Re: Windows Update: A single point of failure for the world's economy?

To: Paul Schmehl <pauls@xxxxxxxxxxxx>
Subject: Re: Windows Update: A single point of failure for the world's economy?
From: Barry Fitzgerald <bkfsec@xxxxxxxxxxxxxxxx>
Date: Thu, 04 Sep 2003 10:57:37 -0400
Cc: Stefano Zanero <stefano.zanero@xxxxxxxx>, BugTraq <BUGTRAQ@xxxxxxxxxxxxxxxxx>
In-reply-to: <2705798112.1062604589@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <E9A01F52DC939448BBDE44ED2E1C468F24083E@xxxxxxxxxxxxxxx> <08bc01c36ff2$5ee1c910$03c8a8c0@xxxxxxxxxxx> <2705798112.1062604589@xxxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624

Paul Schmehl wrote:

--On Sunday, August 31, 2003 09:01:49 PM +0200 Stefano Zanero<stefano.zanero@xxxxxxxx> wrote:
Enabling a world-wide auto-update feature does indeed seem much of a
security risk to me.
More of a risk than up2date for RedHat or emerge -u system forGentoo? Or cvsup for *BSD?

I don't think that it's the existance of the autoupdate feature in thefirst place that is the problem, but the fact that they're thinkingabout making it impossible to turn off. Mandating patches and removingthe control to stop them from being applied - either from the end useror the administrator - is a seriously bad thing. Having methods ofeasily updating your system, on the other hand, is a good thing.

And I'll be the first to say that any existing mature package managementsystem (by this I mean RPM's and DEB files) for *nix systems is far more"fault tolerant" than MS Windows' patching methodology. That's not tosay that I haven't installed RPMs in the past that have caused metrouble - I have. But, rather, that the issues have been fewer andeasier to resolve, in my experience. Try remotely diagnosing an issuewith RPM roll-out versus an issue with an MS patch roll-out and you'llsee the difference - it's as clear as day.And I'm not just talking about patches which make a systemnon-bootable. To limit "problems with patches" to mean "making asystem non-bootable" is to only consider one of the worst possibleresults of patching. Patching can have other problematic results thatdon't show up immediately. That's the problem with having mixed DLLsand other files on the system. Diagnosing problems like this stemmingfrom Microsoft released patches can be really troublesome sometimes.But, that's just the difference between the way that MS Windows isengineered and the way that GNU/Linux is engineered.So, yes, I do consider patching MS Windows systems to be more of a riskthan patching RedHat or Gentoo systems - and by extension an autoupdateris also more of a risk. That's just my experience.

Having said that, I don't allow any of my systems to automaticallyupdate. I prefer to have more control than that.


            -Barry

References:
- Re: Windows Update: A single point of failure for the world's economy?
  - From: Paul Schmehl

Prev by Date: Re: Windows Update: A single point of failure for the world's economy?
Next by Date: RE: Windows Update: A single point of failure for the world's economy?
Previous by thread: Re: Windows Update: A single point of failure for the world's economy?
Next by thread: Re: Windows Update: A single point of failure for the world's economy?
Index(es):
- Date
- Thread