Microsoft has begun patching files on Windows XP and Vista without users’ knowledge, even when the users have turned off auto-updates. Many companies require testing of patches before they are widely installed, and businesses in this situation are objecting to the stealth patching. “Normal behaviour,” according to Microsoft.
As far as I can tell there is very little to this story.
Automatic updates to WU only happens if one of the following are true:
* You have notifications turned on,
* You have automatic download turned on,
OR
* You have automatic installation turned on.
If Windows Update is turned off on your system Windows Update will not be automatically updated. It will however be updated (if necessary) when running Windows Update manually.
Microsoft should of course not install updates to WU automatically unless configured so. It should notify users of updates to Windows Update, and letting the user know that further notifications would not be received until WU had been updated.
EDIT: Forgot an “on”. And fixed spelling error in “Forget” –> “Forgot”.
Edited 2007-09-14 14:14 UTC
UNTRUE …
Windows Update updates itself (9 files on your machine) REGARDLESS of the setting of Windows Update.
You set your Windows Update to “Never Update” … it still connects to Microsoft and performs the update.
Do you have any evidence or at least sources for that claim?
It runs counter to the explanation from Microsoft (and the complaints) and it runs counter to my experiences with Windows 2003 Server.
Do you have any evidence or at least sources for that claim?
The article itself makes that claim:
It only says “seem”. It has not been confirmed to be true for all four settings, and it is a fact that the WU-client cannot connect to WU-servers when running without Administrator rights.
I know from my experiences with my firewall that WU does not attempt to do anything when turned off. And I know that because my firewall freaks out when I run WU and forget to un-restrict WU
Edited 2007-09-14 19:12 UTC
I don’t have evidence for the thing he discribed, but I set it to “Notify, but don’t download or install”.
Yesterday evening I booted Windows and two updates were shown: The one security update and that “tool to remove baad software” (no, I don’t know the correct english names for that ). I clicked on cancel since I wanted to do this later, after doing some work.
Half an hour later there was just ONE update left. Guess which one it was.
Okay, that’s not really much “evidence” since you can’t really prove that without making a video. Guess you just have to believe me here.
Wooot O_o ??? You have an IE7-uninstaller!!1?
Hmm.. I’ve had my own problems with the notification-thingy when manually launching Windows Update. The notification thing tend to conflict with the manual launch, so I’d need the output from Windows Update’s list over installed updates and failed updates for your machine. HOWEVER: You MUST NOT give me that information. I’ll haunt you in your nightmares if you do
Launch Windows Update manually and check the list over succesful updates and failed updates and see if it shows something. Until then I can only conclude you had a problem with the notifier.
I have had conflicts with manual launch of WU and the notifier running, but I haven’t experienced what you describe. But that malicious software thingy is probably selfinstalling
You said:
Microsoft should of course not install updates to WU automatically unless configured so. It should notify users of updates to Windows Update…
That’s the whole point of the article that you found “very little to”.
No. That’s the core of the problem. The core of the article was that Microsoft was invading your privacy and modifying the entire OS by installing all kind of updates without your consent.
Remove the sensationalism of the article and you would have had a good story. As it stands now it is just obnoxious second rate “journalism”.
It was a stealth update to Windows Update itself. Now of course, they could have asked permission, but that would have looked something like this: http://kroc.deviantart.com/art/Marklark-Marklark-Marklark-32789616
Heehee
I understand the line of thinking behind that particular dialogue, but I think it could be formulated better
I’m trying to find something to say in Microsoft’s defence.
I failed.
Edited 2007-09-14 14:20
Well, from a security-POV Microsoft could hardly do it much different.
MS of course has the following options:
1) Install updates to WU automatically if WU is set to “automatic updates”
2) Download updates to WU automatically if WU is set to “automatic downloads” and notify the user that the updates are ready to be installed. However! The user must be notified that WU will not work if the updates are not installed.
3) Nofify the user of updates to WU if WU is set to “Notify only”. However! The user must be notified that WU will not to work if the updates are not installed.
The downside of doing 2) and 3) is that the user will not know about important updates until the user has updated the Updater (which is difficult to formulate properly, as Kroc proved with his earlier post.. heehee).
From a security-oriented POV Microsoft has not been unethical. From a privacy-oriented and technological POV Microsoft has handled in part unethical and in part incompetent.
But it doesn’t mean that MS is trying to take over your computer (they may be doing that, but not through WU).
What Microsoft should have done is to inform of this in WU. No part of a operating system should be self-updating without written notice of what parts gets self-updated, and why.
Also, from a security standpoint, i think this is bad.
WU is propriary. We dont know how it validates new self-updates. What if Microsoft WU servers get hacked, and millions of Windows machines starts to automaticlly download compromised code?
Edited 2007-09-14 14:34
Well for me it ain’t a risk, since my firewall blocks Windows Update unless I specifically allow WU to contact the servers
Remember, the Windows Update servers do not contact your machine. It is your machine that contact the Windows Update servers.
If the servers are compromised people using automatic download/installation/notification are in (a rather hypothetical) risk. It’s however only a matter of having a properly configured firewall – and not the built-in btw.
Well, since you cannot control what it does when it contacts the remote machine, and you cannot prevent it from changing software on the machine, it is not really your machine any more, is it?
http://www.microsoft.com/technet/archive/community/columns/security…
The really scary thing is that there is now at least one more known way to remotely install code in a Windows system without having to get permission.
All that is required is for the code one wishes to install on the target Windows system to successfully masquerade itself as being an update to WU.
True security would require that an OS insist that a local, authorised administrator of the system manually supplies credentials before any piece of new software can become executable.
It is plain that the Windows OS lacks this most basic security provision.
Well, it does require that the update is properly digitally signed, and it must be fetched from a WU-server.
But yes, if you can compromise an update-service the users are screwed. But that goes for _any_ update-service.
Yeah, but digital signing as Microsoft is easy. Duh!
Probably as easy as signing as Redhat I assume.
Personally I’m still not past the part about compromising the servers
You don’t have to compromise the server … you just have to spoof the client into believing that your data came from such a server.
Likewise, you don’t necessarily have to be able to sign your data as Microsoft … you just have to get WU to believe that it is so signed.
Tricks like these are the essential reason why it is a good idea to require manual input of credentials from a local user before any execute permissions are set. That requirement should ideally also be subject to audit … it should be possible for end users to examine OS source code so as to assure themselves that execute permissions can only be set by them.
These are the reasons why any type of “automatic update without local user authorisation” is an utterly bad idea … from an end-user perspective.
Edited 2007-09-15 13:42
Ok, so how do you get WU to believe it is signed? You make it sound so simple, yet no one has done it yet.
How do you know this?
One method that suggests itself is to replace the secret WU keys on the Windows client machine with keys that match (as a key pair) with whatever key you signed your data with.
Keys are just data … probably registry data at that.
