Flutterby™! : Russ Cooper on Windows Update 2003-05-15 16:24:34.889998+00

Russ Cooper on Windows Update

2003-05-15 16:24:34.889998+00 by Dan Lyke 1 comments

Russ Cooper, NTBugtraq editor, on the flaws of Windows Update. Required reading. Meanwhile, here in the development world Phil has finally actually had to work with real code, rather than just writing image processing loops that the rest of us have to integrate, and his enthusiasm for the Windows development environment has diminished to the "think I'm going to be using Linux for my home explorations". Ken yesterday described his experiences with Windows Server 2003 as "I guess they can't put the admins out of a job". In the face of all this, it's good to know that Microsoft is hard at work on translucent menus. Time to get Charlene's desktop machine switched to Linux, we need to be making the tweaks necessary to roll the better system out into the world.

Well, looks like Windows Update has once again shown how untrustworthy Microsoft can be. For at least the past several days Windows Update has been providing consumers with false information. WU users would connect, initiate the scan, the scan would complete and inform the user their system needed no patches. Wonderful, a clean bill of health, or so the consumer thought.

In reality, some flaw in the Windows Update process has led it to conclude that a system, in need of critical security patches, is instead clean and good to go on the Internet. In other words, if the security check fails, tell consumers they're just fine and don't need anything.

It's good that we don't need elaborate checklists and voodoo mojo security tools to check our systems; we only have to make a quick visit to Windows Update to be sure. Finally, with the introduction of Automatic Updates, we no longer even need to make that visit manually, we can trust that Microsoft will supply us with a properly tested security patch within 24 hours and patch our systems for us (unless we're running Windows XP and got MS03-013 when it was released to WU.)

A year ago I complained about Windows Update, with its registry only checking and myriad other problems. At the time Microsoft was distributing Shavlik's HFNetchk, and so at least with tools from Microsoft we could see the error of Windows Update's ways. That cry of disgust caused Microsoft to yank HFNetchk, because they hadn't licensed it and didn't have a formal agreement for its promotion. "Consumers be damned, make darn sure they're not getting conflicting information from us" seemed to be the rallying cry at Microsoft.

I questioned the Trustworthy Computing Initiative's value then because of that debacle. When asked by the media at the new year how I felt the Trustworthy Computing Initiative had progressed, I gave it an "F", or failing grade. Some wondered why, and pointed to things which the public hadn't seen as justification for TCI's benefits. Seems too many never bothered to read Bill Gates' memo. They failed to grasp the fact that TCI was in response to a public perception that Microsoft was not sufficiently trustworthy.

Has Microsoft done anything to change that perception? No, absolutely not I say! (emphatically)

Let me put it this way. Since the inception of Windows Update millions of computers have been infected with Trojan's that are today allowing individuals to conduct en-masse DDoS attacks. Read that how you want, but its a fact. Here's another. Since the inception of Windows Update Microsoft has gone to producing patches almost every week. Few if any business' have found Microsoft trustworthy enough to permit automatic updates. So since the inception of Windows Update Microsoft has increased the number of times an Administrator needs to patch every Windows system in his/her company. Since Windows Update Microsoft has made it increasingly difficult for an Administrator to avoid Windows Update. Despite the fact that at no time has Windows Update ever proven itself trustworthy, Microsoft continue to force you to use this unreliable mechanism more.

If anyone is wondering why Windows Update is a dog, again, consider the posts this week to NTBugtraq. You wouldn't believe the number of individual experiences I received regarding problems with Windows Update. No doubt Microsoft receives far more than I do. I can't believe that huge corporations are having the problems they are, nor can I believe they haven't received a reasonable answer from Microsoft as to why the problems exist. The fact that so many possible solutions were seen to correct problems with Windows Update also suggests the environment is far less stable than it even appears to me.

And with that list can anyone say Windows Update is reliable, or to use their words, trustworthy computing?

But hey, what's Windows Update after-all. Its just a consumer platform for trying to fix a problem which really isn't Microsoft's after all (read the Breakseal.) Corporate users aren't using Windows Update, they're running Software Update Services...if they have a Windows 2000 system that is, and if they have one for every group they're trying to update, and if have a test environment to check every fix, and if they don't mind handling a very long list of patches they've chosen not to deploy...etc...

If anyone was serious about beginning to tackle the trustworthiness of Microsoft, they'd have done something a year ago when I first called Windows Update a dog. See for yourself, have a look at my previous musings and then tell me what's been fixed or improved. If, like me, you see nothing...then the Trustworthy Computing Initiative once again gets an "F";

The following URLs are wrapped to 2 lines, you'll have to piece them together for them to work;

Everyone is free to reprint, quote, or forward any or all of this message anywhere they'd like, preferably to places where people with more influence with Microsoft than I will see it.

p.s. Here's a thought, how about getting Windows Update to remove Trojans??...;-]