Re: [Full-Disclosure] Windows Update

[Barry Fitzgerald <bkfsec@xxxxxxxxxxxxxxxx>]

Michael Schaefer wrote:

> It looks like windows update requires Automated Updates to be set to 
> automatic startup, but does not require the process to actually be 
> running...
>
> So the statement that they are "required" is obviously false.
>
> As a work around, I can manually change the startup status, do the 
> windows update, then change the startup status back to manual.
>
>
> Seriously annoying, but doable.
It's a little bit more than seriously annoying, though.  It represents a 
very poor design choice.

Obviously, if this setting change works, it means that the automatic 
update client is not actually necessary to install patches from 
windowsupdate.  I could see the service requirement *if* Microsoft were 
piggybacking the installation code off of the client in an effort to no 
longer rely on installing the code with an ActiveX control, however what 
this demonstrates is that the only reason to do this check is strictly 
to ensure that automatic updates is running.

This is either a bug or a very poor design choice. 

If the idea is to ensure that everyone has automatic update running, 
then it's going fail.  The people who are getting their updates from 
WindowsUpdate are not the people you generally need to worry about 
getting their patches -- it's the people who don't know about 
WindowsUpdate and who don't have automatic update running that you have 
to worry about.

What I'm saying is that warning people is good; blocking people is bad.

It's kind of like not letting someone get a medical checkup if they 
don't check their blood sugar everyday.  It hurts people more than it helps.

            -Barry





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html