
NTBUGTRAQ Bashes Windows Update

BigBadBri writes "Russ Cooper, keeper of the NTBUGTRAQ list, has a few concerns (to put it mildly) with the trustworthiness of Microsoft's Windows Update."


  • by Gortbusters.org ( 637314 ) on Thursday May 15, 2003 @11:00AM (#5964201) Homepage Journal
    When we had the story that XP SP1 hogged memory.

    Will a major company fix an expensive flaw for the masses and distribute it for free?

  • by Sheetrock ( 152993 ) on Thursday May 15, 2003 @11:04AM (#5964236) Homepage Journal
    Why should Microsoft platforms be immune from the progress that the Open Source spirit has given other platforms? Windows Update doesn't have to be the sole source for the common user of updates, patches, etc. -- many of these are third-party, anyway, and could probably be handled similarly to apt-get, rpm, or emerge.

    I've read a number of depressed perspectives on how we've got to accept a broken technology because it is patent-encumbered, closed source, or whatever, and I wonder "Where's your initiative, people?" To use a cooking analogy: the Koreans and the Dutch couldn't be much more different geographically, but at approximately the same time in history they faced a similar crisis involving an abundance of fuel and a pittance of foodstuffs -- the Koreans invented stir-frying, which allowed a maximum amount of heat in a minimum amount of time to sear their food, while the Dutch came up with the Dutch Oven, which is an ancient European equivalent of the Crock-Pot where food was cooked in its own vapors in a covered environment at a low temperature over an extended period of time.

    This is only one of a number of similar examples throughout history of almost-parallel development. People have constantly had to reinvent the wheel for any number of reasons, but most importantly the process was influenced by cultural and social factors that ultimately lead to different approaches towards the same problem. Thus we can choose from the solutions the one that is most efficient or most effective... the strength of Open Source.

    I guess the point is that there is almost always more than one way to solve a problem, and generally it's the optimists that get to it. I see too many good ideas sunk by naysayers that won't give a concept a fair shake; irregardless, who could have predicted the computer, air travel, or the mysteries of the atom a mere century ago? Hope for even the best of the future and it will yet exceed your expectations.

  • by DaPhoenix ( 318174 ) <rayb@[ ].net ['kod' in gap]> on Thursday May 15, 2003 @11:05AM (#5964244)
    Man it seems like every day we find out how to define the 'trustworthy' in "trustworthy computing"

    First Windows, then the Outlook bugs, then the Hotmail bugs, now the Windows Update security issues - not to mention the Shatter Exploit [tombom.co.uk] (fundamental unfixable Win API flaws)

    Mmm I love days like today. :)
  • strange timing... (Score:4, Interesting)

    by drummerboy714 ( 632637 ) on Thursday May 15, 2003 @11:09AM (#5964292)
    Last week I spent all day downloading patches for an XP laptop that we are evaluating. Today we (my notoriously adorable assistant) received a notification that there are (surprise!) more patches to download. When I looked at the list, some of them were going back to Feb of 2002. We looked at what patches and Q#'s show as installed, and several of these are the same ones WUS show as needed. Needless to say, we are yanking the XP OS and going back to W2K. Oh, that we could use Linux in our production environment!!!!
  • Bugs (Score:5, Interesting)

    by Mr_Silver ( 213637 ) on Thursday May 15, 2003 @11:12AM (#5964328)
    In reality, some flaw in the Windows Update process has led it to conclude that a system, in need of critical security patches, is instead clean and good to go on the Internet. In other words, if the security check fails, tell consumers they're just fine and don't need anything.

    To summarise:

    Windows update has a bug in it. Until MS release a fix, you can't really trust it. Oh yes, and you can't really trust that the patches it downloads and installs won't total your system - but everyone vaguely clueful and in IT knew that already.

    Have I missed anything?
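
    The failure mode summarised above (a detection step whose own failure is reported as "nothing needed") is a fail-open design. The following is an added example, not code from the thread or from Microsoft, showing the buggy shape beside a fail-closed one: the checker returns a three-valued status so a scan that could not complete is never shown as "clean". The catalog, inventories and patch ids are constructed for the example.

```python
"""
Added example, not code from the thread or from Microsoft: an update check
that fails closed. The bug discussed above is a detection step whose own
failure is reported as "no patches needed". Here the check returns a
three-valued status so a failed scan is never confused with a clean one.
The catalog, inventories and patch ids below are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class CheckStatus(Enum):
    UP_TO_DATE = "up_to_date"
    PATCHES_NEEDED = "patches_needed"
    UNKNOWN = "unknown"        # the check itself failed; never shown as "clean"


@dataclass
class CheckResult:
    status: CheckStatus
    missing: List[str] = field(default_factory=list)
    reason: Optional[str] = None


# Constructed catalog: patch id -> component and the first fixed version.
CATALOG: Dict[str, Dict[str, str]] = {
    "PATCH-CONSTRUCTED-001": {"component": "kernel", "fixed_in": "5.0.2195.6"},
    "PATCH-CONSTRUCTED-002": {"component": "browser", "fixed_in": "6.0.2800.1106"},
}

# Constructed inventories: one complete, one where the scanner failed to
# read the kernel version (the kind of partial result that triggers the bug).
GOOD_INVENTORY = {"kernel": "5.0.2195.5", "browser": "6.0.2800.1106"}
PARTIAL_INVENTORY = {"browser": "6.0.2800.1106"}


def version_tuple(v: str) -> Tuple[int, ...]:
    """Parse a dotted version; raises ValueError on garbage input."""
    return tuple(int(p) for p in v.split("."))


def missing_patches(inventory: Dict[str, str],
                    catalog: Dict[str, Dict[str, str]]) -> List[str]:
    """Return patch ids whose component is below the fixed version.
    Raises KeyError if the inventory lacks a component the catalog needs."""
    missing = []
    for patch_id, entry in catalog.items():
        installed = inventory[entry["component"]]     # KeyError on partial scan
        if version_tuple(installed) < version_tuple(entry["fixed_in"]):
            missing.append(patch_id)
    return missing


def check_fail_open(inventory: Dict[str, str], catalog=CATALOG) -> CheckResult:
    """The buggy shape: a failed scan collapses to 'up to date'."""
    try:
        missing = missing_patches(inventory, catalog)
    except Exception:
        missing = []           # scan failure silently becomes "nothing needed"
    if missing:
        return CheckResult(CheckStatus.PATCHES_NEEDED, missing)
    return CheckResult(CheckStatus.UP_TO_DATE)


def check_fail_closed(inventory: Dict[str, str], catalog=CATALOG) -> CheckResult:
    """The safe shape: a failed scan is reported as UNKNOWN with a reason."""
    try:
        missing = missing_patches(inventory, catalog)
    except (KeyError, ValueError) as exc:
        return CheckResult(CheckStatus.UNKNOWN, reason=f"detection failed: {exc!r}")
    if missing:
        return CheckResult(CheckStatus.PATCHES_NEEDED, missing)
    return CheckResult(CheckStatus.UP_TO_DATE)


if __name__ == "__main__":
    for name, inv in (("good", GOOD_INVENTORY), ("partial", PARTIAL_INVENTORY)):
        print(name, "fail-open   ->", check_fail_open(inv).status.value)
        closed = check_fail_closed(inv)
        print(name, "fail-closed ->", closed.status.value, closed.reason or "")
```

    Run stand-alone, the partial inventory is reported as up to date by the fail-open checker and as unknown by the fail-closed one; a UI built on the second version can tell the user the scan did not complete instead of telling them they are fine.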

  • by JUSTONEMORELATTE ( 584508 ) on Thursday May 15, 2003 @11:13AM (#5964334) Homepage
    Strangely, when /. posts items that refer to bugtraq.com, there aren't all these "slashdotted already?" posts.
    Hmmm....
    www.netcraft.com sez:


    --
  • Re:Trust? (Score:4, Interesting)

    by dre80 ( 613210 ) * on Thursday May 15, 2003 @11:14AM (#5964350)
    If anything, messages like that are a late attempt to catch up. Netscape/Mozilla have had the Quality Feedback Agent at least since the Netscape 4 era, and it was hailed as an example to follow. Well, like it or not, the example has been followed. MS may well not treat the information the same way, but tracking bugs has become increasingly important as applications get increasingly larger and more complex.

    I don't trust Microsoft in general, but in this case they've yet to prove that their intentions are any other than making quality software.
  • Re:hmmm... (Score:3, Interesting)

    by Justin205 ( 662116 ) on Thursday May 15, 2003 @11:15AM (#5964372) Homepage
    Red Hat updates are usually fairly on time, especially for security stuff. Feature updates usually only come in the next version, but since it's free, no big problem. Windows Update seems to get updates late, from when they are first available, if you know where to look, and isn't very reliable. When I use Windows, I've had the SP1 install on XP screw up at least twice from Windows Update, so I go download the installer manually.
  • by Triumph The Insult C ( 586706 ) on Thursday May 15, 2003 @11:21AM (#5964439) Homepage Journal
    That's what this [microsoft.com] is for. =)
  • by the-dude-man ( 629634 ) on Thursday May 15, 2003 @11:24AM (#5964463)
    As for WU - remember most of its audience is the home user. It tries to do a worthwhile job, but from experience unless you've got a fat pipe it takes ages (10MB isn't unusual) and it craps over your settings, it DOES scan and return info on what's on your machine .......

    This is very true, and if anyone doubts it, grab yourself a copy of vmware for linux systems (ironically, that's the ad at the top of this page) and fire up windows XP, then, do a tcpdump on the interface that vmware is using, run strings on the data inside the packets....it's quite interesting what you see when you reassemble all the packets going to v4.windowsupdate.microsoft.com.

    This is also true when win98 is run within VMware, and windows update sends that nice message box saying "this is done without sending data to Microsoft"

    Windows, it's what's for dinner
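
    The capture-and-strings check described in the comment above is a standard egress audit: confirm what a client actually transmits rather than trust its dialog box. The following is an added example, not code from the thread, that does the strings(1) step over reassembled payloads, groups the results by destination host, and flags fields an auditor would not expect to leave the machine. The packets, the marker list and the host `other.example` are constructed; in practice the payloads would come from a capture file written by tcpdump.

```python
"""
Added example, not code from the thread: a strings(1)-style audit of
captured payloads, grouped by destination host, for checking what an
updater actually sends. The packets, markers and the host other.example
are constructed; real input would be reassembled payloads from a capture.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Minimum run length, matching strings(1)'s default of 4.
MIN_LEN = 4

# Constructed packets: (destination host, raw TCP payload bytes).
SAMPLE_PACKETS: List[Tuple[str, bytes]] = [
    ("v4.windowsupdate.microsoft.com",
     b"POST /check HTTP/1.1\r\nHost: v4.windowsupdate.microsoft.com\r\n"
     b"Content-Type: application/octet-stream\r\n\r\n"
     b"\x01\x00\x13ProductId=CONSTRUCTED-00000-11111\x00\x02"
     b"\x7f\x80MachineName=LAB-PC-01\x00\xff\xfe"),
    ("other.example",
     b"GET /index.html HTTP/1.1\r\nHost: other.example\r\n\r\n"),
]

# Constructed markers for fields an auditor might not expect to see on the wire.
SENSITIVE_MARKERS: Tuple[str, ...] = ("ProductId=", "MachineName=")


def extract_strings(payload: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable-ASCII runs of at least min_len bytes, as strings(1) would."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(payload)]


def strings_by_host(packets: Iterable[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Group the extracted strings by destination host, preserving packet order."""
    out: Dict[str, List[str]] = defaultdict(list)
    for host, payload in packets:
        out[host].extend(extract_strings(payload))
    return dict(out)


def flag_sensitive(by_host: Dict[str, List[str]],
                   markers: Tuple[str, ...] = SENSITIVE_MARKERS) -> Dict[str, List[str]]:
    """Return only the hosts that received a string containing one of the markers."""
    flagged: Dict[str, List[str]] = {}
    for host, strs in by_host.items():
        hits = [s for s in strs if any(m in s for m in markers)]
        if hits:
            flagged[host] = hits
    return flagged


if __name__ == "__main__":
    grouped = strings_by_host(SAMPLE_PACKETS)
    for host, strs in grouped.items():
        print(host)
        for s in strs:
            print("   ", s)
    print("flagged:", flag_sensitive(grouped))
```

    The point of grouping by host is that a claim like "nothing is sent" is only checkable per destination; the marker list is the part a practitioner tailors to their own environment (machine names, licence identifiers, usernames), and anything that matches is a finding to raise with the vendor, not proof of intent.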
  • by jkrise ( 535370 ) on Thursday May 15, 2003 @11:27AM (#5964500) Journal
    "people don't patch their systems by hand. "
    I've never seen anybody do that, I agree :->

    "I can only imagine the outcry if M$ DIDN'T have a Windows Update. It would be an evil scheme or something."

    Tell me something. Why is it that MS refuses to deal directly with its own customers? Why should it sell thru OEMs etc. and support thru the web? Why can't MS offer support services directly thru their various offices and provide a CD that does the Update Services? A day's delay in couriering the CD? The CD media would cost about 20c. Even 50 CDs a year (we're talking MS here) would cost about $10 for the CDs and a maximum of $100 for postage.

    MS support services cost much more than $150 per year, but still the customers are denied the convenience of a CD and no intrusion on their systems. Why?
  • Re:duh (Score:1, Interesting)

    by aflat362 ( 601039 ) on Thursday May 15, 2003 @11:28AM (#5964510) Homepage
    I think you can trust the New York Times. They are the ones that ran the story exposing and blaming their employee for fraud - remember?

    If NYT was an untrustworthy paper they would have simply fired him and tried to cover it up. The NYT employs humans just like every other business so they are prone to err once in a while just like everybody else.

    If you put 100% trust in ANYTHING where humans are involved then you are a fool. If you cast aside all trust for a single incident such as this then you are a fool as well.

  • by digitalgiblet ( 530309 ) on Thursday May 15, 2003 @11:32AM (#5964546) Homepage Journal
    A few weeks ago I ran update... (cue ominous music).

    It applied Service Pack 3 to Win 2K and rebooted. When it came back up (or actually failed to), it could no longer see the ATA100 hard drive on which it was installed...

    I tinkered around for about an hour before I decided it would be quicker to re-install than to try to fix it...

    Until then I had had good experiences with update for the most part. It is a good concept (like Red Hat Network), but given the wide range of hardware/software configurations out there, I'm not sure it will ever get to the point that a large update doesn't fry someone...

  • by Anonymous Coward on Thursday May 15, 2003 @11:41AM (#5964643)
    This isn't related to NTBUGTRAQ's problem as I'm sure they are using a legal license of Windows, however: blacklisted, warezed Windows don't update. If you run Windows update and don't get any service packs at all (even at clean install) you have an illegal license of Windows, or at least your s/n has been blacklisted.
  • by GlassUser ( 190787 ) <[ten.resussalg] [ta] [todhsals]> on Thursday May 15, 2003 @11:45AM (#5964695) Homepage Journal
    FUD. Plain and simple FUD. I've required several patches that you have to call in to get. When the support person (I would normally say droid, but MS is the sole exception here - I have never spoken with anyone at MS that does not know what they're talking about - they know what they're supposed to and will tell you if they don't know what you ask) answers the phone explain that a KB article says you have to call in for a patch. They will ask for the article number, your name, phone number, and email address, and will send you a link and password for the file. Often, someone will call back a few days later to make sure you got everything okay. They've never asked me for billing information.
  • Re:Bugs (Score:2, Interesting)

    by il_diablo ( 574683 ) on Thursday May 15, 2003 @11:50AM (#5964733) Homepage
    Not sure if that was supposed to be a funny comment, but the first step on the Windows Update page is to check for the latest version of Windows Update. Via a different type of check than WU itself uses (IIRC).
  • by jtrascap ( 526135 ) <bitbucket@nOSpam.mediaplaza.nl> on Thursday May 15, 2003 @11:53AM (#5964757)
    ""More often than not"? Really? That hasn't been my experience. In fact, I haven't experienced a single problem due to a Windows update."

    You want examples? Try using Win2K and WebTrends Web Analyzer (and don't change the subject by suggesting a different log analysis tool - this is required by the company).

    Somewhere, after a raft of updates last winter, the damn system kept locking-up in the middle of analysis. So we rip it down, build it back up fresh and remove anything that could cause issues. Same problem. The machine's a Dell Optiplex PIII 450, with 384MB of RAM and 40GBs of drive space - and it can't reliably run a logfile of 2MB without locking-up hard. And so we do it again. And again. Feh!

    We're all baffled. Anything else can run, and WebTrends says they're compatible but quietly acknowledges (via a help person) that Win2K people have been having update issues. I've spoken to others so this bit of anecdotal information strikes a nerve.

    WinXP has given me issues with media player codec problems, window redraws, explorer.exe running wild (climbing to 99% of processor time) after servicepak 1.

    Windows sucks. Period. We all know it. We're the smart ones, but the other 90% of the user base is either too frightened/lazy to change to something that works, or too cynical to even consider change. The damn system is mystery to most users - they just pray it works, and when it doesn't, all they can do is rip it out and start over.

    This is not the way it's supposed to be.
  • by bishmasterb ( 536143 ) on Thursday May 15, 2003 @12:01PM (#5964844)
    I've had my fair share (well I think more than fair...) of BSODs following the installation of a patch or service pack. But overall, things are much improved. This sort of thing happens MUCH less frequently in Win2K than it did in NT4 (which itself was better than 3.51). It's infrequent enough that I don't worry myself too much when doing MS-Update or SP installs. (I still always have an up-to-date System State backup, and a parallel install of Win2K to boot into).
  • Re:Trust? (Score:2, Interesting)

    by dre80 ( 613210 ) * on Thursday May 15, 2003 @12:02PM (#5964852)
    True enough, but in this specific instance, the addition of bug tracking, there has yet to be any evidence of ulterior motives. It's also hard to argue that tracking and fixing bugs is anything but an attempt to improve software quality. Microsoft or not, analyzing the cause of software crashes is inevitably a good thing.
  • by Anonymous Coward on Thursday May 15, 2003 @12:08PM (#5964931)
    If you're really paranoid (and, IMO, justifiably so with M$) just turning reporting "off" is useless. How do you know it's off? Because another piece of M$ code says so?

    The only way to be sure is to packet-sniff your network using products where you can see all the source code.

  • by Cromac ( 610264 ) on Thursday May 15, 2003 @12:20PM (#5965081)
    "More often than not"? Really? That hasn't been my experience. In fact, I haven't experienced a single problem due to a Windows update.

    Please give your basis for that statement. How many updates have you installed and how many things have broken because of those updates?

    In my case almost certainly more than you have since I worked on the Windows Update team at MS. I know how well they tested the updates, what kind of things were bugged and not fixed and in general their level of quality control.

    More often than not patches installed via WU will work fine, but I've seen them cause BSOD that require a reinstall to fix often enough that I don't use it.

  • by Jarnis ( 266190 ) on Thursday May 15, 2003 @12:36PM (#5965221)
    'No patches for warez versions' creates a nice side-effect.

    World full of unpatched warez windozes, ready to be exploited & zombified.

    I'm not saying MS should hand out patches and support even to those who steal their software, but the block will have this side-effect, and it may, in the long term, be a problem. In a perfect world every system would be secure and patched. In the real world most normal luser systems tend to be spotty on the patches, but if you intentionally block out illegal copies, you ensure that certain, rather high percentage of world's computers will be 0wnz0rable on demand. The users won't care, or consider the risk lesser than the price of actually paying for their windoze.
  • by BJZQ8 ( 644168 ) on Thursday May 15, 2003 @12:40PM (#5965253) Homepage Journal
    Well, since this has generated a bit of controversy and even accusations of my own anti-Microsoftery, I will elaborate on a few of my experiences. And yes, these are all my personal experiences, not something I've picked off of a website. Perhaps I should have said patch, Service Pack, or any software drivel coming from Redmond. My point is that I look upon anything from them with suspicion, and not because I'm any sort of linux zealot.

    First of all I'll describe the (original, since upgraded) system. Three Compaq NT4 machines providing proxy, mail, and print serving to a school district of 3000 students/faculty, spread across six buildings through a T1 WAN. Install one or the other "security updates" for NT4. Boy what a wonderful day, the Primary DC won't boot. Solution...restore from backup tapes, and find ways to work around the security problems without installing their update. Later, we upgrade to Win2K Server. Everybody's happy and fine. Install SP1...wow isn't that nice, the Primary DC for the entire district suddenly won't go beyond a blue-screen on boot. Restore from tape, live with SP(null.)

    Now I'm in another district with no Windows servers. Three Netware 6.0 machines, and two Linux boxes that are slowly invading their formerly-held territory of proxy, web, print and e-mail. I never said Novell patches weren't crap either, or their operating system. But we won't go into that. As far as non-server Windows stuff, I have long since turned off any auto-updating in the district or my personal machines, for fear Microsoft will pass something down the line that will screw something up.

    I will also use the case in point of SP3, which breaks the EULA, of all things. I work for a grocery store chain that also has a pharmacy...they are scared to death of HIPAA and Microsoft's SP3 for Windows 2000. When you see things like Microsoft gaining the ability to change things on your computer, in the litigation-crazy medical industry you start wondering.

    My point is that Microsoft patches, SP's, whatever is always like Russian roulette. And half of the chambers are loaded, in my experience.
  • by 87C751 ( 205250 ) <sdot@@@rant-central...com> on Thursday May 15, 2003 @12:46PM (#5965302) Homepage
    6. Try HTTPS instead of HTTP if it says I need no patches, it may not have checked properly.
    6a. Dismiss the dialog box telling you that the SSL cert for the WU site has expired.

    Thanks for the HTTPS tip. I was wondering why a brand-new install didn't need anything updated.

  • by kawika ( 87069 ) on Thursday May 15, 2003 @01:01PM (#5965486)
    > What alternative to Windows Update is there for people to use?

    A company named Microsoft provides Corporate Update [microsoft.com]. You can download whatever patches you want and apply them to multiple systems. The part he's referring to as broken seems to be the automatic update detection code.
  • FreeBSD (Score:4, Interesting)

    by TheLink ( 130905 ) on Thursday May 15, 2003 @01:16PM (#5965620) Journal
    Actually I found getting my FreeBSD system up to date easier than Windows Update.

    At one time, it seemed the Windows Update site was having problems - but the messages I got and the apparently relevant MS knowledgebase docs weren't helpful, so I thought the problem was with my system and wasted many hours because of that.

    And as Russ points out, even if you run Windows Update successfully, you shouldn't be surprised if your system isn't really up to date.

    With FreeBSD once I synchronized sources and rebuilt, I could be pretty certain what I had sitting on my HDD, AND so could others. If I have a problem, I can state the release I synced to, and the devs will know what I'm talking about. That makes support easier.

    But with MS, the process is such that you can't really be sure esp when there are problems. Even if you can it may take so much time to be sure that you might as well wipe and reinstall everything.

    Trustworthy? Not. Convenient? Yes.
  • by walt-sjc ( 145127 ) on Thursday May 15, 2003 @01:17PM (#5965633)
    Um, aren't MS Windows users paying MICROSOFT to figure this out? MS does have the in-house talent to come up with a solution for this, they just choose not to address the problem. They just go on pretending that everything is fine.

    What Russ is attempting to do is tell MS to wake the hell up and fix it, and that if you are a Windows user that you should know that Windows Update is basically a pile of shit and that you can't trust it.

    So I guess I don't quite understand your beef. Is MS paying Russ to solve Windows Update problems and he isn't doing the job or something?

    As an end-user to commercial software, your job when it comes to bugs is to report them. Not fix them.
  • by ajs ( 35943 ) <{ajs} {at} {ajs.com}> on Thursday May 15, 2003 @01:31PM (#5965761) Homepage Journal
    Russ complains a lot, but he never offers any solutions to the problem.

    Ok, I'll bite. Solutions:
    • Move away from Windows by converting to Apple's MacOS/X-based systems
    • Move away from Windows by converting to IBM's Linux-based systems
    • Move away from Windows by converting to Sun's Java-based systems
    • Move away from Windows to Sun's Linux-based systems (not yet released, AFAIK, but still a viable plan for the future)
    • Move away from Windows to a white-box desktop on which you install whatever you please
    Or were you asking about solutions that Microsoft could implement? If that was what you were asking for, then I have no real recommendations other than they should issue a press release advising their users not to visit non-MSN Web sites for fear of finding out what a mess they've gotten themselves into by running Windows in the first place. Is there a good reason left in the world to run Windows? For the most part it seems to be all momentum-based. MS-Office apps for MacOS lag because MS sells fewer units for Mac-OS. Replacement apps for Office lag on other platforms because there's no one putting a billion dollars into funding developers to work full-time on it (though IBM has spent that much overall on all of Linux, no one spends this much on just the office apps, which are, next to the browser, and mail client, the most important for desktops). That money isn't flowing because there are a lot of inter-dependencies that lock people to Windows. For example, I'm going to have to run Windows under VMware so that I can talk to my new phone once a day. I run XP at home to play a video game. It's not an OS, it's a legacy app-platform much like DOS was for a decade (and still is to some extent).

    As migration (that has already begun in dozens of niches) away from Windows begins to pick up steam, more of these dependencies will be met for other platforms. Linux has had amazing ramp-up in that area over the last 5 years. I'm always stunned to see major hardware and software vendors coming into the fold and making their stuff work right with Linux. Now the business-side of that is starting to gain ground, and for example, Fujitsu is partnering with Red Hat. I see MacOS coming out on top though, but there's always going to be a much bigger piece of the pie allocated to other OSes than Microsoft ever had to deal with while it was on top. This is a good thing. We should never go back to a world so dominated by one vendor's software. Software has become too important for that.

    Once MS can't rely on self-sustaining market-share to keep them going, they'll be forced to make substantive changes to the way they view customers. This too is a good thing. Who knows, perhaps in 20 years, we'll all be happily running Windows 2XXYbeta1, and it will work well, have real standards compliance, open specifications for key OS features and APIs and actually be supported. It could happen, and if anything is going to make it happen, it will be competition.
  • by Chicks_Hate_Me ( 528837 ) on Thursday May 15, 2003 @01:46PM (#5965874) Journal
    Is there a specific reason why they won't just give direct access to the patches on their site?
  • Re:strange timing... (Score:1, Interesting)

    by Anonymous Coward on Thursday May 15, 2003 @02:22PM (#5966214)

    As for the VPN... you are only as protected as your VPN user's machine is... [I have seen MANY VPN installations that allow full access to the inside once the VPN is established... Problem is that if the user's machine is infected, they are now essentially "carriers" that can infect the unpatched/lightly patched inside network through the VPN]


    There are several underground groups whose only reason for existing is to find these gateway-to-treasure machines. [several trojans/backdoor/"remote administration" programs have been written for just this purpose... one specifically looks for certain popular VPN clients and acts on what it finds.]

    Another of their pastimes is to scan for RDP and ICA servers, then try to connect to them and log on locally... Seems that many "ahem" admins forget to set the LOCAL admin password.... Mainly RDP since XP pro makes it so easy to enable remote control... Many times RDP is the only service visible. This is because MS made it so difficult to change the RDP port; scanning for RDP is easy....
