Full Disclosure mailing list archives

Re: MS-02-052


From: nick () virus-l demon co uk (Nick FitzGerald)
Date: Fri, 20 Sep 2002 08:31:05 +1200

> Does anybody else find it disturbing that today's JVM patch can only
> be installed through Windows Update, ...

Yes.

And, as a more general point, it is most frustrating for those who 
have to admin (or oversee the admin of) Losedows boxes but who have 
the option themselves of either not running the MS bug-fest known as 
Internet Explorer and/or don't run Losedows themselves that MS takes 
this and similar Losedows-centric approaches to patch availability.

It seems that part of "Trustworthy Computing" is that what makes 
sense and is useful to those who actually try to practice it in 
their day to day endeavours is not taken into account.  MS should 
make full "network install" kits for all downloadable upgrades, 
service packs, etc and should make them readily available from an 
easily accessible location and make them obtainable with any 
minimally functional "browser" (even wget).  Failure to do this (or, 
at least to make the locations of such things damned hard to find 
when they are available) shows just how much MS really cares for your 
security -- it seems MS cares enough about it that MS would rather 
save some of its plentitude of dimes by reducing their bandwidth 
charges...

> ... and the Windows Update site now
> attempts to install an unsigned control
> (http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.cab)
> after informing the user to "click Yes on any Security Warnings that
> pop up"?

8-)

What can we say?

You _are_ talking about Microsoft...


Regards,

Nick FitzGerald

