funsec mailing list archives

Previous By Date Next
Previous By Thread Next

How dangerous can Windows Update be?

From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 17 Oct 2005 19:26:52 -0400

Windows patch backfires on the security-minded
http://news.com.com/Windows+patch+backfires+on+the+security-minded/2100-1002
_3-5897997.html?tag=nefd.top

Security-conscious Windows users who tweaked the operating system to protect
their PCs better are getting hit hardest by a flawed Microsoft patch,
experts said Monday. 

Microsoft has acknowledged that a patch released last week can cause trouble
for some users. It could lock them out of their PC, prevent the Windows
Firewall from starting, block certain applications from running or
installing, and empty the network connections folder, among other things,
the software maker said in an advisory on Friday. 


-----Original Message-----
From: Richard M. Smith [mailto:rms () computerbytesman com] 
Sent: Tuesday, August 19, 2003 12:30 PM
To: 
Subject: Windows Update: A single point of failure for the world's economy?

Hi,

The Washington Post has an article in today's paper saying that Microsoft is
mulling over making the Auto-Update feature of Windows XP be turned on by
default.  The article can be found here:

   Microsoft Weighs Automatic Security Updates as a Default 
   http://www.washingtonpost.com/ac2/wp-dyn/A11579-2003Aug18

This move by Microsoft sounds pretty scary to me.  I am willing to bet that
if Microsoft proceeds with these plans, the Windows Update Web site could
easily distribute and install new software on hundreds of millions of
Windows computers in a day or two.  

The risk here is that the system could be exploited by a disgruntled
Microsoft employee and become the ultimate malware distribution system.

It seems to me that the Microsoft is in the process of creating a single
point of failure for the world's economy.

I am wondering what sort of security and accounting systems that Microsoft
has in place to prevent an insider attack on the Windows Update Web site?

As one data point, yesterday I updated my wife's Windows Me laptop at the
Windows Update site to repair the DCOM security hole.  One of the 20 patch
files I downloaded was something for DirectX.  This patch file caused the
laptop to blue screen of death in some VxD near the end of the Windows boot
process.  Luckily for me, the system seem to repair itself after the 4th
reboot.  I really didn't relish the idea of explaining to my wife how I
broke her laptop.

Richard M. Smith
http://www.ComputerBytesMan.com
 
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Previous By Date Next
Previous By Thread Next

Current thread: