Thursday May 15, 2003 @11:11AM (#5964318)
    "More often than not"? Really? That hasn't been my experience. In fact, I haven't experienced a single problem due to a Windows update.

    Please give your basis for that statement. How many updates have you installed and how many things have broken because of those updates? Are you speaking for yourself only or the population at large? If what you state is true then others must have the same problem, that more things are broken than fixed by Windows updates. Certainly there must be more on the web about this - can you provide any links to supporting information?
  • by martin ( 1336 ) <<maxsec> <at> <gmail.com>> on Thursday May 15, 2003 @11:13AM (#5964343) Journal
    No, not a rip-off, but a list with less scope (just MS stuff).

    Spawned a few years ago by people who wanted to get the NT stuff only and not general stuff. Works well.

    AS for WU - remember most of its audience is the home user. It tries to do a worthwhile job, but from experience unless you've got a fat pipe it takes ages (10MB isn't unusual) and it craps over your settings, it DOES scan and return info on what's on your machine .......

    Nice try M$ but a grade F.
  • by Lord Kestrel ( 91395 ) on Thursday May 15, 2003 @11:14AM (#5964354)
    Although I haven't had many problems with them, installing Win2k SP3 on a Vmware image causes it to fail to boot. Microsoft has a knowledge base article on it, but in order to receive the patch, you need to *call* them, which is damn expensive.

  • Re:Slashdotted... (Score:2, Informative)

    by MntlChaos ( 602380 ) on Thursday May 15, 2003 @11:16AM (#5964376)
    http://slashdot.org/comments.pl?sid=64305&cid=5964190 is a copy of the text. Unfortunately, the links point to (what else?) NTBUGTRAQ, which as we all know is down.
  • by Anonymous Coward on Thursday May 15, 2003 @11:31AM (#5964528)
    OSX runs Software Update after you install the OS for the first time. It schedules itself to run weekly and check for patches. You can select what patches you do and don't want to install, as well as drop patches from being on the list (eg, if you like iTunes 2 then you can tell it to never inform you of new versions of iTunes).

    Any user can run the software update tool and be informed of new packages. Before any can be installed, a window pops up asking for an admin account login. Once entered, download progress is indicated, install progress is indicated. All installed patches are logged to a file that can be viewed from the System Preferences.

    All in all, a very good system, although I have observed it break randomly at times, usually after a v. popular patch is released. Then, it sometimes just mysteriously fails to download the patches, though it still reports them as being available to install. I guess either patience or a manual fetch from support.apple.com are your options then.

    Anyway, I just wanted to put my two bits in on Software Update for OSX.
  • by JWW ( 79176 ) on Thursday May 15, 2003 @11:33AM (#5964550)
    Not a Windows update per se, but SP3 for SQL Server broke one of our applications and we had to roll back. That was not pretty at all.

    And once you get one bad patch that throws your systems into chaos, you get real wary of other ones in the future.
  • by Anonymous Coward on Thursday May 15, 2003 @11:35AM (#5964572)
    http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0305&L=ntbugtraq&F=P&S=&P=4505

    Date: Wed, 14 May 2003 16:42:10 -0400
    Reply-To: Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
    Sender: Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
    From: Russ <Russ.Cooper@RC.ON.CA>
    Subject: Windows Update is a dog, again!
    Content-Type: text/plain; charset="iso-8859-1"

  • by mccalli ( 323026 ) on Thursday May 15, 2003 @11:36AM (#5964588) Homepage
    Perhaps you've never used Red Hat Network...

    I have. I find it extremely irritating, because it requires separate download and install steps. I want to get my list of updates, select all, click one thing to get them installed, then walk away for a few minutes. Red Hat Network doesn't let me do that.

    Unless anyone knows differently, of course...

    Cheers,
    Ian

  • Re:turn it off (Score:5, Informative)

    by ramzak2k ( 596734 ) * on Thursday May 15, 2003 @11:37AM (#5964597)
    If you don't like error reporting, turn it off.

    1.Start>Run
    msconfig.exe

    2. Go to the Services tab and uncheck the error reporting service there.
  • by Alanus ( 309106 ) on Thursday May 15, 2003 @11:39AM (#5964626)
    Just use "up2date -u" and you're done. Even better: Schedule it...
  • by ncc74656 ( 45571 ) <scott@alfter.us> on Thursday May 15, 2003 @11:40AM (#5964630) Homepage Journal
    "More often than not"? Really? That hasn't been my experience. In fact, I haven't experienced a single problem due to a Windows update.

    Win2K SP3 broke my FireWire webcam [orangemicro.com]...when a filter graph that used it closed, the computer bluescreened. (I eventually found that you could copy ohci1394.sys from a SP2 system into %systemroot%\system32\drivers and use the camera under SP3 that way...but SP3 shouldn't have broken it to begin with.)

  • by Coz ( 178857 ) on Thursday May 15, 2003 @11:40AM (#5964631) Homepage Journal
    I haven't experienced a single problem due to a Windows update.

    I have. My Wife's XP system stopped booting after a Windows Update. It's a semi-random thing - 75% of the time, after POST (and the "Windows failed to start properly last time" screen) we get a blank screen, black, forever. Power down and try again. Another 10% of the time, we get a black screen with white bars across the bottom. Power down and try again. Maybe 15% of the time, XP boots cleanly.

    Using the different boot options doesn't help, either - same results, if you're bringing up Windows and not a command prompt. Rolling back the system to two weeks prior to the behavior starting didn't fix it, either. Now, when she gets it to boot, she leaves it on (and hopes it doesn't crash and shut down when she changes users to let our daughter play Barbie games), and we fight through multiple attempts when we reboot.

    Someday, she'll get upset enough to let me reimage it for her and reinstall XP (yes, she has to use MS-only software for her job). Until then - we try, try again....
  • by J. J. Ramsey ( 658 ) on Thursday May 15, 2003 @11:53AM (#5964762) Homepage
    "I find it [RHN] extremely irritating, because it requires separate download and install steps."

    I'm sorry, but the separation of download and install steps is a good idea. It means that you can do work while RHN downloads and not worry about things changing out from under you.
  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday May 15, 2003 @12:15PM (#5965012) Homepage Journal
    I don't know about you but I've had a ton of windows updates fail. Of course, they usually fail by saying they succeeded, but then the next day it wants to download the update again. This has happened to me with a number of updates. In each case they eventually fixed the patch installer and the problem went away.
  • by Joe5678 ( 135227 ) on Thursday May 15, 2003 @12:20PM (#5965073)
    I never visit Windows Update anymore, one too many times of it installing an update that hosed my system. Shavlik still develops HFNetChk, http://hfnetchk.shavlik.com/ [slashdot.org], and it's still free. Just run it and then go to http://www.microsoft.com/security to get the updates it says you need. A bit more of a pain, but a lot more peace of mind.
  • by philip_bailey ( 50353 ) on Thursday May 15, 2003 @12:20PM (#5965079) Homepage
    Two users who disagree. Solution would be to make the behaviour configurable then, yes?

    It _is_ configurable. Out of a long list of options ("man up2date"):

    -d, --download
    Download packages only, do not install them. This option
    is provided so that you can override the configuration
    option "Do not install packages after retrieval." It is
    mutually exclusive with the --install option.

    -i, --install
    Install packages after they are downloaded. This option
    is provided so that you can override the configuration
    option "Do not install packages after retrieval.". It is
    mutually exlusive with the the --download option.

    -u, --update
    Completely update the system. All relevant packages
    will be downloaded (and possibly installed,
    if you have configured Update Agent to do so).


    It seems to me that the main issue here is not the ease of use of systems to provide security patches (up2date, apt-get, Windows Update are all easy to use), but how much you trust the vendor / free software organisation not to break your system if you download them automatically. Personally, I haven't (yet) been burnt by RedHat's patches, and upgrade them automatically, but don't trust MS to always get things right.

    Phil
  • by curtisk ( 191737 ) on Thursday May 15, 2003 @12:24PM (#5965117) Homepage Journal
    A 2 second search [google.com] will reveal that Win2000 excluded msconfig, but you can take msconfig from any other Windows and drop it on your Win2000 box and it will work. Wipe your eyes and blow your noses...sheeesh
  • by Dishwasha ( 125561 ) on Thursday May 15, 2003 @12:35PM (#5965211)
    The trick is to download service pack 1 and install it. After you do this, windowsupdate will start giving you updates to install.
  • by JWW ( 79176 ) on Thursday May 15, 2003 @12:41PM (#5965255)
    It's called a testing environment, then go live.

    What is even more maddening, is that in the test environment (different hardware, I know in a perfect world it would be identical) it worked fine.
  • by drfreak ( 303147 ) <dtarsky.gmail@com> on Thursday May 15, 2003 @12:52PM (#5965367)
    I can confirm my downloaded copy of XP Pro refused to install SP1 for that reason. Personally, it made me happy because it gave me the kick in the ass it took to finally drop Windows altogether.

    BTW, this is only true for Windows >= XP. I actually own Windows 2000, but have it installed on about three computers at home. So even though they run in VMware, I technically still do run Windows.
  • by Deception ( 207071 ) on Thursday May 15, 2003 @12:59PM (#5965455) Homepage
    I have seen HFNetChk mentioned several times, but I have not seen BigFix (http://www.bigfix.com/) mentioned. This is another free product that will attempt to determine what updates Windows needs; it also checks other installed software for updates.
  • by walt-sjc ( 145127 ) on Thursday May 15, 2003 @01:05PM (#5965523)
    and "apt-get update;apt-get upgrade" is hard?
  • MSDN W2K (Score:2, Informative)

    by Midajo ( 654520 ) on Thursday May 15, 2003 @01:11PM (#5965571)
    My copies of Windows 2000 Professional, Server, and Advanced Server, are all from an MSDN subscription. None of them require a serial to install, and all of them update without issue.

    My biggest complaint with Windows Update is the inconvenience of having to sort the wheat from the chaff: many of the recommended updates [microsoft.com] do not concern me.
  • by FattMattP ( 86246 ) on Thursday May 15, 2003 @01:26PM (#5965718) Homepage
    I doubt it. I've had a similar problem on laptop where things acted haywire after a windows update. I restored a Ghost image from a month prior and everything was okay. Just to confirm I ran windows update again and installed the same patches I did before. Things started going nuts again.
  • Re:EULA? illegal? (Score:3, Informative)

    by curtisk ( 191737 ) on Thursday May 15, 2003 @01:45PM (#5965864) Homepage Journal
    someone needs to tell Microsoft that [microsoft.com]

    Now before you rebut saying that example refers to a dual-boot machine, you're still running an XP exe on a 2K, and if the EULA forbids that then their "tech tip" is illegal.

  • by NTBugtraq ( 673628 ) on Thursday May 15, 2003 @04:32PM (#5967439) Homepage
    Actually, I have made suggestions as to how Windows Update could be better. The second link in my post pointed to an article I wrote last year to NTBugtraq with suggestions. That message was discussed widely within Microsoft according to people there I have spoken with, yet despite that, WU continues to suck.

    Almost everything I said in this recent message is a suggestion. They need to be more informative about the activities of the application. What's the point of doing a scan and saying you need no patches if it failed in the process and recorded a message in an obscure log on your machine? The suggestion is it shouldn't do that, it should say on the web page that the scan failed, and, provide something more of an explanation than an 8-digit error message.

    Read my message again with that mindset and I think you'll see many suggestions.

    Cheers,
    Russ - NTBugtraq Editor
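
The failure mode Russ describes above, and the fix he suggests, as an added example that is not part of the original post or of any Microsoft code: a patch-status scan that treats an unfinished scan as "unknown" rather than as "no patches needed", and surfaces the error code instead of burying it in a log. The bulletin IDs, the catalog, the platform names and the 0x0BAD0001 error code are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class ScanStatus(Enum):
    COMPLETE = "complete"  # catalog fetched and compared; the result means something
    FAILED = "failed"      # scan did not finish; the result says nothing about patch state


@dataclass
class ScanResult:
    status: ScanStatus
    missing: List[str] = field(default_factory=list)
    error_code: Optional[int] = None

    def is_clean(self) -> bool:
        # Only a completed scan with nothing missing earns a clean bill of health.
        return self.status is ScanStatus.COMPLETE and not self.missing

    def summary(self) -> str:
        # What the web page should say: a failure is reported as a failure, with its code.
        if self.status is ScanStatus.FAILED:
            return f"Scan failed (error 0x{self.error_code:08X}); patch state unknown"
        return "No patches needed" if not self.missing else "Missing: " + ", ".join(self.missing)


class CatalogError(Exception):
    def __init__(self, code: int):
        super().__init__(f"catalog fetch failed: 0x{code:08X}")
        self.code = code


# Constructed sample catalog: bulletin -> platforms it applies to (not a real WU feed).
CATALOG: Dict[str, Set[str]] = {"MS03-013": {"XP", "2000"}, "MS03-007": {"2000"}}
OBSCURE_LOG: List[str] = []  # stands in for the log file on the machine that nobody reads


def fetch_catalog(fail_with: Optional[int] = None) -> Dict[str, Set[str]]:
    """Stand-in for the network fetch; raises when asked to simulate a failure."""
    if fail_with is not None:
        raise CatalogError(fail_with)
    return CATALOG


def missing_for(installed: Set[str], platform: str, catalog: Dict[str, Set[str]]) -> List[str]:
    """Bulletins that apply to this platform and are not in the installed set."""
    return sorted(b for b, plats in catalog.items() if platform in plats and b not in installed)


def scan_fail_open(installed: Set[str], platform: str, fail_with: Optional[int] = None) -> ScanResult:
    """The behaviour the thread complains about: a failed scan is reported as clean."""
    try:
        catalog = fetch_catalog(fail_with)
    except CatalogError as e:
        OBSCURE_LOG.append(f"0x{e.code:08X}")   # error recorded where the user never looks
        return ScanResult(ScanStatus.COMPLETE)   # wrong: an empty 'missing' list reads as clean
    return ScanResult(ScanStatus.COMPLETE, missing_for(installed, platform, catalog))


def scan_fail_closed(installed: Set[str], platform: str, fail_with: Optional[int] = None) -> ScanResult:
    """The suggested behaviour: a failed scan says so and carries the error code to the page."""
    try:
        catalog = fetch_catalog(fail_with)
    except CatalogError as e:
        return ScanResult(ScanStatus.FAILED, error_code=e.code)
    return ScanResult(ScanStatus.COMPLETE, missing_for(installed, platform, catalog))


if __name__ == "__main__":
    code = 0x0BAD0001  # constructed placeholder for an 8-digit WU error code
    print(scan_fail_open({"MS03-007"}, "2000", fail_with=code).summary())    # "No patches needed" (wrong)
    print(scan_fail_closed({"MS03-007"}, "2000", fail_with=code).summary())  # scan failed, state unknown
    print(scan_fail_closed({"MS03-007"}, "2000").summary())                  # "Missing: MS03-013"
```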
