RE: [Full-Disclosure] Windows Update: A single point of failure for the world's economy?
- To: "'full-disclosure@lists.netsys.com'" <full-disclosure@lists.netsys.com>
- Subject: RE: [Full-Disclosure] Windows Update: A single point of failure for the world's economy?
- From: "Serge van Ginderachter (svgn)" <svgn@orbid.be>
- Date: Tue, 19 Aug 2003 20:20:08 +0200
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>RE: [Full-Disclosure] Windows Update: A single point of failure for the world's economy?</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>This makes me wonder about the differences / similarities to the debian apt repositories in general and security.debian.org in particular. ("Debian" is more like an example here, I guess there are a lot of similar other examples.)</FONT></P>
<P><FONT SIZE=2>Does Windows Update feel dangerous because it's</FONT>
<BR><FONT SIZE=2>- Microsoft, and that's very big and widely deployed?</FONT>
<BR><FONT SIZE=2>- commercial</FONT>
<BR><FONT SIZE=2>Do Debian repositories feel safe because they're</FONT>
<BR><FONT SIZE=2>- Open Source, GPL'ed or free as in beer and speech?</FONT>
<BR><FONT SIZE=2>- non commercial</FONT>
</P>
<P><FONT SIZE=2>Is this basically all there is to it, or would there be other perspectives?</FONT>
</P>
<BR>
<P><FONT SIZE=2>Some thoughts:</FONT>
<BR><FONT SIZE=2>- Debian repositories have a lot of mirrors. security.debian.org does not, AFAIK.</FONT>
<BR><FONT SIZE=2>- I do trust the Debian patch system far more. I automate it on my servers, which I'd never dare on Windows servers. Not sure if I can give valid arguments on this.</FONT></P>
<P><FONT SIZE=2>- remember that a big part of those differences might be more related to the underlying technology on OS-level (unix parts vs. windows integration) than to other reasons?</FONT></P>
<P><FONT SIZE=2>- ...</FONT>
</P>
<BR>
<BR>
<BR>
<P><FONT SIZE=2>Serge van Ginderachter</FONT>
</P>
<BR>
<BR>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Richard M. Smith [<A HREF="mailto:rms@computerbytesman.com">mailto:rms@computerbytesman.com</A>]</FONT>
<BR><FONT SIZE=2>Sent: Tuesday 19 August 2003 18:47</FONT>
<BR><FONT SIZE=2>To: full-disclosure@lists.netsys.com</FONT>
<BR><FONT SIZE=2>Subject: [Full-Disclosure] Windows Update: A single point of failure for</FONT>
<BR><FONT SIZE=2>the world's economy?</FONT>
</P>
<BR>
<P><FONT SIZE=2>Hi,</FONT>
</P>
<P><FONT SIZE=2>The Washington Post has an article in today's paper saying that</FONT>
<BR><FONT SIZE=2>Microsoft is mulling over making the Auto-Update feature of Windows XP</FONT>
<BR><FONT SIZE=2>be turned on by default. The article can be found here:</FONT>
</P>
<P><FONT SIZE=2> Microsoft Weighs Automatic Security Updates as a Default </FONT>
<BR><FONT SIZE=2> <A HREF="http://www.washingtonpost.com/ac2/wp-dyn/A11579-2003Aug18" TARGET="_blank">http://www.washingtonpost.com/ac2/wp-dyn/A11579-2003Aug18</A></FONT>
</P>
<P><FONT SIZE=2>This move by Microsoft sounds pretty scary to me. I am willing to bet</FONT>
<BR><FONT SIZE=2>that if Microsoft proceeds with these plans, the Windows Update Web site</FONT>
<BR><FONT SIZE=2>could easily distribute and install new software on hundreds of millions</FONT>
<BR><FONT SIZE=2>of Windows computers in a day or two. </FONT>
</P>
<P><FONT SIZE=2>The risk here is that the system could be exploited by a disgruntled</FONT>
<BR><FONT SIZE=2>Microsoft employee and become the ultimate malware distribution system.</FONT>
<BR><FONT SIZE=2>It seems to me that Microsoft is in the process of creating a single</FONT>
<BR><FONT SIZE=2>point of failure for the world's economy.</FONT>
</P>
<P><FONT SIZE=2>I am wondering what sort of security and accounting systems that</FONT>
<BR><FONT SIZE=2>Microsoft has in place to prevent an insider attack on the Windows</FONT>
<BR><FONT SIZE=2>Update Web site?</FONT>
</P>
<P><FONT SIZE=2>As one data point, yesterday I updated my wife's Windows Me laptop at</FONT>
<BR><FONT SIZE=2>the Windows Update site to repair the DCOM security hole. One of the 20</FONT>
<BR><FONT SIZE=2>patch files I downloaded was something for DirectX. This patch file</FONT>
<BR><FONT SIZE=2>caused the laptop to hit a blue screen of death in some VxD near the end of</FONT>
<BR><FONT SIZE=2>the Windows boot process. Luckily for me, the system seemed to repair</FONT>
<BR><FONT SIZE=2>itself after the 4th reboot. I really didn't relish the idea of</FONT>
<BR><FONT SIZE=2>explaining to my wife how I broke her laptop.</FONT>
</P>
<P><FONT SIZE=2>Richard M. Smith</FONT>
<BR><FONT SIZE=2><A HREF="http://www.ComputerBytesMan.com" TARGET="_blank">http://www.ComputerBytesMan.com</A></FONT>
</P>
<BR>
<BR>
<P><FONT SIZE=2>_______________________________________________</FONT>
<BR><FONT SIZE=2>Full-Disclosure - We believe in it.</FONT>
<BR><FONT SIZE=2>Charter: <A HREF="http://lists.netsys.com/full-disclosure-charter.html" TARGET="_blank">http://lists.netsys.com/full-disclosure-charter.html</A></FONT>
</P>
</BODY>
</HTML>