OK, so you sign your data, you spoof a Windows client machine to believe your data is coming from a Microsoft WU server, and you replace the client’s WU secret key with the other half of the key pair that you signed your data with.
The only way that I can see around such an attack is for the code to be auditable. People must be able to compile the source independently, and compare their binary with that contained in binaries which are purportedly coming from a repository. Such checks would need to be done randomly, periodically and by a number of independent parties … an open source end-user community sounds ideally suited to such a monitoring role.
Edited 2007-09-15 14:03
You are talking all theoretical stuff here, none of which is easy.
Until it is done and you can prove it, what is the point? There is none.
One method that suggests itself is to replace the secret WU keys on the Windows client machine with keys that match (as a key pair) with whatever key you signed your data with
Wait a minute, are you freakin’ serious?
At that point, the machine is already compromised. Wow, just wow. I can’t believe you are even making this argument.
At that point, the machine is compromised with the blackhat’s data.
It isn’t until the blackhat uses the identified WU “auto-update” hole that the end machine becomes compromised with the blackhat’s executable binary.
On a Windows system, I must admit, there is scarcely any difference between “data” and “executable binary” … which is the whole source of the problem in the first place.
Uh… how exactly do you replace the keys on the client machine in the first place then?
Oh, that’s right, by compromising the f–king machine.
Please think before you post.
I did say that it was just one method that came to mind, off the top of my head.
AFAIK it is quite possible to get data strings into the Windows registry without any end-user authorisation.
The only problem is that the Windows registry is not a source (AFAIK) of any data that Windows will execute automatically … and we also know that WU is such a source.
Edited 2007-09-15 14:17
It’s also easy to change mime types associations on Linux without end user authorisation.
Besides that, a normal user cannot edit the registry in Windows, apart from the normal user’s own keys (HKEY_CURRENT_USER / HKCU).
A normal user cannot modify other parts of the registry. We need to compromise the machine.
WU is only a security threat if you can compromise the machine through WU. This requires compromising the WU-servers.
Are you are baffled as I am?
I don’t know. I’m quite baffled right now, so I’m not sure how baffled I am. I don’t know what to think right now. I think “disbelief” is the word I’m seeking for. Or “baffled”. I don’t know.
The blackhat’s data CANNOT enter the machine without the machine being compromised. Such an update could possibly be done through install malware, but that is your own fault.
You cannot insert blackhat’s data without compromising the machine, so the machine is compromised. But that is equally true for ANY OS.
Your scenario has NOTHING to do with WU or any update-service. It has something to do with idiotic user-behaviour and could be done on any machine with any OS with internet connection.
This argument only applies on systems where the OS & filesystem does not distinguish between “binary data” and “executable binary data”.
Look up the term “push technology”.
http://en.wikipedia.org/wiki/Push_technology
WU appears to be a push technology.
Edited 2007-09-15 14:31
It’s not.
Push technology on the Internet refers to a style of communication protocol where the request for a given transaction originates with the publisher, or central server.
The WU client ALWAYS has to make the request.
No. WU is a pull-technology. It is the client that contacts the server. NEVER the other way around.
Yet Windows will still get an updated WU even if the end user has set WU to “never update”.
Interesting new definition of “never” from Microsoft there.
WU is a “push technology” in the same sense that an email client is. The emails (data) aren’t instigated by the email client, they are “pushed” to the client from an external source (ANY source that knows the email address) … the fact that the email client software has to contact the ISP mail server and ask for messages is just a detail. The technology remains, in essence, a “push technology” because the initiating act to get the data on to the client system is not done by the client. WU is similar to this, and so WU is in essence a “push” technology even though the client is the machine that initially says “gimme updates”. It is “push” because, as this very thread shows, then end client machine cannot be stopped from saying “gimme updates” even if the end user wants the machine to “never update”.
BTW … doesn’t Microsoft’s EULA reserve the right for Microsoft to update the software on your machine? Are you really ready to believe that Microsoft would voluntarily give up that right they had reserved for themselves via the EULA just because you ticked “never update”? Hmmmm, if you believe that you must be either very trusting, or very gullible …
Edited 2007-09-16 06:24
No. What happens is that the WU-client fetches an update from the serves, if this update is an update to the WU-client itself. And it doesn’t happen with “Never update”. It happens with “Fetch Updates and Install”, “Fetch Updates but don’t install” and “Just nofity me but don’t fetch Updates and don’t Install”. If you are running as ordinary user, WU doesn’t run at all. With pre-Vista Windows WU cannot run unless the user running it is Administrator. You cannot even do “Run as…” (equivalent to sudo/su – root) on WU.
You don’t understand the concept of pushing or pulling. Pulling means the download is initiated from client-side. Pushing means it is initiated from server-side. The mail server cannot force you to receive the mails therefore it is pull instead of push. WU-servers cannot force a connection on the client. Therefore it is pull.
Pushing is when the servers initiate the contact and “pushes” the information to you. IM-applications usually work like that (actually IM applications are push/pull-systems).
A pull-technology is defined as a techonolgy where the Client requests for something. Everything else doesn’t matter. Push and pull are SOLELY defined by who initiates the contact. Email-fetching is pull. Update-fetching is pull. You can twist the words as you want to but Windows Update is a pull-technology.
If Windows Update is disabled (set to “Never fetch Updates, Never install Updates and Never ask for Notifications” then Windows Update will never contact the WU-servers. This has been proven. If you are running as an ordinary user (most users are unfortunately running XP as Administrators) WU won’t run at all. Only when logged-in as Administrator does WU run. It is a known bug in pre-Vista Windows. Only in Vista can WU run when the user isn’t Administrator.
Microsoft reserves the right to update your system in their EULA, and I’m damn sure they are using the right to the outmost. But fact is that WU cannot run on pre-Vista Windows unless you are Administrator. And it has been proven that it does not contact WU-servers when set to “disabled”. It does however contact WU-servers in settings 1, 2 and 3 (1 is automatic download and installation, 2 is automatic download but no installation, and 3 is Only Notifications – setting 4 is “disabled”). And in all three WU updates itself if there are updates to it (in settings 2 and 3 this is very problematic from a privacy POV). However, in settings 2 and 3 other updates are not installed (and this has been proved). MS can change this of course but so far they haven’t done that. Besides that you have the option to block WU if you have a third party firewall
“Never update” doesn’t exist. There exists 4 settings:
1) Automatic download and installation.
2) Automatic download but no installation.
3) No download and no installation, but Notifications instead.
4) No notifications, no downloads, no installation. This is – at the moment – respected by Microsoft. WU is never updated when disabled. This is proven.
The problem is that WU is updated despite setting 2 and 3 – without obvious notifications (there are event logs recording the updates, but these logs are not obvious).
I don’t trust Microsoft. But it has been proved by third parties that WU doesn’t do anything when disabled (setting no. 4).
The problem is the lack of notifications in setting 2 and 3.
