[ale] [OT and sorry] - M$ patches and security advice?
Jonathan Rickman
jonathan at xcorps.net
Thu Sep 11 22:22:41 EDT 2003
On Thursday 11 September 2003 21:20, Frank Zamenski wrote:
> If the ver is Win2K SP3 (or maybe it is SP4?), it has a slightly
> different gimmick (it was added with one of those later SPs): like Win
> eXtra Poo does now, it encourages you with this damn annoying info
> balloon you see on your lower-right desktop shortly after logging in
> (which you can NOT disable) to set up auto-update. It is said that by
> enabling that, the OS will then do all this update nonsense for you in
> the background, doing gawd only knows what to the PC. Can't say I
> recommend it.
Frank, this is not directed at you in particular.

I need to clear up some apparent misconceptions about how the Windows
Update process works. If it sounds like I am defending MS, then so be it.
Secure computing is my number one priority, Linux evangelism takes a
backseat and with it, MS bashing. Do not be afraid of Windows Update,
just be cautious when using it just as you should be when patching any
system. You really have no choice in the matter if you want a secure
system. MS is the sole provider of Windows and is therefore the sole
provider of updates. Different from the Linux world? Yes. Hard to
understand? No.

The auto update feature can be disabled on 2k and XP (not sure about
9x), contrary to what has been stated. If enabled, it will contact MS
periodically to check for the presence of an updated file (XML IIRC) and
compare that file against its registry. This can be verified using
standard network and system diagnostic tools. There are 3 settings to
the current version of Windows Update on Win2k and WinXP. You can set it
to notify you when updates are available, download updates without
installing and notify you when they are ready, and for the truly
brave...automatically download and install patches at a scheduled time. I
do not recommend the third option, for obvious reasons.

Windows is not quite like a *nix system, where you can effectively
ignore many security advisories that involve local exploits on a single
user system. The internals of a Windows system are so tangled that
practically any vulnerability can be leveraged remotely with a little
creativity on the part of the attacker. Often the presence of more than
one vulnerability that alone is not critical, can lead to a total
compromise of a Windows system. IMNSHO, failing to take advantage of this
service on a Windows system is...ahem...not smart. Ironically, many of
those who turn the feature off for whatever reason, are the same folks
who won't hesitate to apt-get/emerge themselves into oblivion without so
much as a moment of hesitation. They will often brag about it as well.

Security is a process, not a product. I would daresay that I can lock a
Windows box down tighter than 90% of Linux admins can lock down their
Linux boxes...and I personally despise Windows. Does that make Windows
more secure? No. It means that my methods are more secure. If you run
Windows, use Windows Update. Don't leave yourself open to compromise. If
you distrust MS to the point that you will not patch Windows, then IMO
you should not use Windows at all. Furthermore, if you're that paranoid
you should not trust Linux distributors either and should build from
audited source. I'm all for a good old fashioned MS bashing session, but
let's not hand out bad advice in the process.
--
Jonathan Rickman
Key ID: 0DF501FF