RE: Windows Update: A single point of failure for the world's economy?
From: "Russ" <Russ.Cooper () rc on ca>
Date: Tue, 19 Aug 2003 14:01:50 -0400
Let me state up front that I am in complete agreement with Microsoft's move should they decide to set Automatic Updates
to enabled on any and all OSes they sell, have sold, will ever sell. In case you're not aware, I like to think I am one
of the most vocal critics of Windows Update.
Firstly, to address the issue of it becoming "a single point of failure for the world's economy."
Certainly, what you suggest is plausible, but, should Microsoft take such a step it would behoove them to ensure that
just such a thing never occurs. As it is, Windows Update is not as protected as it should be. The service is not as
robust as consumers need it to be, and not secure enough to protect itself from malware. If Microsoft were to take on
the responsibility to ensure their Automatic Updates actually updated systems when the patches were released, Microsoft
would have to take the necessary actions to rectify its current flaws, and rebuild it to be robust enough to support
No small task, but a needed one.
Also, to think that the "world's economy" is based on Windows Update is to live in a world of home users. Many
corporations do not base anything on Windows Update. They use 3rd party products or even Microsoft products which do
not rely upon Windows Update for their service. Many abound. Still more use scripts specifically designed to meet their
own needs, which rely upon patches downloaded directly from download.microsoft.com. They use their own methods to
verify them, be it file hashes, registry settings, or log files created by the scripts.
It is possible that a patch could be distributed to all home users running modified Windows OSes (since they don't
default to having AU running now) that, like a past patch, causes systems to slow down. I know of no patch which
caused all systems to shutdown, or refuse to reboot. The myriad hardware configurations and drivers that a Windows OS
might be running on certainly make conflicting VxD's possible...but then if Microsoft take this step it will become
their job to figure this stuff out...something nobody else has bothered to do so far.
In the lifetime of ActiveX and Authenticode, Microsoft has only ever released to the general public two mis-signed
controls. This means it's certainly possible for them to screw up and have Automatic Updates distribute a patch they
shouldn't, or didn't want out. But then what automatic updating service hasn't?
The question is whether or not the scope of such a mistake causes systems to crash and not recover. Whether or not
Microsoft will build the functionality into AU to be able to update a patch that's already been deployed. Whether
they can recover from the killbit being set on the AU control, or a major modification to the OS that could prevent AU
from functioning after the mistake.
These questions are all part of the risk equation, and while Microsoft's past track record at determining risk has been
abysmal, we can hope that they seek sufficient advice outside of their realm of expertise to ensure it works properly.
No matter, having Microsoft commit to updating systems within a couple of days of patch availability will, if used,
definitely reduce the number of vulnerable systems, and therefore, the scope of Internet attacks. If they succeed, we
all win. If they fail, it will be the most significant failure of their history, and likely lead to government controls.
Clearly breakseal EULAs on patches automatically updated cannot be enforced, so security fixes for existing components
will have to become more prevalent. This too would be a good thing.
So in the end while some users will likely experience faults after automatic installation, faults which will likely be
due to 3rd party drivers being out of date even for those 3rd parties, we will also have a much smaller pool of systems
available to malware. Anyone who thinks this is a bad thing is not, IMO, thinking sensibly about the future.
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
From: Richard M. Smith [mailto:rms () computerbytesman com]
Sent: Tuesday, August 19, 2003 12:48 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Windows Update: A single point of failure for the world's economy?
The Washington Post has an article in today's paper saying that
Microsoft is mulling over making the Auto-Update feature of Windows XP
be turned on by default. The article can be found here:
Microsoft Weighs Automatic Security Updates as a Default
This move by Microsoft sounds pretty scary to me. I am willing to bet
that if Microsoft proceeds with these plans, the Windows Update Web site
could easily distribute and install new software on hundreds of millions
of Windows computers in a day or two.
The risk here is that the system could be exploited by a disgruntled
Microsoft employee and become the ultimate malware distribution system.
It seems to me that Microsoft is in the process of creating a single
point of failure for the world's economy.
I am wondering what sort of security and accounting systems that
Microsoft has in place to prevent an insider attack on the Windows
Update Web site?
As one data point, yesterday I updated my wife's Windows Me laptop at
the Windows Update site to repair the DCOM security hole. One of the 20
patch files I downloaded was something for DirectX. This patch file
caused the laptop to show the blue screen of death in some VxD near the end of
the Windows boot process. Luckily for me, the system seemed to repair
itself after the 4th reboot. I really didn't relish the idea of
explaining to my wife how I broke her laptop.
Richard M. Smith