Bugtraq mailing list archives

RE: Windows Update: A single point of failure for the world's economy?
From: "Russ" <Russ.Cooper () rc on ca>
Date: Tue, 19 Aug 2003 14:01:50 -0400

Let me state up front that I am in complete agreement with Microsoft's move should they decide to set Automatic Updates 
to enabled on any and all OS' they sell, have sold, will ever sell. In case you're not aware, I like to think I am one 
of the most vocal critics of Windows Update.

Firstly, to address the issue of it becoming "a single point of failure for the world's economy."

Certainly, what you suggest is plausible, but, should Microsoft take such a step it would behoove them to ensure that 
just such a thing never occurs. As it is, Windows Update is not as protected as it should be. The service is not as 
robust as consumers need it to be, and not secure enough to protect itself from malware. If Microsoft were to take on 
the responsibility to ensure their Automatic Updates actually updated systems when the patches were released, Microsoft 
would have to take the necessary actions to rectify its current flaws, and rebuild it to be robust enough to support 
its claims.

No small task, but a needed one.

Also, to think that the "world's economy" is based on Windows Update is to live in a world of home users. Many 
corporations do not base anything on Windows Update. They use 3rd party products or even Microsoft products which do 
not rely upon Windows Update for their service. Many abound. Still more use scripts specifically designed to meet their 
own needs, which rely upon patches downloaded directly from download.microsoft.com. They use their own methods to 
verify them, be it file hashes, registry settings, or log files created by the scripts.

It is possible that a patch could be distributed to all home users running modified Windows OS' (since they don't 
default to having AU running now) that, like a past patch, causes a system to slow down. I know of no patch which 
caused all systems to shut down, or refuse to reboot. The myriad hardware configurations and drivers that a Windows OS 
might be running on certainly make conflicting VxD's possible...but then if Microsoft take this step it will become 
their job to figure this stuff out...something nobody else has bothered to do so far.

In the lifetime of ActiveX and Authenticode, Microsoft has only ever released to the general public two mis-signed 
controls. This means it's certainly possible for them to screw up and have Automatic Updates distribute a patch they 
shouldn't, or didn't want out. But then what automatic updating service hasn't?

The question is whether or not the scope of such a mistake causes systems to crash and not recover. Whether or not 
Microsoft will build in the functionality into AU to be able to update a patch that's already been deployed. Whether 
they can recover from the killbit being set on the AU control, or a major modification to the OS that could prevent AU 
from functioning after the mistake.

These questions are all part of the risk equation, and while Microsoft's past track record at determining risk has been 
abysmal, we can hope that they seek sufficient advice outside of their realm of expertise to ensure it works properly.

No matter, having Microsoft commit to updating systems within a couple of days of patch availability will, if used, 
definitely reduce the number of vulnerable systems, and therefore, the scope of Internet attacks. If they succeed, we 
all win. If they fail, it will be the most significant failure of their history, and likely lead to government controls.

Clearly breakseal EULAs on patches automatically updated cannot be enforced, so security fixes for existing components 
will have to become more prevalent. This too would be a good thing.

So in the end while some users will likely experience faults after automatic installation, faults which will likely be 
due to 3rd party drivers being out of date even for those 3rd parties, we will also have a much smaller pool of systems 
available to malware. Anyone who thinks this is a bad thing is not, IMO, thinking sensibly about the future.

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----Original Message-----
From: Richard M. Smith [mailto:rms () computerbytesman com] 
Sent: Tuesday, August 19, 2003 12:48 PM
Subject: Windows Update: A single point of failure for the world's economy?


The Washington Post has an article in today's paper saying that
Microsoft is mulling over making the Auto-Update feature of Windows XP
be turned on by default.  The article can be found here:

   Microsoft Weighs Automatic Security Updates as a Default 

This move by Microsoft sounds pretty scary to me.  I am willing to bet
that if Microsoft proceeds with these plans, the Windows Update Web site
could easily distribute and install new software on hundreds of millions
of Windows computers in a day or two.  

The risk here is that the system could be exploited by a disgruntled
Microsoft employee and become the ultimate malware distribution system.
It seems to me that Microsoft is in the process of creating a single
point of failure for the world's economy.

I am wondering what sort of security and accounting systems
Microsoft has in place to prevent an insider attack on the Windows
Update Web site?

As one data point, yesterday I updated my wife's Windows Me laptop at
the Windows Update site to repair the DCOM security hole.  One of the 20
patch files I downloaded was something for DirectX.  This patch file
caused the laptop to blue screen of death in some VxD near the end of
the Windows boot process.  Luckily for me, the system seemed to repair
itself after the 4th reboot.  I really didn't relish the idea of
explaining to my wife how I broke her laptop.

Richard M. Smith