Actually, I do understand. I understand that if the WU client must always initiate the protocol and never the server, then it is strictly speaking not a “push technology”.
However, if the periodic initiation of the transaction by the client cannot be disabled at the client end, then in effect the strict definition is effectively moot. This in effect means that the server can “push” data onto the clients and the clients cannot stop it from coming in. This situation is analogous to email clients (wherein in effect if you want email at all, you cannot stop anybody or everybody from sending you unrequested stuff).
http://en.wikipedia.org/wiki/Push_technology
So E-mail ends up being “pseudo-push technology”. WU is apparently equivalent. With the way Microsoft has apparently set up WU, if you want updates at all, you cannot stop at least Microsoft, and potentially other parties as well, from sending you alleged updates that you cannot prevent from being installed on your machine.
If you refuse all updates and make WU “never update” … then your Windows system (if it is connected to the Internet) will be compromised by the very next flaw … such as the .ani animated cursor flaw, or the .wmf flaw, or whatever inevitable flaw comes along next.
So, your choice with a Windows machine (if it is connected to the Internet) effectively becomes: “update and perish”, or “do not update and perish”.
This entire conundrum comes about because Windows has no distinction between “binary file” and “executable binary file”. That lack makes it possible to send data to a Windows system, and if you can trick the system into executing your file, then you can compromise the system. One strongly suspects that the underlying reason for this fundamental shortcoming of Windows security is that Microsoft wants to remain in ultimate control of all Windows systems. If Microsoft can remotely be in control, then it is feasible for remote parties other than Microsoft to wrest that control.
Edited 2007-09-16 11:46
However, if the periodic initiation of the transaction by the client cannot be disabled at the client end,
It can, argument over.
Hey sappyvcv. I give up here. It’s like fighting windmills or some such.
I strongly suggest you unplug your machine and take big draught of a very good beer. You must need it as much as I do
Well then the local machine is already compromised and you don’t need to run WU at all in order to create havoc. You can do whatever you want already.
You are far out here. As we all know I’m not the first one to defend Microsoft but your line of thinking here is completely broken.
If I can take over your Linux-box I can make it auto-update anything I want to – even if the distribution doesn’t have any update-functionality. All I need is a shellscript launching wget to fetch data from my fake servers, and install it silently. That’s f–king easy. The – hopefully – hard part is to compromise your local machine.
AFAIK you can get external data into the Windows registry, but Windows does not “execute” data from the registry directly.
You need another step in the chain. It would appear that WU provides (yet another) such a step for us.
You need to run with root permission on the local machine. You need a local user to manually enter root credentials to run with root permission …
… so you need another mechanism (such as the one WU automatic updates apparently provides) to do such a thing.
Edited 2007-09-15 14:23
How are you going to do that? The WU-servers NEVER contact the client.
It is always the client that contacts the servers, so in order to spoof the client you need to compromise the servers – or hacking the User’s ISP or somehow get control over the User’s internet conneciton. OR replace the WU-client in which case you already has access to the core of the User’s system.
OR get access to their LAN and ARP poison them.
But really, why are we arguing these things with these guys.
See the kind of crap I have to put up with? :p
AFAIK, update notiifiers on Linux clients run with normal priveledges. The notifiers merely inspect what versions are locally installed, and what versions are in on-line repositories. When it is found that updates are available on-line, the notifiers show the user that updates are available.
It still requires the user to manually supply root credentials to the package manager software before the actual updates can be downloaded and installed.
This is the essential difference, I suppose, between an mere update notifier and Windows Update.
On Windows, there is apparently no absolute universal fundamental-to-the-OS requirement to manually supply administrator credentials before downloaded information can be made executable.
On Linux, there are execute permissions as part of local filesystems, that can only be set by a local user. After execute permissions are set, the newly-executable file can then only run with the maximum permission level of the user who provided credentials to set the execute permission bit. Therefore, in order to bestow universal and system-level execute permission, the authorising local user must be root.
Edited 2007-09-15 12:58
dylansmrjones and sappyvcv have already dealt with your arguments from a technical standpoint (successfully, IMO), but I want to respond to a statement of yours from a non-technical standpoint.
“The really scary thing is that there is now at least one more known way to remotely install code in a Windows system without having to get permission. “
It seems to me that given that the vast majority (or, at least a substantial percentage) of home Windows computers have WU set to download and automatically install security updates anyway (that’s the default setting), that if someone wanted to infect systems by compromising WU in some way, they would have already done it, or at least already have been trying to do so. This “one more way” doesn’t add much from a practical standpoint. It would expand the targeted users beyond the “download and auto-install updates” users to the “download but don’t auto-install” and the “check for available updates” users, but the first target is so huge that baddies would have already been trying to compromise WU if so inclined. And any techniques that would exploit this “one more way”, that first huge segment of users has already been subject to.
(I talk of home computers because corporate computers likely use WSUS or SMS rather than WU, so the IT staff controls how those machines are updated, regardless of this “one more way”.)
Edited 2007-09-15 15:26
This is a typical Microsoft position.
The critical points are these:
(1) It is trivially easy to get data onto a client. Any website can do this. If you want to compromise a system, then getting your data onto a system is not a problem … the problem is to get your payload data to be executed by the target system, hopefully with elevated privileges. WU has been shown to provide just such a mechanism.
(2) Microsoft’s EULA reserves the right for Microsoft to update Windows systems. WU is one way (very likely not the only one) that Microsoft can update any Windows system. WU cannot be disabled as an entry point onto a Windows system, even apparently if the end user selects “never update”. This effectively (if not literally) makes WU a “push technology”.
(3) If Microsoft can push data onto a Windows system via WU and get it to execute (install) at system-level privileges without end-user authorisation, then that immediately presents an attractive doorway for other parties to try to do the same feat. Even if Microsoft honestly intend for this mechanism to only ever be used for WU to update itself, other parties are in no way constrained by Microsoft’s original intentions.
(4) Finally, Windows makes no distinction between “binary data” and “locally authorised to execute program”. WU illustrates this point beautifully. WU provides a mechanism (that cannot be disabled by the end user) for an external party to put new code onto the end user’s system without permission of the end user and to have that new code enjoy system-level privileges. The fact that the intention is that Microsoft is the only party that can do it is moot … the fact remains that it can be done. If Microsoft can do it, it remains only a matter of time before some other party finds a way to also do it using the same mechanisms.
This is fundamental security stuff. Either Microsoft just doesn’t get security, or Microsoft does get it but doesn’t care to provide it for end users. Either way is a very poor reflection on Microsoft.
Edited 2007-09-16 06:45
(1) It is trivially easy to get data onto a client. Any website can do this. If you want to compromise a system, then getting your data onto a system is not a problem …
Then WU is irrelevant at this point because the machine is already compromised.
the problem is to get your payload data to be executed by the target system, hopefully with elevated privileges. WU has been shown to provide just such a mechanism.
