Windows Operating Systems Software Security

NTBUGTRAQ Bashes Windows Update

BigBadBri writes "Russ Cooper, keeper of the NTBUGTRAQ list, has a few concerns (to put it mildly) with the trustworthiness of Microsoft's Windows Update."
  • Trust? (Score:4, Funny)

    by DJ Rubbie ( 621940 ) on Thursday May 15, 2003 @09:59AM (#5964173) Homepage Journal
    Since when did we trust Microsoft / Windows?
    • Re:Trust? (Score:4, Insightful)

      by Gortbusters.org ( 637314 ) on Thursday May 15, 2003 @10:03AM (#5964226) Homepage Journal
      True that... with each newer operating system and update I see more and more 'report blah blah to Microsoft to improve quality'. It happens in Windows Media Player, whenever a process crashes, and probably other places as well.

      How soon until they don't tell you that and just start reporting your web browsing favorites and selling that information to others?
      • Re:Trust? (Score:4, Interesting)

        by dre80 ( 613210 ) * on Thursday May 15, 2003 @10:14AM (#5964350)
        If anything, messages like that are a late attempt to catch up. Netscape/Mozilla have had the Quality Feedback Agent at least since the Netscape 4 era, and it was hailed as an example to follow. Well, like it or not, the example has been followed. MS may well not treat the information the same way, but tracking bugs has become increasingly important as applications get increasingly larger and more complex.

        I don't trust Microsoft in general, but in this case they've yet to prove that their intentions are any other than making quality software.
        • Re:Trust? (Score:3, Insightful)

          by 1010011010 ( 53039 )
          they've yet to prove that their intentions are any other than making quality software.

          That's pretty funny.
        • Re:Trust? (Score:3, Insightful)

          by Malcontent ( 40834 )
          "I don't trust Microsoft in general, but in this case they've yet to prove that their intentions are any other than making quality software."

          What an odd thing to say. You don't trust them in general but you trust them in this particular case? Why? That's like saying "I don't trust that convicted child molester living across from me but I'll let him babysit my kids because nobody has proven he will abuse MY kids".
      • Re:turn it off (Score:5, Informative)

        by ramzak2k ( 596734 ) * on Thursday May 15, 2003 @10:37AM (#5964597)
        if you dont like error reporting - turn it off.

        1.Start>Run
        msconfig.exe

        2.Goto Services tab and uncheck the error reporting service there.
    • Re:Trust? (Score:4, Insightful)

      by Cro Magnon ( 467622 ) on Thursday May 15, 2003 @03:29PM (#5967414) Homepage Journal
      I never trust anyone who says "Trust me".
  • duh (Score:2, Funny)

    If you can't trust the New York Times, how the heck can you trust a shady corporation like Microsoft?
  • by ramzak2k ( 596734 ) * on Thursday May 15, 2003 @10:00AM (#5964197)
    It is a feature to keep you aware of other features. Unfortunately it has a feature in itself which keeps the feature from featuring.
  • So? (Score:5, Insightful)

    by InfinityWpi ( 175421 ) on Thursday May 15, 2003 @10:01AM (#5964216)
    This shouldn't surprise anyone at all. Anyone involved in computer security or stability is going to have doubts about any sort of update technology, especially if it's from Microsoft. All it takes is a 'minor' 'bug', like the one in the article, and we could be facing a much larger number of CodeRed targets, or zombie machines, or who knows what else.

    Oh, by the way, your car is just fine. No, no recalls at all for it. Well, one, but it's only important if you actually drive, so you're fine, I'm sure...
  • by Pov ( 248300 ) on Thursday May 15, 2003 @10:02AM (#5964220)
    It's been proven time and time again that people don't patch their systems by hand. Windows Update is at least a step in the right direction, even if it does have some flaws. I can only imagine the outcry if M$ DIDN'T have a Windows Update. It would be an evil scheme or something.
    • Maybe not... (Score:5, Insightful)

      by Uruk ( 4907 ) on Thursday May 15, 2003 @10:27AM (#5964487)
      Is it better? Here's a quote from the article:

      Let me put it this way. Since the inception of Windows Update millions of computers have been infected with Trojans that are today allowing individuals to conduct en-masse DDoS attacks. Read that how you want, but it's a fact. Here's another. Since the inception of Windows Update Microsoft has gone to producing patches almost every week. Few if any businesses have found Microsoft trustworthy enough to permit automatic updates

      Many people will also tell you that a false positive is far worse than a false negative. For example, if Windows Update is misconfigured and tells you that you're up to date when you're really not, that's arguably worse than not being up to date and knowing that you're not up to date. (Because in the latter situation at least you can do something about it)

      Even if technically windows update is better than nothing, it's utterly pathetic that this is the best one of the richest and most powerful corporations on the planet can do for their customers.

      • Re:Maybe not... (Score:5, Insightful)

        by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday May 15, 2003 @11:06AM (#5964909) Homepage Journal
        So wait, microsoft is releasing more updates, this is bad? So maybe some of their updates have bugs, at least we get the fixes rapidly. It's not like this doesn't happen to, say, linux - a fix breaks something else and another patch comes out three days later.

        So if that's a problem with Windows Update, perhaps that is why many companies still don't trust Open Source. The only difference here is that we don't see the source code. I don't read the source anyway, so I'm not losing anything :P

        • Re:Maybe not... (Score:3, Insightful)

          by barc0001 ( 173002 )
          " So wait, microsoft is releasing more updates, this is bad? So maybe some of their updates have bugs, at least we get the fixes rapidly."

          Are you drunk?

          Picture this: You are the sysadmin at a company that runs its business all online, doing thousands of dollars of business per hour. You have a farm of 2000 servers running a custom back end for all your web services. The weekly patch comes down from Microsoft, it's time to update it. Again. Just like last week and the week before. You go down to the
      • Re:Maybe not... (Score:3, Insightful)

        by Pov ( 248300 )
        "Since the inception...", but it doesn't say "Because of..." and that's the difference. He's saying that Windows Update has failed to protect those computers, not that it caused a problem. It doesn't say how many millions of computers *didn't* get infected because of Windows Update, so it's not really a very fair argument. It only shows one side.

        I agree with you on the false positive scenario except that you've left out the most likely case without Windows Update, a nothing, because without Windows Upda
    • by jkrise ( 535370 ) on Thursday May 15, 2003 @10:27AM (#5964500) Journal
      "people don't patch their systems by hand. "
      I've never seen anybody do that, I agree :->

      "I can only imagine the outcry if M$ DIDN'T have a Windows Update. It would be an evil scheme or something."

      Tell me something. Why is it that MS refuses to deal directly with its own customers? Why should it sell thru OEMs etc. and support thru the web? Why can't MS offer support services directly thru their various offices and provide a CD that does the Update Services? A day's delay in couriering the CD? The CD media would cost about 20c. Even 50 CDs a year (we're talking MS here) would cost about $10 for the CDs and a maximum of $100 for postage.

      MS support services cost much more than $150 per year, but still the customers are denied the convenience of a CD and no intrusion on their systems. Why?
    • A "Windows Update" that doesn't update is worse than nothing, not better. Users are discouraged from further vigilance since they are fooled into thinking their systems are properly patched.
  • by jkrise ( 535370 ) on Thursday May 15, 2003 @10:02AM (#5964221) Journal
    Bugtraq hasn't trashed Microsoft Windows - just the Microsoft Windows Update.

    "has a few concerns (to put it mildly) with the trustworthiness of Microsoft's Windows Update."

    Good.
  • Summary (Score:5, Funny)

    by cwernli ( 18353 ) on Thursday May 15, 2003 @10:02AM (#5964225) Homepage
    To sum up the last few posts: Electronic Voting can't be trusted, NVidia can't be trusted, Microsoft Update can't be trusted... that's enough for one day. I'll go to sleep right now.
  • by Sheetrock ( 152993 ) on Thursday May 15, 2003 @10:04AM (#5964236) Homepage Journal
    Why should Microsoft platforms be immune from the progress that the Open Source spirit has given other platforms? Windows Update doesn't have to be the sole source for the common user of updates, patches, etc. -- many of these are third-party, anyway, and could probably be handled similarly to apt-get, rpm, or emerge.

    I've read a number of depressed perspectives on how we've got to accept a broken technology because it is patent-encumbered, closed source, or whatever, and I wonder "Where's your initiative, people?" To use a cooking analogy: the Koreans and the Dutch couldn't be much more different geographically, but at approximately the same time in history they faced a similar crisis involving an abundance of fuel and a pittance of foodstuffs -- the Koreans invented stir-frying, which allowed a maximum amount of heat in a minimum amount of time to sear their food, while the Dutch came up with the Dutch Oven, which is an ancient European equivalent of the Crock-Pot where food was cooked in its own vapors in a covered environment at a low temperature over an extended period of time.

    This is only one of a number of similar examples throughout history of almost-parallel development. People have constantly had to reinvent the wheel for any number of reasons, but most importantly the process was influenced by cultural and social factors that ultimately lead to different approaches towards the same problem. Thus we can choose from the solutions the one that is most efficient or most effective... the strength of Open Source.

    I guess the point is that there is almost always more than one way to solve a problem, and generally it's the optimists that get to it. I see too many good ideas sunk by naysayers that won't give a concept a fair shake; irregardless, who could have predicted the computer, air travel, or the mysteries of the atom a mere century ago? Hope for even the best of the future and it will yet exceed your expectations.

    • by DJ Rubbie ( 621940 ) on Thursday May 15, 2003 @10:09AM (#5964291) Homepage Journal
      Actually, it has to be the only source of update because only Microsoft can do something about problems within their source code, therefore, they are the sole providers of patches for Windows.
  • by Teckla ( 630646 ) on Thursday May 15, 2003 @10:05AM (#5964243)
    I'll voice an opinion that'll surely prove to be unpopular around these parts: I like Windows Update.

    Sure, like any given piece of software, you may run into glitches and bugs at some point. But, overall, Windows Update has provided me with an extremely easy and painless way to keep my systems updated.

    Even my Mom can use it, which says a lot. It's better than any alternatives I've seen which require too much geek knowledge to operate. (Admittedly I've never seen how MacOS X handles updates.)

    -Teckla
    • 'apt-get upgrade' is still a better tool, but I admit, I've used Windows update and I found a nice way of managing patches in an MS environment.

      Step 1: Set up a machine with an old, unpatched version of whatever OS you're using.

      Step 2: Run windows update

      Step 3: grab the patches as they're being downloaded and copy them off to another folder

      Step 4: Let it upgrade your test box.

      When it finished, it will remove all traces of the patches. You copied them off into another folder, right? If so, you now hav
    • by andrewmc ( 88496 ) on Thursday May 15, 2003 @10:18AM (#5964409)
      Windows Update has provided me with an extremely easy and painless way to keep my systems updated.
      Maybe I'm missing something, but didn't the article say that it can leave your system not fully updated, while you only think it is?
    • Perhaps you've never used Red Hat Network or Ximian's red carpet, I find both to be (almost) bug free and work very well.
      • Perhaps you've never used Red Hat Network...

        I have. I find it extremely irritating, because it requires separate download and install steps. I want to get my list of updates, select all, click one thing to get them installed, then walk away for a few minutes. Red Hat Network doesn't let me do that.

        Unless anyone knows differently, of course...

        Cheers,
        Ian

        • by Alanus ( 309106 ) on Thursday May 15, 2003 @10:39AM (#5964626)
          Just use "up2date -u" and you're done. Even better: Schedule it...
          "I find it [RHN] extremely irritating, because it requires separate download and install steps."

          I'm sorry, but the separation of download and install steps is a good idea. It means that you can do work while RHN downloads and not worry about things changing out from under you.
          • by mccalli ( 323026 ) on Thursday May 15, 2003 @10:58AM (#5964803) Homepage
            >>I find it [RHN] extremely irritating, because it requires seperate download and install steps.
            >I'm sorry, but the separation of download and install steps is a good idea.

            Two users who disagree. Solution would be to make the behaviour configurable then, yes?

            Cheers,
            Ian

            • Two users who disagree. Solution would be to make the behaviour configurable then, yes?

              It _is_ configurable. Out of a long list of options ("man up2date"):

              -d, --download
              Download packages only, do not install them. This option
              is provided so that you can override the configuration
              option "Do not install packages after retrieval." It is
              mutually exclusive with the --install option.

              -i, --install
              Install packages after they are downloaded. This option
    • by Anonymous Coward
      OSX runs Software Update after you install the OS for the first time. It schedules itself to run weekly and check for patches. You can select what patches you do and don't want to install, as well as drop patches from being on the list (eg, if you like iTunes 2 then you can tell it to never inform you of new versions of iTunes).

      Any user can run the software update tool and be informed of new packages. Before any can be installed, a window pops up asking for an admin account login. Once entered, downloa
    • A few weeks ago I ran update... (cue ominous music).

      It applied Service Pack 3 to Win 2K and rebooted. When it came back up (or actually failed to), it could no longer see the ATA100 hard drive on which it was installed...

      I tinkered around for about an hour before I decided it would be quicker to re-install than to try to fix it...

      Until then I had had good experiences with update for the most part. It is a good concept (like Red Hat Network), but given the wide range of hardware/software configurations ou

    • by Reziac ( 43301 ) on Thursday May 15, 2003 @10:46AM (#5964704) Homepage Journal
      And don't you wish that NT4 SP4 had been forcefed to everyone as an automatic update? ;)

    • FreeBSD (Score:4, Interesting)

      by TheLink ( 130905 ) on Thursday May 15, 2003 @12:16PM (#5965620) Journal
      Actually I found getting my FreeBSD system up to date easier than Windows Update.

      At one time, it seemed the Windows Update site was having problems - but the messages I got and the apparently relevant MS knowledgebase docs weren't helpful, so I thought the problem was with my system and wasted many hours because of that.

      And as Russ points out, even if you run Windows Update successfully, you shouldn't be surprised if your system isn't really up to date.

      With FreeBSD once I synchronized sources and rebuilt, I could be pretty certain what I had sitting on my HDD, AND so could others. If I have a problem, I can state the release I synced to, and the devs will know what I'm talking about. That makes support easier.

      But with MS, the process is such that you can't really be sure esp when there are problems. Even if you can it may take so much time to be sure that you might as well wipe and reinstall everything.

      Trustworthy? Not. Convenient? Yes.
  • by DaPhoenix ( 318174 ) on Thursday May 15, 2003 @10:05AM (#5964244)
    Man it seems like every day we find out how to define the 'trustworthy' in "trustworthy computing"

    First Windows, then the Outlook bugs, then the Hotmail bugs, now the Windows Update security issues - not to mention the Shatter Exploit [tombom.co.uk] (fundamental unfixable Win API flaws)

    Mmm I love days like today. :)
  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Thursday May 15, 2003 @10:08AM (#5964273)
    Comment removed based on user account deletion
    • Re:hmmm... (Score:3, Interesting)

      by Justin205 ( 662116 )
      Red Hat updates are usually fairly on time, especially for security stuff. Feature updates usually only come in the next version, but since it's free, no big problem. Windows Update seems to get updates late, from when they are first available, if you know where to look, and isn't very reliable. When I use Windows, I've had the SP1 install on XP screw up at least twice from Windows Update, so I go download the installer manually.
  • strange timing... (Score:4, Interesting)

    by drummerboy714 ( 632637 ) on Thursday May 15, 2003 @10:09AM (#5964292)
    Last week I spent all day downloading patches for an XP laptop that we are evaluating. Today we (my notoriously adorable assistant) received a notification that there are (surprise!) more patches to download. When I looked at the list, some of them were going back to Feb of 2002. We looked at what patches and Q#'s show as installed, and several of these are the same ones WUS show as needed. Needless to say, we are yanking the XP OS and going back to W2K. Oh, that we could use Linux in our production environment!!!!
  • "Trustworthy Computing Initiative once again gets an "F""

    Failed? Fscked up? Foolproof? Friendly? Fiendish?

    Just curious
  • Bugs (Score:5, Interesting)

    by Mr_Silver ( 213637 ) on Thursday May 15, 2003 @10:12AM (#5964328)
    In reality, some flaw in the Windows Update process has led it to conclude that a system, in need of critical security patches, is instead clean and good to go on the Internet. In other words, if the security check fails, tell consumers they're just fine and don't need anything.

    To summarise:

    Windows update has a bug in it. Until MS release a fix, you can't really trust it. Oh yes, and you can't really trust that the patches it downloads and installs won't total your system - but everyone vaguely clueful and in IT knew that already.

    Have I missed anything?

  • by sczimme ( 603413 ) on Thursday May 15, 2003 @10:16AM (#5964382)

    From the article:

    we no longer even need to make that visit manually, we can trust that Microsoft will supply us with a properly tested security patch within 24 hours and patch our systems for us

    What follows is not MS-bashing.

    System security (and other functions) should not be left to a laissez-faire, set-it-and-forget-it sort of mechanism. The administrator is responsible for applying the patches, manually if need be, and should be diligent enough to determine whether all requisite patches are installed even when using an automated method like Windows Update. Yes, that includes apt-get, RHN, up2date, and others.

    I believe it also behooves the administrator to conduct independent testing on-site: there have been some notable examples of patches getting out the door that caused as many problems as they solved. (Yes, I'm thinking of SP4 for NT 4.0. Still not MS bashing, though.)

    Trust, but verify.
    • by michaelggreer ( 612022 ) on Thursday May 15, 2003 @10:50AM (#5964728)
      I agree that administrators have this responsibility, but most computer users are not qualified admins, nor should they have to be. They cannot "conduct independent testing on-site." We require consumer OSes to be set-it-and-forget-it, so this criticism of MS is completely valid.
  • by svenjob ( 671129 ) on Thursday May 15, 2003 @10:17AM (#5964394)
    If you don't trust Windows Update, don't use their service. If you don't trust nVidia, get an ATI. Online voting? Do it the old fashioned way! There are many things in the world which you can choose to use or not to use based on trust. Don't trust it, don't use it. (like free candy)
    • Funny... (Score:2, Funny)

      by Justin205 ( 662116 )
      I don't trust Windows Update, nVidia or online voting, so I use Linux, ATI and I don't vote (too young).
    • by vondo ( 303621 ) * on Thursday May 15, 2003 @10:54AM (#5964768)
      It's impossible not to "use" online voting, even if it is only an option. The product of online voting is a new government or new laws, so if it has problems, they affect you whether you actually vote online or not (or not at all).

      It's a completely different situation than not using NVidia.

  • by Anonymous Coward on Thursday May 15, 2003 @10:18AM (#5964410)
    It just automatically downloaded some new nVidia drivers that increased my 3DMark score by 30%! Windows update works great!
  • I was low on disk space on a box and therefore deleted out the $NtUninstallQxxxxxx$ archives created by WU to save disk space. Bah, that threw WU into a tizzy, thinking I hadn't installed some of the patches whose uninstall archives I had deleted.

    Um, if they are just uninstall archives, and I have no plans of uninstalling the patch, they should be able to be deleted. Why WU relies on the existence of the Uninstall directories to determine if a patch is installed, I have NI, but it is terrible practice.
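Two posts above argue the same thing from different directions: sczimme's "trust, but verify" (determine yourself whether the requisite patches are installed, whatever the update tool reports) and the complaint that WU treats the mere presence of a $NtUninstall...$ folder as proof a patch is installed. The script below is an added example, not code from the thread or from Microsoft: it takes a list of KB IDs you expect on a box and checks each against three independent sources (the Win32_QuickFixEngineering data behind Get-HotFix, the classic NT "HotFix" registry key, and the uninstall folders under %SystemRoot%), so a patch recorded in one place but absent from another shows up as a discrepancy instead of a silent "you're up to date". The KB numbers are placeholders, and the registry path and folder pattern are assumptions about how hotfixes register themselves on NT-family systems.

```powershell
# Added example (not from the Slashdot thread): cross-check installed hotfixes
# against an expected list using three independent sources, rather than
# trusting one tool's verdict. Run from an elevated PowerShell session.
#
# Assumptions (labelled): the KB IDs are placeholders; the registry key is the
# legacy NT hotfix registration key; the folder pattern is the
# $NtUninstallKBnnnnnn$ / $NtUninstallQnnnnnn$ convention the post describes.

param(
    [string[]]$RequiredKBs = @('KB000001', 'KB000002')   # placeholder IDs
)

function Get-InstalledFromQfe {
    # What WMI (Win32_QuickFixEngineering) believes is installed.
    Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID.ToUpper() }
}

function Get-InstalledFromRegistry {
    # Legacy hotfix registration key (assumption: only populated on systems
    # that still register hotfixes here).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix'
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object { $_.PSChildName.ToUpper() }
    }
}

function Get-InstalledFromUninstallDirs {
    # The $NtUninstall...$ folders the post above deleted. Their presence is
    # exactly what a fragile checker mistakes for "installed".
    Get-ChildItem -Path $env:SystemRoot -Directory -Force -Filter '$NtUninstall*$' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match '^\$NtUninstall((?:KB|Q)\d+)') { $Matches[1].ToUpper() }
        }
}

function Compare-PatchEvidence {
    param([string[]]$Required)
    $qfe  = @(Get-InstalledFromQfe)
    $reg  = @(Get-InstalledFromRegistry)
    $dirs = @(Get-InstalledFromUninstallDirs)

    foreach ($kb in $Required) {
        $id = $kb.ToUpper()
        [pscustomobject]@{
            KB           = $id
            InQfe        = ($qfe  -contains $id)
            InRegistry   = ($reg  -contains $id)
            UninstallDir = ($dirs -contains $id)
        }
    }
}

$report = Compare-PatchEvidence -Required $RequiredKBs
$report | Format-Table -AutoSize

# No evidence anywhere means genuinely missing. Present in QFE or the registry
# but without an uninstall folder means installed, whatever a
# directory-based check would claim.
$missing = @($report | Where-Object { -not ($_.InQfe -or $_.InRegistry) })
if ($missing.Count -gt 0) {
    Write-Warning ("Not installed according to any source: " + (($missing | ForEach-Object { $_.KB }) -join ', '))
    exit 1
}
```

Feed it the KB list from the relevant security bulletins (or from a scanner such as HFNetChk) and treat any row with mixed results as something to investigate by hand; the exit code lets the same check run non-interactively across a fleet.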
  • by bogie ( 31020 ) on Thursday May 15, 2003 @10:53AM (#5964752) Journal
    Isn't the security aspect, it's the fact that MS hasn't gotten patching down yet. Patches from Microsoft CONSTANTLY slow down and screw up peoples computers. Every time you download a patch it's like playing russian roulette.

    I just experienced this two days ago. My friend had me reinstall XP on his laptop so I started with a disc that had XP SP1 included. Now considering the huge list of known problems SP1 causes both he and myself were happy with how the system performed after install. It seemed snappy and worked well. But then after I ran windows update and pulled down like 15 security updates, boom instant slowdown. I'd say it's about 15-20% slower now. I might as well have pulled out his PIII900 and dropped in a PIII600. (And yes I specifically avoided 811493)

    When will MS stop having to reissue patches and stop slowing down and screwing up systems because they can't figure out how to make software with some decent security built in? I mean screw the security track record of other OS's, Microsoft is the one with 40 billion in the bank. They are also the ones who still don't get it and are just now telling their programmers that security needs to be considered when designing software. For about the fact that OSS exists, I still can't believe people can have faith in a company like that.
  • by Joe5678 ( 135227 ) on Thursday May 15, 2003 @11:20AM (#5965073)
    I never visit windows update anymore, one too many times of it installing an update that hosed my system. Shavlik still develops HFNetChk, http://hfnetchk.shavlik.com/ , and it's still free. Just run it and then go to http://www.microsoft.com/security to get the updates it says you need. A bit more of a pain, but a lot more peace of mind.
  • by gmuslera ( 3436 ) on Thursday May 15, 2003 @11:56AM (#5965422) Homepage Journal
    p.s. Here's a thought, how about getting Windows Update to remove Trojans??...;-]

    Knowing how trustworthy Microsoft is, the only trojan that it will successfully remove will be the one named "LILO"
