Microsoft distributes free CDs in Japan to patch Windows

As some of you know, the standard Microsoft OS distribution sold
in stores on CD is a year or so old, and doesn't include any recent
patches. You needed to download recent patches from Microsoft's
web site. Unfortunately, with the latest round of worms, Windows
doesn't survive on the net long enough to download patches.

In Japan, Microsoft will be distributing "free" CDs with patches
through its distribution channels, electrical appliance and personal
computer shops. The anti-virus vendors are apparently packaging their
wares along with the Microsoft patches. Symantec and Trend will be the
first.

Symantec is distributing 15,000 CDs on Wednesday, and Trend Micro is
distributing 10,000 CDs on Thursday.

http://www.japantimes.co.jp/cgi-bin/getarticle.pl5?nn20030823b2.htm

No word if Microsoft will be distributing any patch CDs in the USA.
However, many universities have created their own CDs for students
moving into dorms. It is the start of the school year in North
America, and high speed network connections and new unpatched Microsoft
Windows on computers are a bad combination.

Sean Donelan wrote:

As some of you know, the standard Microsoft OS distribution sold
in stores on CD is a year or so old, and doesn't include any recent
patches. You needed to download recent patches from Microsoft's
web site. Unfortunately, with the latest round of worms, Windows
doesn't survive on the net long enough to download patches.

Which is why Microsoft should issue a software equivalent of a recall. Systems shouldn't be sold vulnerable without at least a patch CD.

-Jack

The problem is that you need to look at the sum of (lead time) + (time patch CD
spent on shelf). Given a lead time of 4-6 weeks, and sitting on the shelf for
2-3 weeks... and suddenly you're looking at a 2 month old patch CD.

Now take a look at the last few year's Microsoft advisories, and ask yourself:
What percent of the time was the *last* remote-exploitable major hole more than
2 months old?

And getting the lead time down to 4-6 weeks would be a challenge - remember you
have to *ship* the re-mastered patch CD to every retailer and get it on the
shelves. That's going to hit your bottom line. And keep in mind that
Microsoft doesn't have to answer to its customers, it has to answer to its
shareholders. As long as security problems don't affect its bottom line, we're
not going to see any change at all.

In article <3F4A10AF.7080903@brightok.net>, Jack Bates
<jbates@brightok.net> writes

Which is why Microsoft should issue a software equivalent of a recall. Systems
shouldn't be sold vulnerable without at least a patch CD.

Perhaps Windows could be delivered complete with a package whose
function was to firewall off everything except the update site (or maybe
employ some kind of VPN), and deny a more general Internet connection,
until sufficient updates had been downloaded?

The next step would be to find a secure way for Microsoft to turn that
firewall back on again remotely, if a sufficiently serious update was
required. (This could cause havoc if misused, so some care would be needed!)

Meanwhile, in the UK it's commonplace to buy monthly computer titles
with a CD (of useful shareware and demos) mounted on the cover. If these
don't already include the most recent Microsoft patches, perhaps they
should.

Hmm,
  and how would you protect the remote controlled MS firewall software
from:

1. Vulnerabilities in it, since MS is building it?
2. the "remote control" being hijacked by someone besides MS?
  2a. Hey I'd love to be able to shut folks that were killing my network
off until they update, but is it my right?

Thanks,
Pablo

Paul A. Bradford wrote:

2. the "remote control" being hijacked by someone besides MS?
  2a. Hey I'd love to be able to shut folks that were killing my network
off until they update, but is it my right?

Automatic cutoff until update check every 7 days?

-Jack

In article <1061823669.17113.3.camel@aiden.noc.adelphia.net>, Paul A.
Bradford <paul.bradford@adelphia.com> writes

Hmm,
and how would you protect the remote controlled MS firewall software
from:

1. Vulnerabilities in it, since MS is building it?
2. the "remote control" being hijacked by someone besides MS?
2a. Hey I'd love to be able to shut folks that were killing my network
off until they update, but is it my right?

It's not that different from (my perception of) the current technology
used for XP Activation. Presumably an unactivated XP is prevented from
accessing the Internet (as well as being prevented from doing all the
other normal user things), but is still capable of accessing the
activation server. And is the mechanism of a hypothetical remote de-
activation very far from what I was suggesting (maybe as a sort of "ask
the activation server for permission" at regular intervals)?

Are there any "XP activation" exploits yet?

In article <3F4A2914.6000103@brightok.net>, Jack Bates
<jbates@brightok.net> writes

Automatic cutoff until update check every 7 days?

That's the sort of thing, although I'd make different rules for
different types of connection. From broadband users who can do it daily,
to those connected by mobile phone (who are of no practical use to these
virus/worm writers anyway) whenever they next get at least 28.8K.

Are there any "XP activation" exploits yet?

Who knows, I'm losing track of all the different exploits, worms, viruses etc.
floating around at the moment. What's up, did all the script kiddies find
themselves with too much time on their hands over summer breaks?

My perception of the past couple of weeks is that they are the busiest that I've
ever seen for abuse activity (including filtering our own traffic and getting
customers to fix their broken machines). And yet I'm seeing nothing in the way
of media interest etc. When Melissa came out a couple of years ago it was on the
news for a week. Did they get bored of covering "yet another computer virus"?

Steve

In article <Pine.LNX.4.44.0308251657520.26400-100000@MrServer>, Stephen
J. Wilcox <steve@telecomplete.co.uk> writes

My perception of the past couple of weeks is that they are the busiest that I've
ever seen for abuse activity (including filtering our own traffic and getting
customers to fix their broken machines). And yet I'm seeing nothing in the way
of media interest etc. When Melissa came out a couple of years ago it was on the
news for a week. Did they get bored of covering "yet another computer virus"?

That's because things only (normally) get in the news if there's someone
trying very hard to get it in the news. They will often have their own
agenda. At the same time there are people paid large sums to make sure
certain things *don't* get in the news. And then you have to factor in
how hungry the media are for something extra to stop the adverts from
bumping into one another [1]. Therefore reality, and "what's in the
news", are rarely the same.

[1] A couple of weeks ago, the only, and I mean *only* story, reported
by many USA news stations was the blackouts. Nothing else got a look-in.

You can access the Internet with an unactivated copy of XP for 30 days
before it shuts off on you. You can do normal user things with an
unactivated copy for 30 days before it shuts off on you. MS doesn't do
remote deactivation, just timed deactivation.

Theoretically it could be possible, but with all the filter-happy
people around today who are spooked by packets from Windows machines
they don't understand, they might end up filtering off something like
oh say...Windows Update, causing unreachability and tons of support
calls to Microsoft.

Believe me, no matter how much you charge, no one likes support calls,
not even Microsoft at whatever obscene rate it is per pop. Why do you
think XP now comes with 'Remote Assistance' so a friend can help you
instead of having to call Microsoft? Also, perhaps Microsoft put that
high per-call rate into play to SLOW DOWN the amount of calls they
were getting, not because "Bill Gates is greedy". Hey, NetZero did it
too.

Let me stop before I get completely off-topic.

Another rant, another day.

Also, perhaps Microsoft put that
high per-call rate into play to SLOW DOWN the amount of calls they
were getting, not because "Bill Gates is greedy".

Microsoft isn't charging for support calls regarding the worm & patching problems. It's free to anybody who calls.

- Robbie

>Also, perhaps Microsoft put that
>high per-call rate into play to SLOW DOWN the amount of calls they
>were getting, not because "Bill Gates is greedy".

This was a theory, not an interpretation.

Microsoft isn't charging for support calls regarding the worm & patching
problems. It's free to anybody who calls.

I was not talking about the worm, this was in regards to an automatic
deactivation/activation system based on patches applied, that can and
will break due to improper filtering resulting in a higher call rate
to Microsoft.

Microsoft has a task scheduler that people should learn to use to remind
them to check for updates and make sure their patches are current. It is
located in the Control Panel, labeled Scheduled Tasks, and has an
Add Scheduled Task icon to add an update check, FYI.

-Henry

Henry Linneweh wrote:

Microsoft has a task scheduler that people should learn to use to remind
them to check for updates and make sure their patches are current. It is
located in the Control Panel, labeled Scheduled Tasks, and has an
Add Scheduled Task icon to add an update check, FYI.

And that helps a fresh store bought computer how? It'll be infected before it can even download the first initial patches.

-Jack

"It's Tuesday, time to download patches. Please connect to the Internet to
download any critical patches. Estimated download Time: 25 minutes.
Estimated Probe frequency: 5 minutes"

A good idea, but needs work. :slight_smile:

Purchase of a $60 NAT/router and insertion of that between computer and cable modem deters this type of attack, and allows the user the chance to download patches. So does enabling the firewall feature Microsoft put into XP, but didn't enable (and have now decided to enable).
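The "firewall off everything except the update site" idea raised earlier in the thread and the NAT/router suggestion above amount to the same thing when the router is a small Linux box: a quarantine ruleset that lets the fresh PC reach only the update servers, then a normal NAT ruleset once it is patched. The script below is an added example written for this page, not something posted by any participant. The interface names (eth0/eth1), the update host names and the port choices are assumptions; the default is a dry run that prints the iptables commands instead of applying them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): "quarantine until patched" NAT policy
# for a Linux box sitting between an unpatched Windows PC and a cable modem.
# Inbound worm probes (135/139/445 etc.) never reach the PC because FORWARD
# defaults to DROP; outbound is limited to DNS plus HTTP/HTTPS to an
# allowlist of update hosts. All names below are assumptions for the example.

LAN_IF="${LAN_IF:-eth1}"   # assumed: interface facing the PC
WAN_IF="${WAN_IF:-eth0}"   # assumed: interface facing the modem
UPDATE_HOSTS="${UPDATE_HOSTS:-windowsupdate.microsoft.com download.windowsupdate.com}"
DRY_RUN="${DRY_RUN:-1}"    # 1 = print the rules, 0 = apply them (needs root)

# Wrapper so the same functions can be reviewed (dry run) or applied.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Common base: router itself accepts only loopback and replies, NAT enabled.
base_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -t nat -F
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Replies to connections the PC opened may come back; nothing new inbound.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Quarantine: the PC can resolve names and talk to the update hosts only.
quarantine_rules() {
    base_rules
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    for host in $UPDATE_HOSTS; do
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -d "$host" --dport 80 -j ACCEPT
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -d "$host" --dport 443 -j ACCEPT
    done
    # Anything else the PC tries is logged: a machine that was infected before
    # it reached the router shows up here as a burst of 135/445 attempts.
    ipt -A FORWARD -i "$LAN_IF" -j LOG --log-prefix "quarantine-drop: "
}

# Release: once Windows Update reports nothing outstanding, allow any
# outbound traffic. Unsolicited inbound is still dropped by the base policy.
release_rules() {
    base_rules
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
}

case "${1:-}" in
    quarantine) quarantine_rules ;;
    release)    release_rules ;;
esac
```

Usage: `sh quarantine.sh quarantine` prints the rules; `DRY_RUN=0 sh quarantine.sh quarantine` applies them as root, and `DRY_RUN=0 sh quarantine.sh release` opens the box up after patching. One caveat a practitioner should expect: iptables resolves `-d hostname` to whatever A records exist at rule insertion time, so if the update site is served from a rotating set of addresses the allowlist goes stale and Windows Update silently fails, which is exactly the "over-filtered update traffic" failure mode complained about later in the thread. Re-run the quarantine function (or allowlist by address range) if that happens.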

As I read that, I wondered why it is that I haven't patched any of my
windows systems if it was just as simple as reminding myself to do so. It
occurred to me that I just simply don't trust Microsoft to properly patch
my systems. I keep all things Windows behind firewalls of different types
at all times. So far it has proved to be an effective solution.

I don't trust Microsoft to get the patch right, not arbitrarily delete my
data, or change my machine in some unexpected fashion that I will not
approve of. Granted, neither I nor most people on this list are the average Joe
PC user, but I can't imagine I'm alone.

There are deeper fundamental problems here. Software quality and security
has been thoroughly beat to death, but will not improve in the near
future. The trust issue that I just mentioned is another. These problems
and dependence on a single corporate closed source entity will get people
killed if they haven't already. These issues put our country at risk. I
was none too plussed to see that the monitors, as my wife delivered our first,
were all Windows based.

Windows in the financial industry
http://www.theinquirer.net/?article=11130

Windows in the NAVY
http://www.gcn.com/archives/gcn/1998/july13/cov2.htm

Windows in healthcare
http://www.microsoft.com/resources/casestudies/CaseStudy.asp?CaseStudyID=13105

It all scares the hell out of me.

andy

I've been patching for years, only had one problem applying SP4 on
Windows 2000, but I shrugged that off as some random problem because
I didn't install that machine. I reinstalled Windows 2000 and
reapplied SP4 with no problems.

*shrug*

And that's a very wise decision.

I was called in to help someone with a "slow computer" today. He's running Microsoft ME, and it's an OS that I have very little experience with. I disabled a bunch of crap in his startup folder, then I took a look at the OS itself. I ran Windows update which told us that there was a service pack with "critical updates" that we should install before doing anything else, and I foolishly decided to follow these instructions without researching first. (Oh well, live and learn!)

The machine hung at 62% installed. Trying to cancel the install via the "cancel" button resulted in the cancel message warning you that if you didn't let it complete its special cancel process and tried to restart the machine instead, you could fatally ruin the computer (I don't recall the exact message, but it was pretty emphatic that you had to let MS finish "canceling" the install). 10 minutes later, with no sign that the computer was doing anything (no disk activity) or would ever complete this cancellation, we rebooted. I had to reboot and shut down several times before it would shut down cleanly and reboot cleanly.

Later I learned that this "critical update" package was mostly for installing IE6, and that there are a lot of people who have had this same problem trying to install IE6 on ME, and that it's a well known issue at many ISPs and OEMs, but of course MS still insists that there's nothing wrong and that you should still install that update. Yeah, when the devil starts building snowmen.

jc