No, actually it hasn’t. You’ve only claimed it has with no proof whatsoever.
WU cannot be disabled as an entry point onto a Windows system, even apparently if the end user selects “never update”.
Ah, but it can. It’s been stated by multiple people already that setting to “never update” didn’t do the updates. Even further, it’s quite trivial to disable the WU service.
(3) If Microsoft can push data onto a Windows system via WU and get it to execute (install) at system-level privileges without end-user authorisation,
A side effect of the poor security in versions prior to Vista. However, on other systems, most people would blindly authorize ANY updates done through the Operating Systems update client. Honestly, what percentage of people attempt to verify the update server is valid and the updates they are receiving are valid? Not many.
(that cannot be disabled by the end user)
I know it must be fun to state lies, but please stop already.
Sigh!
Even if we take MS cheerleaders at their word and assume that WU can be disabled, then that in effect means that the Windows system is now vulnerable (after WU has been disabled) to the very latest “Windows exploit of the day”. In this sense it is not safe to completely disable WU … because your system is bound to get compromised sooner or later through another exploit.
In this sense you cannot disable WU because you cannot afford to.
If we set WU to one of the “tell me about updates but don’t install them” options, the it turns out that Windows doesn’t actually obey the “don’t install them” setting at all times … and in that sense the WU backdoor into a Windows system cannot be disabled.
In this sense you cannot disable the WU system-level backdoor because WU doesn’t do what you set it to do.
So with a Windows system, you cannot remove Microsoft’s “push” control over the system without isolating the system from the Internet, nor can you afford to. You cannot have a secure system, by design.
Edited 2007-09-16 23:07
Disable the Windows Update service. Disable. it. It won’t run.
What don’t you understand?
Disable it and your system can be compromised by any new 0 day exploit that is discovered. As soon as a new 0 day is discovered, you have no effective choice but to enable WU, in order to get the update that fixes the new 0 day vulnerability.
Enable it so that WU runs and you cannot prevent some types of alleged “updates” using it as a backdoor, even if you set it to “inform me but do not install updates”.
You can’t afford to disable WU, but you can’t afford to run it either. Either way, you are screwed, and not in control of your own Windows system.
What don’t you understand?
Edited 2007-09-17 00:46
1) You can disable WU and get any 0 day exploit fixes straight from Microsofts site instead of through the update service
2) You still have yet to prove or even offer a possible explination for how you’d actually compromise the WU service and have it successfully install bad data onto a client machine.
You are making claims that so and so is possible but have yet to offer explinations how. You have yet to explain how you could actually digitally sign these supposed bad updates as Microsoft w/o already compromising the machine, or even how to do it with compromising the machine (you don’t even know if you can replace the client keys w/o some serious system hacking).
Edited 2007-09-17 02:39
None of these excuses removes the fact that WU has been exposed by this incident as a potential backdoor into Windows systems.
I am not myself a blackhat, nor am I a Windows internals expert.
Nevertheless, Microsoft themselves have admitted to the fact that WU has a mechanism whereby an external party (they believe only themselves) can get code on to your Windows system and have your system execute that code at a system level of privelege without your knowledge or authorisation.
Microsoft have not exactly earned any level of trust in the past when it comes to security.
So now, the burden of proof is squarely in Microsoft’s court. It is up to Microsoft to show their product does not have this apparent backdoor, rather than it being up to me now to proove that the alleged backdoor does really exist.
I have already proposed one potential attack vector against the WU backdoor key, and I am just a rank amature when it comes to things like this. I wonder if I can think of any other possible attack vector against this backdoor?
WU right now looks like a promising backdoor to a vast array of Windows systems. Only one person has to work out the key to the door, and a huge percentage of the world’s computers are theirs for the taking.
Spoofing is not that difficult, and it is beyond Microsoft’s control anyway, so the only real hurdle is the key with which WU expects updates to be signed with. There are multiple examples of files that have been signed with the key, so even a brute force attack (whereby you work out what the original encryption key must have been) could potentially work here to uncover Microsoft’s private key of the key pair.
A brute force attack takes considerable compute power, however. A supercomputer is required. You would ideally like access to something akin to the worlds largest distributed supercomputer …
http://en.wikipedia.org/wiki/Storm_botnet
http://en.wikipedia.org/wiki/Storm_botnet#Computing_power
… fortunately such a resource is beyond the reach of malicious blackhats ….
oh wait!
Edited 2007-09-17 03:27
None of these excuses removes the fact that WU has been exposed by this incident as a potential backdoor into Windows systems.
There is nothing new we know except Microsoft in this case ignored settings for notification only. This does not make WU any “less secure” or more open to hacks. It means little in terms of security.
So now, the burden of proof is squarely in Microsoft’s court. It is up to Microsoft to show their product does not have this apparent backdoor, rather than it being up to me now to proove that the alleged backdoor does really exist.
Wrong. Any time you make a claim, the burden of proof is on you.
I have already proposed on potential attack vector against the WU backdoor key, and I am just a rank amature when it comes to things like this. I wonder if I can think of any other possible attack vector against this backdoor?
A poor one that won’t work.
Spoofing is not that difficult, and it is beyond Microsoft’s control anyway, so the only real hurdle is the key with which WU expects updates to be signed with. There are multiple examples of files that have been signed with the key, so even a brute force attack could potentially work here to uncover Microsoft’s private key of the key pair.
If it is supposedly so easy, why don’t you explain how it could ACTUALLY be done (not how you think it might be done), and why hasn’t it been done?
Oh, that’s right, because it’s not that easy.
Face it, WU as an attack vector is way too difficult to accomplish for hackers to really give a shit about. Everything is a potential attack vector, but that doesn’t make everything poorly designed or insecure.
Sigh!
It is not about the lack of notification, it is about the automation.
WU has an admitted mechanism whereby it can receive data from the Internet and execute it at system-level privelege without requiring any local manual input of credentials.
That is a backdoor.
http://en.wikipedia.org/wiki/Backdoor_%28computing%29
Rubbish. The potential prize is literally billions of the world’s computers. The motivation is huge.
The Storm botnet may provide a potential path to that prize. And that is just one potential path.
This is a serious situation. Pay attention.
I believe Microsoft need to fix this pronto … and I don’t even run Microsoft’s OS!
Edited 2007-09-17 03:36
Yet again, you’re blatantly ignoring the fact that you need to sign the updates as Microsoft.
Read about known attack methods against key pair encryption methods here:
http://en.wikipedia.org/wiki/Rsa_encryption
Personally, I don’t have the math, nor do I have the supercomputer, nor do I want world power … but I don’t discount the possibility that there could be some people in this wide world who do.
… becuase it has been only a few days since it was found out that this backdoor existed?
… becuase it has been only a few days since it was found out that this backdoor existed?
Except it’s not a backdoor and this is not anymore helpful to hackers. The amount of people that have Automatic Updates enabled is much much greater than the ones that have notification only set anyway. Why does it f–king matter now that there are some more people you can potentially force upgrades to?
