Re: Windows Update: A single point of failure for the world's economy?

To: "Paul Schmehl" <pauls@xxxxxxxxxxxx>, "Stefano Zanero" <stefano.zanero@xxxxxxxx>, "BugTraq" <BUGTRAQ@xxxxxxxxxxxxxxxxx>
Subject: Re: Windows Update: A single point of failure for the world's economy?
From: "Kurt Seifried" <bt@xxxxxxxxxxxx>
Date: Wed, 3 Sep 2003 16:02:05 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <E9A01F52DC939448BBDE44ED2E1C468F24083E@xxxxxxxxxxxxxxx> <08bc01c36ff2$5ee1c910$03c8a8c0@xxxxxxxxxxx> <2705798112.1062604589@xxxxxxxxxxxxxxxxxxxxx>
Reply-to: "Kurt Seifried" <bt@xxxxxxxxxxxx>

> > Enabling a world-wide auto-update feature does indeed seem much of a
> > security risk to me.
> >
> More of a risk than up2date for RedHat or emerge -u system for Gentoo?  Or
> cvsup for *BSD?

Yes. These systems are voluntary. The structure of UNIX systems, and updates
makes it much easier to test and update and less likely to kill a system
even if it is flawed. Updating user space applications in Red Hat, other
then SSH causes me essentially no nervousness. If Apache bombs out I can
trivially roll it back to an older version, or if it's totally screwed up
remove, and replace (and not lose my config files either since most RPM
packages are designed to protect old/original config files). I cannot
selectively install say 90% of Service Pack 4 in Windows 2000, it's pretty
much all or  nothing. In Red Hat (and Linux/BSD in general) there are no
roll up security fixes (exceptions being appliance vendors, but those are
much more tightly bound environments and less likely to suffer update
related problems).

To put it bluntly:

Compare the number of times MS has had to re-release patches/updates or
additional fixes because it kills/breaks something vs.s. the number of times
Red Hat or SuSE does.

P.S. even if MS does solve most of these issues they still have painted
themselves into a corner due to their rather insane file locking which
requires a reboot in virtually every circumstance you want to replace
important files.

> Paul Schmehl (pauls@xxxxxxxxxxxx)



Kurt Seifried, kurt@xxxxxxxxxxxx
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

References:
- Re: Windows Update: A single point of failure for the world's economy?
  - From: Paul Schmehl

Prev by Date: Re: RIP: ActiveX controls in Internet Explorer?
Next by Date: Re: Windows Update: A single point of failure for the world's economy?
Previous by thread: Re: Windows Update: A single point of failure for the world's economy?
Next by thread: Re: Windows Update: A single point of failure for the world's economy?
Index(es):
- Date
- Thread