Full Disclosure mailing list archives
Re: Windows Update
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Tue, 24 Aug 2004 12:55:53 -0400
joe wrote:
I would actually go so far as to say that if this is true, it's actually (most-likely) more secure than relying solely on the activex control. If the on-system client can be securely queried for the list of updates that the system needs, this does two things in my estimation: it keeps the code to do so out of browser-related control and it keeps any unneeded info from being sent back to MS. (which is good for MS because it reduces their resource load.)

The client is required. I have sent a complaint to MS though concerning the idea that the service set to manual but started doesn't allow the updates to occur. That, I agree, is a bad design choice.

If the service is set to automatic but not started, it will get started as soon as you try to actually search for updates. Having it set to auto and not started just gets you past the initial check. I actually replaced the service with a quick "do-nothing" service I wrote and the web page gets past the initial check but then hangs in the search for updates section. I have no doubt that the client is actually used and needed.

Once again, I agree requiring the service set to automatic is poor. Again however, this isn't life threatening or insecure, just a pain. Simply use something to quickly change the start config for the service before going to the windows update site and change it back afterward. No big hoo hoo.

joe
If they had based their detection engine on proper tests of client activity, I think this would have removed the confusion here.
-Barry

p.s. Probably the best design is that it should start the client temporarily when set to manual and then have it fall on its sword when the update is done.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html