Here’s a clue: It doesn’t in the grand scheme of things. It doesn’t in regards to much hard or easy it may be to “hack” WU. It doesn’t in regards to how appetizing of a target WU is to hackers.
…
Sigh!
Are you naturally this stupid, or do you have to work at it?
The concept of “signing” invloves an RSA key pair. One of the key pair is kept secret (private, held by Microsoft), and the other is public (there is a copy on every Windows machine in the world). “Signing as Microsoft” means that a signature string is encrypted by Microsoft using its secret key, so that when Windows decode the WU packet with the matching public key the Windows system is assured that the packet came from Microsoft.
OK, so we have a number of examples of packets that have been signed by Microsoft, and we have the public key. Our task, as blackhats seeking to unlock the WU backdoor, is to discover what is the secret key (the one held by Microsoft) so that we can sign our own data packets with our discovered key, and pretend to be Microsoft.
This is called craking the key. Got it? How do we do that? Well, given the information we have, it is possible, but it is a computationally very hard problem, that gets harder the longer that the key length is. We need a supercomputer.
Here is some information regarding how hard it is:
http://en.wikipedia.org/wiki/RSA_Factoring_Challenge
http://en.wikipedia.org/wiki/The_Magic_Words_are_Squeamish_Ossifrag…
AFAIK, the longest key length succsefully cracked so far is 633 bits.
It requires a supercomputer to crack longer keys than that. It is a problem ideally suited to massively parrallel supercomputers.
http://en.wikipedia.org/wiki/Distributed.net
http://en.wikipedia.org/wiki/Brute_force_attack
OK, so do we know of a massively parrallel supercomputer that might be up to this task?
Why yes, actually, we do:
http://en.wikipedia.org/wiki/Storm_botnet
OK, so can blackhats get access to that resource?
Why yes, actually, they can.
So you can probably bet safely that this very problem is a task that the storm botnet is working on right now. It will take some time, but it could be possible for the WU secret key to be cracked by the storm botnet in some reasonable timeframe.
OK, so if it is cracked, then the blackhats in control of the storm botnet will have the secret key. They can write their own version of WU, sign it as if they were Microsoft, and send it out to all Windows computers that are listening, masquerading as an update to WU.
All Windows computers (worldwide) that have WU set to “automatic”, or even just to “inform of updates but do not install” will then accept the balckhat’s package via the WU backdoor, in the belief that it is a genuine update to WU from Microsoft, and automatically apply the changes without asking locally for permission. This would number hundreds of millions of machines.
The result would be hundreds of millions of compromised Windows machines. Apart from the goodies to be had directly form those machines, the storm botnet itself would suddently become 100 times more powerful. This botnet supercomputer would then have the power to crack any RSA key pair in the world.
World banking would come down. The Internet would come down. I can’t beigin to describe the devestation that a key to a Windows backdoor would unleash.
Edited 2007-09-18 01:19
You just don’t get it. I’m sorry.
Maybe someone else will listen to you spew gibberish, but I’m done.
http://en.wikipedia.org/wiki/Ad_hominem
Thankyou for your effective admission of my point.
Hey, genius. Look at your post right before mine.
Are you naturally this stupid, or do you have to work at it?
Whoops?
You didn’t read the definition, did you.
Not only did I infer you weren’t keeping up with the discussion, I did also address the substance of your claim, which was that I was ignoring that WU updates had to be signed as Microsoft.
You were wrong about that, and I patiently explained the full method of unlocking the backdoor that WU presents, that should have been obvious to you, had you actually read the references I gave you earlier.
Since I addressed your comment, as well as pointing out how you were showing a distinct lack of any clues, my post easily avoids falling within the definition of “ad hominem argument”. To qualify as an ad hominem attack would have required me to have called you stupid without saying why.
Granted, your very latest post (to which this is a reply) also avoids being an ad hominem attack, because you actually attempted to make a point. Your latest post then is mere sarcasm … unfortunately for you were wrong yet again.
Be advised that you are only getting this treatment from me after several claims from you that I didn’t understand something or other, when actually I did understand it, and it was in fact you who were struggling to follow.
What is good for the goose is, after all, good for the gander.
Edited 2007-09-18 13:47
Ohhh, so because you made further arguments, it’s ok to be insulting?
Sorry, no dice. Try again chump. RMS wouldn’t be very proud of you.
You are easily confused, aren’t you? No, you have it wrong again.
It is OK for me to insult you, because you tried to do just that to me several times first.
As I said, what is good for the goose is good for the gander.
My other point was that “because I made further arguments”, my post couldn’t be called an ad hominem attack, unlike your post, which contained nothing but an insult (which was wrong BTW).
So yet again, even now, you are wrong. That is at least one thing you are apparently very good at … being wrong.
Chump.
What happens if ANY update servers (including those hosted by debian, redhat, apple, etc) get hacked? A lot of people are screwed.
Well, there is the difference that Debian machines don’t automatically download software from the Debian servers
But yes, any kind of updating service which is hacked poses a severe security threat. But then.. turning on your computer poses a threat in itself. And the greatest threat is sitting 40 centimeters from the monitor.
That darn Evil Monkey, always sitting there, staring at me…
Silly boy, you need to learn how to Spank the Monkey !
You’re talking about that annoying Monkey-ad that promised Gold and Green Forests?
emmm, no.
I was talking about spanking the evil monkey, he needs to be kept under control
NOTHING ///
My machine uses RPM (yum or up2date) to install packages.
The packages have to be SIGNED by a private GPG key before they will install.
The key that is required to sign the pacakges is not stored on the update server at RedHat.
SO .. if someone replaces the real packages with fake ones, nothing at all happens on my machine, other than I am told that these packages are not signed by the proper key.
SEE … don’t ask retorical questions when the answer makes you look bad
How do you know Microsoft doesn’t have the same type of thing in place?
You do also know about Windows File Protection, right?
Windows File Protection is for files already installed on your computer, not files on a remote server.
AFAIK WU uses digitally signing. I could be mistaken though, but I cannot believe MS would run an update service without digitally signed packages. Perhaps in the old Win98 days, but not today.
If you try to replace system files with files not signed by Microsoft, WFP complains. That’s my point.
Incorrect.
Windows File Protection will only protect files it has indexed AFTER they are installed on a computer.
Have a look here please
http://en.wikipedia.org/wiki/Windows_File_Protection
Uh.. yeah. Your point?
You install windows.
WFP protects system files.
WU servers get hacked
You run WU
Assuming (most likely wrongly) that WU client doesn’t make sure the files are signed, it replaces the files
WFP says “yo wtf?” and restores the original versions.
Seriously, what are you even trying to say?
Clearly, you are confused by this…
WFP protects YOUR systems files, so, when WU runs an update, the new files come down and get installed, the signiture gets checked and WFP notices that files have changed. Normally, it will not allow this.
