Full Disclosure mailing list archives
RE: Windows Update: A single point of failure for the world's economy?
From: "Serge van Ginderachter (svgn)" <svgn () orbid be>
Date: Tue, 19 Aug 2003 20:20:08 +0200
This makes me wonder about the differences / similarities to the debian apt repositories in general and security.debian.org in particular. ("Debian" is more like an example here, I guess there are a lot of similar other examples.)

Does Windows update feel dangerous because it's
- Microsoft and that's very big and widely deployed?
- commercial

Do Debian repositories feel safe because they're
- Open Source, GPL'ed or free as in beer and speech?
- non commercial

Is this basically really all there is to it or would there be other perspectives?

Some thoughts:
- Debian repositories have a lot of mirrors. security.debian.org does not AFAIK
- I do trust the Debian patch system far more. I automate it on my servers, which I'd never dare on Windows servers. Not sure if I can give valid arguments on this.
- remember that a big part of those differences might be more related to the underlying technology on OS-level (unix parts vs. windows integration) than to other reasons?
- ...

Serge van Ginderachter

-----Original Message-----
From: Richard M. Smith [mailto:rms () computerbytesman com]
Sent: Tuesday, 19 August 2003 18:47
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Windows Update: A single point of failure for the world's economy?

Hi,

The Washington Post has an article in today's paper saying that Microsoft is mulling over making the Auto-Update feature of Windows XP be turned on by default. The article can be found here:

Microsoft Weighs Automatic Security Updates as a Default
http://www.washingtonpost.com/ac2/wp-dyn/A11579-2003Aug18

This move by Microsoft sounds pretty scary to me. I am willing to bet that if Microsoft proceeds with these plans, the Windows Update Web site could easily distribute and install new software on hundreds of millions of Windows computers in a day or two. The risk here is that the system could be exploited by a disgruntled Microsoft employee and become the ultimate malware distribution system.

It seems to me that Microsoft is in the process of creating a single point of failure for the world's economy. I am wondering what sort of security and accounting systems Microsoft has in place to prevent an insider attack on the Windows Update Web site?

As one data point, yesterday I updated my wife's Windows Me laptop at the Windows Update site to repair the DCOM security hole. One of the 20 patch files I downloaded was something for DirectX. This patch file caused the laptop to blue screen of death in some VxD near the end of the Windows boot process. Luckily for me, the system seemed to repair itself after the 4th reboot. I really didn't relish the idea of explaining to my wife how I broke her laptop.

Richard M. Smith
http://www.ComputerBytesMan.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html