Bugtraq mailing list archives

Microsoft Critical Updater Security


From: netmask () 303 ORG (Erik Parker)
Date: Sat, 23 Jan 1999 05:34:06 -0600


Microsoft's Critical Updater is a nightmare in itself anyway, because it
downloads and installs programs for you, but in the past has ALWAYS let
you choose what you wanted to update and such. Well, it announced today,
there is a "Critical Update", it was for a Y2K issue. (That is NOT critical
yet).

Well, The popup says "Hey, critical update available, shall we go check
it out?". Iexplorer opens up (note, you can't use netscape for updating).

It took longer to load than usual, because it downloaded and installed..
Something, and then asked me to reboot BEFORE it even finished loading
their site. It asks you "Should we search your machine to see what you
have?" (It did this after it updated). It showed me a list of critical
updates that I don't have (just the y2k thing). So.. What did it install?
Why didn't it ask? When I rebooted it told me it was updating system
settings and such. So it did something.

It does not list anything in the installation history, going to
"installation history" on their update site. It shows my last update was
over a week ago.

The exact update it was telling me was critical is:

Microsoft virtual machine
4443 KB/37 min
Experience animations and other advanced Web page features by using the
fastest and most reliable way to run Java applications on your computer.
This update corrects a minor issue associated with generating dates on
your computer on or after January 1, 2000.  Read this first

(Which I might add, I am sick of upgrading this stupid virtual machine)

Either way, think of the possibilities of that. If I go and hack microsoft
(god knows NT isn't the most secure environment (bhwahah)). And figure out
how they announce there are new updates, and put a bunk update in there,
and there is obviously an option that says "Make em do it, we are
microsoft, and we are gods, we shall FORCE this update". Then hey, maybe I
can BO every machine in the world running Windows 98.



While I am at it, if anyone uses a program called HyperSnapDX, it sends
information back to their server without your authorization, or warning
you. I have tcp logs if anyone is interested.