However,
WFP has no way of checking whether a remote site is hacked or accurate, and WU are assumed to be coming from pristine Microsoft servers.
WFP will install the new update and recreate its signatures.
Therfore, if someone cracks into the Microsoft WU server, and sticks a load of spyware and virus programs onto it, then your WU will happily download and install the malware. Even going so far as protecting the downloaded malware, if it has the same filename as a system file.
WFP has been created to stop the USER either deleting/renaming or generally hosing his own system files.
WFP was never meant to be something like PGP-Keys for download servers, the way some linux distros use. These check the validity of the file, using the checksum that the original author created before uploading the file. These checksums “MD5” are usually on the authors page, or the maintainer of the repository sends them.
Thus, if the servers get cracked, the files and the checksums are at a mis-match, so the files cannot be downloaded.
WFP should be like this, unfortunately for users, it is not.
WFP has no way of checking whether a remote site is hacked or accurate, and WU are assumed to be coming from pristine Microsoft servers.
WFP will install the new update and recreate its signatures.
This is where we apparently disagree. Until we have more information on how it actually works, I guess neither of us can be right.
I’m not sure what you mean by “update and recreate its signatures” though. WFP doesn’t create signatures. It verifies that a file is digitally signed by Microsoft. WU is the one that updates the files.
If WU updates a file that isn’t signed in the first place (which again, we don’t know that it would, and it probably wouldn’t), WFP won’t cache it and will instead replace it.
So no, I’m not confused, dick.
Oh, you are not confused, but instead, you revert to name calling ?
I wont.
You are wrong assuming that wu uses digital signatures, it does not, Microsoft says it does not, WU does not first offer to get your MD5 checksums before updating.
Ok, if they don’t, paste a link to an article or site saying so. Linking to search results doesn’t count.
And how many average users would care about md5 checksums? Not very many.
Sorry Matt,
If you do not understand the importance of MD5, and why it should be checked, I don’t think I should waste time arguing with you.
Those links I posted, all show that WU does not use digital signing on the servers. Every link, take your pick.
No, you didn’t post any direct links saying so. Post a direct link and post a quote or shut up.
Also, I never said the I do not “understand the important of MD5”, I said that most people won’t check, not that they shouldn’t. If you can’t understand that fundamental difference, I’m sorry.
Once again, just to be clear … it might not be even necessary to “crack into a Microsoft WU server”.
All that is required is to make the WU on the Windows client machine **THINK** that it is getting an update from a Microsoft WU server.
Several techniques apply:
http://en.wikipedia.org/wiki/Spoof
Edited 2007-09-15 13:48
All that is required is to make the WU on the Windows client machine **THINK** that it is getting an update from a Microsoft WU server.
Goes for any update service.
… but not such a weakness for update notifiers which still require manual input of credentials by a local user before any update is installed.
Also not such a weakness for any system where the binary executable payloads that are supposed to be coming from repositories are independently verifiable as authentic (by compilation of source).
Edited 2007-09-15 14:12
So each and every time you update, you go ahead and verify the server you are getting your updates from hasn’t been compromised and is who it says it is? Somehow, I doubt that, and I can guarantee you most people wouldn’t. Most people would just blindly enter their credentials and let the fake server do it’s thing.
Please please please, I’ll ask one more time, think before you post.
In fact have a look for yourself, here is a search of digital signing and windows update on Microsofts own Technet…
http://search.microsoft.com/results.aspx?q=%22digital+signing~*…
Uh, yeah, and which of those has direct information on digital signing and WFP on Windows XP?
Obviously you found which of those links and found the information for yourself, so go ahead and share.
True; this was raised from another point of view; what happens if someone can find how it works and attract the end users machine from that vector – using an apparent ‘legitimate’ open door where by the WU can be updated to point to an illegitimate source and thus, ability to deploy false updates which are actually anything ranging from adware to spyware to virus’s.
The issue I think which people forget, and you have raised in your post is this; the issue isn’t necessarily privacy per say but how this ‘technology’ can be exploited.
It is very easy to remedy. You simply have the updater update itself when you check for updates.
The updater informs the user about the need for the update every time a manual update check is attempted, they have to do it to use the current update system.
Simple. Very simple. No need to do anything automatically.
Of course, I think automatic updates ( auto-download-install ) is The Dumbest Idea Ever(R).
–The loon
But it can’t check for updates without the updater update. In 3 of the 4 settings, the updater automatically checks for updates, which is when you say its ok for it to update itself.
The 4th setting, according to some people, doesn’t automatically update the updater anyway.
The fourth approach will however result in Windows Update being updated automatically the moment you manually launch Windows Update. There will be a message with BIG LETTERS stating that it is checking to see you are running the newest version. I can’t remember the exact wording now, but WU is updated the first time you run it manually after an update of WU is available.
If this was normal surely it would have happened before, perhaps it is my memory but I can’t remember any other instance of it happening.
Asside: Has anybody with the updated files tried to use a 3rd party updates service such as Windiz Update yet?
http://windowsupdate.62nds.com/
“If this was normal surely it would have happened before, perhaps it is my memory but I can’t remember any other instance of it happening. “
——————-
According to the Microsoft blog, Windows Update has been like this since the introduction of XP, and has updated itself in the past many times in the past.
http://blogs.technet.com/mu/archive/2007/09/13/how-windows-update-k…
Just to reinforce what dylansmrjones is saying, according to the Microsoft blog, a user can set Windows update to one of four settings: “1) Install updates automatically, 2) Download updates but let me choose whether to install them, 3) Check for updates but let me choose whether to download and install them, and 4) Never check for updates”, and that Windows Update components themselves auto-update for all settings except setting (4). The reason, as stated in the blog, is that if the user is using Windows Update at all, even just to check if updates are available, then the client-side Windows Update components must be kept in sync with the server-side components. According to the blog, the Windows Update components do NOT update themselves if the user completely turned off Windows Update, that is for setting (4).
The earth-shattering story that was reported yesterday is that someone found that Windows Update components were updated for settings (2) and/or (3). But according to the Microsoft blog, “This has been the case since we introduced the automatic update feature in Windows XP. In fact, WU has auto-updated itself many times in the past.”
The Microsoft blog also says that this does not affect those that use WSUS or SMS rather than Windows Update, so IT departments are still in complete control of the OS updating process.
The only issue here is that Microsoft should have more clearly disclosed that Windows Update components do update themselves for settings (2) and (3) (that they would update themselves for setting (1) goes without saying). But I’m not sure how to do that in a user friendly manner, because there is such a thing as “too much information” for a normal user to absorb. Probably just add a link to the Windows Update control panel that says “Click here for more information” that refers to a web page explaining in detail what the process is. I doubt normal users care; IT staff would care, but they probably already know and/or are using WSUS or SMS rather than Windows Update, in which case they wouldn’t be affected anyway.
