Full Disclosure mailing list archives

RE: Windows Update


From: "joe" <mvp () joeware net>
Date: Wed, 25 Aug 2004 08:23:33 -0400

Yes, the update that caused the issue was a "dat" file update, not an engine
update. I agree, I think our AV product line sucked. Actually many of us
consistently said it was worse than the viruses it was trying to protect us
from. I will let you guess the product, but it is a common one for large
companies and starts with a Mc.

You are correct that it is the default; however, I think as a whole that
is the safer choice for the default. People who understand the system, or
even understand they have to do updates, will know or be able to figure out
how to disable the automatic install and whether they want the automatic
download. If MS didn't set that default, then the next time a worm or virus
slid through that would have been stopped or slowed by a majority of the
non-techie users having had their machines on autoupdate, they would have
taken a beating from this community for not having done so.

I think you have to look at your user population in order to decide how you
should implement different things. There may be an ideal world answer but if
it doesn't address reality it isn't so good. Windows has an extremely large
number of non-technical users and admins running around, more than any other
OS. MS has to take that into account when doing things. If they didn't set
that updates need to be auto-downloaded/installed how many (by percentage)
Windows users/admins do you think would know to actually turn it on? How
many knew to turn off IIS in the earlier Windows incarnations? I would be
surprised to hear a number greater than 15-20% but I am taking a wild guess.
The folks that don't want auto-updates are probably of the more technical
realm so they shouldn't have tremendous issues disabling the updates. 




  joe

-----Original Message-----
From: Über GuidoZ [mailto:uberguidoz () gmail com] 
Sent: Tuesday, August 24, 2004 6:13 PM
To: joe
Cc: FD
Subject: Re: [Full-disclosure] Windows Update

A very valid point Joe, thanks for bringing it up. I DID say I only allow
virus definition files to auto-update, not program updates. Are the
definition file updates the ones causing the problems you speak of, or the
program updates to the scanning engine?

Besides that, if you can't trust the definition updates to go properly,
then you seriously need to think about changing AV products.
;)

Reading further down the conversation, I see discussion on the Auto-Update
service. Some good points were mentioned here too. Just because it is
enabled doesn't mean you have to let them INSTALL. In fact, you can do an
advanced install method to pick and choose which patches to install from the
downloaded updates. A nice feature indeed - I hope this hasn't been altered
post-SP2. (I never checked.) My point was to argue against the automated
downloading and installing of updates, which I believe IS the default after
SP2 is installed.

~G

On Sun, 22 Aug 2004 09:01:54 -0400, joe <mvp () joeware net> wrote:
If that is your stance, you should probably have it for AV updates as
well.
There have been various AV updates that have been known to break 
functionality and blue screen boxes. I recall one update for one of my 
customers that had blown up a good many web servers and local site 
file and print servers (hundreds of servers) and this is with an AV 
Update that was approved by and placed on the distribution server by
central security.

Anyway, versus completely shutting down WU, you can configure to 
automatic download without installation.

All that being said, actively professionally maintained servers are in 
a different boat than most machines that will be running WU. In a 
large properly firewalled and protected corporate environment, I don't 
think the client support group would really depend on automatic 
updates from outside the company, they would use SUS or some other 
deployment mechanism. If using some other deployment mechanism, WU 
would be off. Either way, patches would be tested before being deployed,
it wouldn't be automatic.

That being said, once you get to x machines with x being a function of 
your resources available to do testing, the number of LOB apps you 
have running, and how bad the hole is being plugged you will run into 
occasion where you can not test everything and simply have to release. 
One would hope that this will be less frequent if you have XP SP2 
deployed and have the firewall up and running without turning it into 
swiss cheese but until we see the next worm type attack and see if XP SP2
is safer we can't for sure say anything.
If the biggest issues end up requiring some sort of people 
interaction, then that is quite a win in and of itself.

  joe




-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Über 
GuidoZ
Sent: Saturday, August 21, 2004 7:56 PM
To: FD
Subject: Re: [Full-disclosure] Windows Update

Umm, hold on a sec here...

(snip from "James Tucker"):
There really should be no reason why you would want to disable the 
Automatic Updates service anyway, unless you are rolling out updates 
using a centralised distribution system, in which case you would not 
need it anyway.

I believe you are missing one fundamental point: SPs and updates are 
notorious for breaking something else. (Especially from Microsoft.) 
Granted, if fixing a security weakness breaks something you're using, 
then that aspect could have been written better. However, that still 
doesn't fix it when an entire business network goes down and YOU are 
the one responsible. I do not allow ANY automatic updates (except for 
virus definitions) to run on ANY networks I am in charge of. I take 
the time (like every good sysadmin should) to look over each update 
before applying it so I know three things:

1. What it's fixing/patching
2. Why it's fixing/patching it
3. What will be the end result of the fix/patch

If you would simply allow updates and SPs to have free rein over your
system(s) without taking any time to look over those updates, you're 
going to be one busy and irritated sysadmin. That is, if you still 
have a job after a little bit.

~G

P.S. Don't take my word for it. Look here:
 - http://www.infoworld.com/article/04/08/12/HNdisablesp2_1.html
 - http://www.pcworld.idg.com.au/index.php/id;1183008015;fp;2;fpid;1
 - http://www.integratedmar.com/ecl-usa/story.cfm?item=18619
 - http://www.vnunet.com/news/1157279
 - Or, find the other 200+ articles by searching Google News
    for "disable automatic update sp2"  =)

On Sat, 21 Aug 2004 18:51:40 -0300, James Tucker <jftucker () gmail com>
wrote:
Here I found that I can have BITS and Automatic Updates in "manual", 
Windows Update works fine here. It may be a good idea to refresh the 
MMC console page, as you will probably find that at time the service 
had shut down if and when BITS was stopped prematurely (i.e. when it 
was in use).

There really should be no reason why you would want to disable the 
Automatic Updates service anyway, unless you are rolling out updates 
using a centralised distribution system, in which case you would not 
need it anyway.

If you are worried about system resources, you should look into how 
much the service really uses; the effect is negligible, in fact 
there is more impact if you select (scroll over) a large number of 
application shortcuts (due to the caching system) than if you leave 
Automatic Updates on. If you are worried about your privacy and you 
don't believe that the data sent back and forth has not been checked 
before, then you surely don't want to run Windows Updates ever. If 
you want to cull some real system resources and have not already 
done so, turn the Help and Support service to manual; that will save 
~30MB on boot, up until the first use of XP help. This will stop 
help links from programs from forwarding to the correct page, until 
the service has loaded once.

As for worry over using bandwidth on your internet service, again, 
you want to check this out as it's a trickle service, not a flood. 
BITS does not stand for Bloody Idiots Trashing Service; it means 
what it says on the tin.

On Fri, 20 Aug 2004 14:30:22 -0700, David Vincent
<support () sleepdeprived ca> wrote:
joe wrote:

Yep, this is how it works now.

You control whether Windows Update is updating or not via the 
security panel in the control panel applets (wscui.cpl).


To be complete, I should have mentioned I have Automatic Updates 
turned off in the control panel.  I also had the service disabled 
before applying SP2 and venturing to Windows Update v5.

Of course if you aren't using automatic update you could always 
disable the service and just reenable when you go to do the 
update, or don't use windows update at all and just pull the 
downloads separately. We are talking about a single command line 
to reenable that service


Yep.

Is it a pain? Yes, for those who like to run minimal services. Is 
it a security issue or life threatening, probably not.


Agreed.

-d



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




--
Peace. ~G





--
Peace. ~G

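Editor's added example, not part of the thread: the middle-ground settings the posters describe (joe's "automatic download without installation" and "use SUS or some other deployment mechanism", James's BITS and Automatic Updates left at "manual", and David's "single command line to reenable that service") expressed as a script against the documented WindowsUpdate\AU policy values. Assumptions: an elevated Windows PowerShell 5.1 or later session (the `StartType` property on `Get-Service` needs 5.x), and the WSUS/SUS hostname is a placeholder.

```powershell
# Added example (editor's, not code from the thread). Sets Automatic Updates to
# "download, but let an admin decide what to install", optionally points the
# client at an internal SUS/WSUS server, keeps wuauserv/BITS at Manual rather
# than Disabled, and reads the result back. Run from an elevated prompt.

$AuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# AUOptions values (documented policy meanings):
#   2 = notify before download
#   3 = auto download, notify before install   <- the "download, don't install" setting
#   4 = auto download and scheduled install    <- the unattended behaviour the thread argues about
#   5 = allow the local admin to choose
function Set-AutoUpdateMode {
    param([ValidateSet(2, 3, 4, 5)][int]$AUOptions)
    if (-not (Test-Path $AuPolicy)) { New-Item -Path $AuPolicy -Force | Out-Null }
    Set-ItemProperty -Path $AuPolicy -Name NoAutoUpdate -Type DWord -Value 0
    Set-ItemProperty -Path $AuPolicy -Name AUOptions    -Type DWord -Value $AUOptions
}

# Point clients at an internal update server so only patches an admin has
# approved are ever offered. The hostname is a placeholder (assumption).
function Set-InternalUpdateServer {
    param([string]$Url = 'http://wsus.example.internal')
    if (-not (Test-Path $WuPolicy)) { New-Item -Path $WuPolicy -Force | Out-Null }
    if (-not (Test-Path $AuPolicy)) { New-Item -Path $AuPolicy -Force | Out-Null }
    Set-ItemProperty -Path $WuPolicy -Name WUServer       -Type String -Value $Url
    Set-ItemProperty -Path $WuPolicy -Name WUStatusServer -Type String -Value $Url
    Set-ItemProperty -Path $AuPolicy -Name UseWUServer    -Type DWord  -Value 1
}

# Manual, not Disabled: the update agent can start the services on demand when
# you run a scan, so there is no "re-enable the service first" step. The cmd.exe
# one-liner equivalent for either service is:  sc config wuauserv start= demand
function Set-UpdateServicesManual {
    foreach ($svc in 'wuauserv', 'BITS') {
        Set-Service -Name $svc -StartupType Manual
    }
}

# Read back what the box will actually do, so the change can be verified.
function Get-AutoUpdateState {
    $au = Get-ItemProperty -Path $AuPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AUOptions    = $au.AUOptions
        NoAutoUpdate = $au.NoAutoUpdate
        UseWUServer  = $au.UseWUServer
        WUServer     = (Get-ItemProperty -Path $WuPolicy -ErrorAction SilentlyContinue).WUServer
        wuauserv     = (Get-Service -Name wuauserv).StartType
        BITS         = (Get-Service -Name BITS).StartType
    }
}

Set-AutoUpdateMode -AUOptions 3
Set-UpdateServicesManual
# Uncomment on a network with an approved-patch server:
# Set-InternalUpdateServer -Url 'http://wsus.example.internal'
Get-AutoUpdateState | Format-List
```

Values written under the Policies hive take precedence over the wscui.cpl / Automatic Updates control panel setting, so a later click in the applet will not silently put the machine back on AUOptions 4; remove the AU key (or set it through Group Policy) if you want the applet to be authoritative again.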