Bugtraq mailing list archives
Re: Windows Update: A single point of failure for the world's economy?
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Thu, 04 Sep 2003 10:57:37 -0400
Paul Schmehl wrote:
> --On Sunday, August 31, 2003 09:01:49 PM +0200 Stefano Zanero <stefano.zanero () ieee org> wrote:
>
>> Enabling a world-wide auto-update feature does indeed seem much of a security risk to me.
>
> More of a risk than up2date for RedHat or emerge -u system for Gentoo? Or cvsup for *BSD?
I don't think that it's the existence of the autoupdate feature in the first place that is the problem, but the fact that they're thinking about making it impossible to turn off. Mandating patches and removing the control to stop them from being applied - either from the end user or the administrator - is a seriously bad thing. Having methods of easily updating your system, on the other hand, is a good thing.
And I'll be the first to say that any existing mature package management system (by this I mean RPMs and DEB files) for *nix systems is far more "fault tolerant" than MS Windows' patching methodology. That's not to say that I haven't installed RPMs in the past that have caused me trouble - I have. But, rather, that the issues have been fewer and easier to resolve, in my experience. Try remotely diagnosing an issue with RPM roll-out versus an issue with an MS patch roll-out and you'll see the difference - it's as clear as day. And I'm not just talking about patches which make a system non-bootable. To limit "problems with patches" to mean "making a system non-bootable" is to only consider one of the worst possible results of patching. Patching can have other problematic results that don't show up immediately. That's the problem with having mixed DLLs and other files on the system. Diagnosing problems like this stemming from Microsoft released patches can be really troublesome sometimes. But, that's just the difference between the way that MS Windows is engineered and the way that GNU/Linux is engineered. So, yes, I do consider patching MS Windows systems to be more of a risk than patching RedHat or Gentoo systems - and by extension an autoupdater is also more of a risk. That's just my experience.
Having said that, I don't allow any of my systems to automatically update. I prefer to have more control than that.
-Barry