I don’t think that if the user has set Windows Update for settings (2) or (3) that they should be notified every time that Windows Update components themselves need to be updated, and given the chance to deny that operation. I think it’s just too much info and would make setting (2) and (3) too cumbersome for users. But I know that many tech geeks like to know everything that is going on, so they would feel differently about it. But if Microsoft did change Windows Update to allow the user to reject updating Windows Update components for settings (2) and (3), such an option must be accompanied by a big loud warning saying that if the user does reject updating the Windows Update components, then the Windows Update setting will change to setting (4). (I doubt many that intentionally chose settings (2) or (3) would go for that, which is why I think such an option is a waste of time for both Microsoft and the user.)
If you want more details, be sure to read the MS blog.
BTW, the term “stealth” that I saw bandied about yesterday (and sadly, today on osnews) is sensationalistic, as the event logs show exactly what Windows Update component files were updated and exactly when that update took place. A “stealth” update wouldn’t record any logs for the event.
Edited 2007-09-14 17:32
Well well.. damned if pigs cannot fly, MollyC – We agree on something
I’m slightly amused that you are seemingly getting modded down for “defending” Microsoft :p
Haha yeah
I’m having a great time with this
“I’m having a great time with this ”
I’m convinced that someone else is using your account actually…mother’s maiden name please? I’ve never seen you defend Microsoft
Agreed, there are people out there so blinded by their hatred from Microsoft they will mod down anyone who gives a rational explaination of anything Microsoft does.
There should be an ignore button for people like them.
Whilst the log exists, the real issue is that on closed source OS, you still don’t know actually what has been changed. All you know is some filenames, but that doesn’t actually prove anything.
I personally see only a small difference between the stealth update, and accepting an update. Either proves nothing about what code and functionality was actually changed in the update.
Ergo, this article blows things well out of proportion.
“The only issue here is that Microsoft should have more clearly disclosed that Windows Update components do update themselves for settings (2) and (3) (that they would update themselves for setting (1) goes without saying). But I’m not sure how to do that in a user friendly manner, because there is such a thing as “too much information” for a normal user to absorb.”
Yeah, if you’re a clueless Windows user…
Oh, please, this is just ridiculous. What’s so damn hard about saying that the Windows Update process will update itself at those 2 settings. It’s not rocket science to explain that.
Better yet, it shouldn’t do it. What’s so hard about putting in a notification system that says you need to update the Windows updater. If you can set the system to notify you only, notify that WU needs to be updated.
Some people just want to bend over backwards to excuse any stupid thing Microsoft does.
This is wrong on soo many levels.
Just one scenario:
MS servers are compromized and send out stealth updates with rootkits.
There you have a botnet that can take down COUNTRIES.
I just cant believe that company …
There is one problem with your scenario.
The Windows Update servers don’t send anything out. They don’t contact clients. It is the clients that contacts the servers. As such Windows Update is only a little more insecure than gentoo Portage, FreeBSD ports or Redhat repositories. Unless of course you have turned automatic updates/automatic downloads/notification on. It is easy fixed though. Turn off WU and launch Windows Update the first tuesday every month
Gentoo and Redhat ask for the root password and dont do anything in “stealth mode”. So this is a totally different ball game.
Windows Update cannot run unless it has Administrator rights.
And it doesn’t do anything in stealth mode unless you put it in stealth mode.
If you configure your gentoo box to automatically update (a cron-job) itself without notifying the running User you would have the same situation.
gentoo does not ask for the root password. It just fails to run because of missing rights (just like Windows Update) – unless it is configured to allow the user to run it as normal user. I don’t recommend that. Use sudo, please.
In pre-Vista Windows a Limited User Account (or Restricted User Account) cannot run Windows Update. A user cannot even receive notifications. The problem stems from most users running XP with Administrator rights. Imagine that!
This has nothing to do with user level security. This update takes place even when a user is not logged in.
WTF!? Anything to backup THAT claim?
My machine cannot connect to anything when no users are logged-in. And Windows Update does not run at all when the logged-in user do not have Administrator Rights. At least that is true for pre-Vista Windows.
I have several xp boxes behind a Firewall One firewall with content filtering turned on. And if the article is true then the versions are on there and no one has been loggin to this computer for quite some time and no admins for sure. We use SMS to do our up dates and have not installed this one. Through GP we have turned off AU because we use SMS.
\rvailc$WINDOWSsystem32SoftwareDistributionSetupServiceStartup wups2.dll7.0.6000.381
Remember, there are *two* users with administrator rights on a Windows system: Administrator and System. My guess is that this runs as the System user.
WU does not work when the logged in user does not have Administrator rights.
You can try for yourself. Log on Windows Update with a LUA (RUA in Win2K and Win2K3). It fails. Even with a power user does it fail.
I’ll have to check it to be sure, but it’ll have to wait. I’m not in the mood for rebooting (into Windows)
Microsoft own your copy of Windows so they can do pretty much what they want to it. It’s besides the point that the updates NEED to be done, but people dont want to be force fed by a spoon from them.
For the Windows users, it’s like it or lump it and you should be used to it by now. Windows users just put up with it and moan and it’s always the way.
You can just run your pre-Vista Windows as an ordinary user (Limited/Restricted User Account) instead of running with Administrator rights. Then WU won’t run at all.
Imagine running Linux as ‘root’ O_o
BTW: Turn off WU completely. That’ll solve the problem.
Oh, and about half of the programs you use won’t run either.
lol
Hmm… all my programs run fine as Restricted User.
Of course Installers need to run with Administrator rights. Use “Run as…”
Oh, and yes. Players utilizing DirectShow-filters need to run as Administrator to work (almost) flawlessly.
Apart from that I only have one application (from 1997) that doesn’t work properly. That has been fixed by giving my normal user read+write permissions for that applications folder in “Program Files”. I have another one which needs extra permissions to run, but it is not installed since changes in the XML-format on Hattrick.org has rendered the application useless.
Everything else works correctly. Only admin tools require Administrator rights, and rightly so.
On Tuesday AM, out of the blue, my copy of Vista self-destructed when MS “determined” I wasn’t using a legitimate copy. This was with a pre-installed OEM version on an HP laptop I purchased a few months ago; hence, no activation required. Yet, I woke up one morning and logged in to a screen telling me my version of Windows Vista was had an invalid activation key and that I could just go and bugger off because it wasn’t let me going to do anything.
In fairness, it was reasonably quickly resolved with a call to the MS activation hotline, but why the f*ck should I have to call MS for permission to use my computer when they randomly decide to shut it down? Particularly when it was purchased on a system to avoid activation headaches? It really irks me because the main reason I use Windows is for work, and it would have been really fricking embarrassing to show up at a customer site for a training preso with a locked laptop because MS had a hiccup.
As far as I’m concerned, MS needs a little more scrutiny on this from legal authorities. I’m still bitter. But it underscores the fact that users do need to realize that as long as they are connected to the internet, they have no true idea of what is occurring communication-wise between their system and Microsoft.
edit: typo
Edited 2007-09-15 02:31 UTC
In the corporate world updates most likely will be handled by an sus server somewhere on the intranet. In addition most users for obvious reasons aren't root anyway, forced by (AD) policy.
In this scenario, only the update software is being updated without user notification and not the system itself. That really isn’t a big deal.
To be honest, I wish the Linux distribution I use had some sort of automatic check for updates mechanism. I have to do it manually from command line everyday.
Cron is your friend
Unless you’re using LinuxFromScratch. In that case you are your own distro-maintainer.
What distro are you on? If you mentioned that, you would have had a solution already. I use adept notifier, which adds some stuff to /etc/apt/apt.conf.d so I can just change the values to auto check and download. Combine that with anacron so the machine doesn’t need to be on at update time, and life is very good.
It checks (apt-get update) and downloads (apt-get upgrade -d) without installing anything, then the adept-notifier pops up a little thing in the lower right of the screen, and I can install quickly when I want to without waiting for the download.
Then you should use Ubuntu, because it’s had this feature since Edgy Eft.
Although i wouldn’t mourn a single bit if MS would cease to exist overnight i do dislike sensationistic crap with the sole purpose of bringing discredit based on lies.
Yes, that is indeed a rubbish site, none of the other links work correctly, it just appears to be one big advert
It seems Vista runs on a need to know basis…
Sometimes my hard drive is thrashing away and I don’t have a clue why. I’m not doing anything, so why is windows. I have the knowledge to install process wathcers and HD activity monitors but I want an OS that keeps my informed at all times whats happing in the background. That does not mean it has to throw all that info in my face but I should be able to get a low down on what exactly is happing at any given time I choose to know.
“Sometimes my hard drive is thrashing away and I don’t have a clue why. I’m not doing anything,”
Would you rather it be thrashing your drive while you’re <em>using</em> the machine?
Vista will adapt to your usage patterns and try to do background stuff whenever it thinks you’re not using the machine.
He didn’t say he was not using the machine. He said he was not doing anything at the moment.
When the drive starts trashing and Winblows is doing it’s “cloak&dagger” stuff, you can’t use the machine because it’s not responsive.
That’s what Microsoft claims. You worked on Vista and have access to the source code that does that to back up that claim?
Microsoft makes a lot of claims, none of which are true though.
And in practice when using the OS it’s very easy to see that. As the poster said about the disk trashing for no reason at all, and many can confirm that, myself included (yes, I work on Vista regularly too).
So no, Vista doesn’t adapt to anything and it most certainly does not think. It just barely runs if you don’t ask it to do too much.
GG, insert coint to play again Jason.
What freakin’ difference does it make whether the update is automatic or not? Have you ever manually scanned each and every bit of every package update on your Linux machine? Whether it automatically updates or you manually tell it to update, either way, if the server is hacked you’re going to get screwed.
Oh, wait, most Linux update services use signed packages? Unless you’re telling me the Microsoft updates aren’t signed, that’s still irrelevant – Linux updates (manual or otherwise) would still be just as dangerous as any Windows automatic update – which would be “not very dangerous at all.”
Unless of course the build servers for package updates are hacked, but then, I’m willing to bet that Microsoft’s build server network has a more secured setup for that than any Linux distribution. Microsoft’s build servers aren’t community accessible, for one.
I’ve had Linux machines die after a bad manual update. Manual updates guarantee nothing at all, except that the updates are less likely to get applied in a timely manner, if at all. (Almost every Linux server I’v worked on as a contractor never had any updates applied to it until I came along. Wouldn’t be a problem if they were automatic. Except, wait, binary compatibility is EVIL and only good for proprietary software, and has nothing to do at all with being able to safely update a live system and expect all of its existing self-compiled/installed software to keep working.)
The difference between automatic, and tell me the updates so I can say yes is that it allows me to determine when to install (in case of a kernel update that requires a reboot or glibc update that requires daemons to be restarted) and I can look at what is about to happen so that if the update borks the machine, I have a chance of knowing what actually broke things, making recovery easier.
Ummm, Linux distro maintainers are TRUSTED by their users, Microsoft IS NOT trusted by anyone (can yo spell ANTITRUST ?)
You’d most likely lose that bet.
Was the source code to Win2k not stolen a few years back?
Besides, Microsoft treats its network as a bank, Linux distro sites are like community centres, yet they still managed to be VERY secure and trustworthy.
Well, that’s a good testament to the quality and security by design of Linux. You can have a server running without any updates for a long time and it stays secure and running well without any updates.
Intall Windows without any updates and it’s hacked inlike what, 15 minutes?
BTW, I took off a point off your post because you posted a rant without thinking. Hopefully you’re not doing that when working as a “contractor” on Linux servers.
I always have windows update disabled and the update service itself stopped and disabled on all the windows machines I use, with the exception of the short periods of time I specifically want to update those machines. I don’t like surprises.
It’s operational.
I had a client call me fifteen minutes ago. His workstation PC rebooted after this update. Then he can’t remote login and his email didn’t run in the morning, so his email isn’t ready for him to read when he gets in.
If Microsoft didn’t have this idiotic necessity to reboot every damn time it modifies the OS, it would be a lot easier to recommend automatic updates.
This is why you never do automatic updates on a server.
But it can be a problem even on a workstation.
listen ms put this update into stealth/install-no-matter-what mode. if you don’t get that this obscure behavior is a potential security risk then ok …
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12)
i love it.
Still software from your harddisk. I rather boot an original norton ghost CD and clone the box from a DVD image.
I have yet to see malware that adds malicious code to a DVD though thin air
http://blogs.technet.com/mu/archive/2007/09/13/how-windows-update-k…
First, Microsoft signs just about every binary they produce. If you’ve ever downloaded a Word doc from Microsoft’s site, sometimes you used to find that it was wrapped in a self-extracting EXE. This was done solely so that they could put a digital signature on it. Obviously the private keys used for Windows are very tightly guarded and they are not likely to be on the Windows Update servers. Likely they are only available on the machines that do “Official” builds of Windows (a small, tightly-controlled set of machines).
WU updating itself automatically when enabled is an interesting decision. I bet there was a long discussion about this at some Windows group meeting before they came up with a consensus to accept this behavior. The choices are twofold:
1) Only inform the user of a single update (the WU update) and potentially require two update check/install cycles to fully update the machine. Pros: user gets full control of _every single_ update to his or her machine. Cons: A user has no idea how many updates they will actually get when a WU update comes out and may not notice further updates stuck behind the WU update.
2) Current behavior. Pro: Having a single update cycle makes it less likey that a user will fail to notice important updates after the WU update. Con: User loses control of the machine with regards to updates to WU itself. Mitigation: WU components should have pretty much no application compatibility or stability impact on the rest of the system.