Slashdot Mirror


NTBUGTRAQ Bashes Windows Update

BigBadBri writes "Russ Cooper, keeper of the NTBUGTRAQ list, has a few concerns (to put it mildly) with the trustworthiness of Microsoft's Windows Update."

14 of 509 comments

  1. At least, this much is clear.. by jkrise · · Score: 5, Informative

    Bugtraq hasn't trashed Microsoft Windows - just the Microsoft Windows Update.

    "has a few concerns (to put it mildly) with the trustworthiness of Microsoft's Windows Update."

    Good.

    --
    If you keep throwing chairs, one day you'll break windows....
  2. Re:It seems ntbugtraq.com also runs on NT... by caluml · · Score: 5, Informative

    The site www.ntbugtraq.com is running Microsoft-IIS/5.0 on Windows 2000. So, close.

  3. Re:I don't trust Microsoft... by Lord+Kestrel · · Score: 4, Informative

    Although I haven't had many problems with them, installing Win2k SP3 on a VMware image causes it to fail to boot. Microsoft has a knowledge base article on it, but in order to receive the patch, you need to *call* them, which is damn expensive.

  4. Re:I like Windows Update by Anonymous Coward · · Score: 3, Informative

    OSX runs Software Update after you install the OS for the first time. It schedules itself to run weekly and check for patches. You can select what patches you do and don't want to install, as well as drop patches from being on the list (eg, if you like iTunes 2 then you can tell it to never inform you of new versions of iTunes).

    Any user can run the software update tool and be informed of new packages. Before any can be installed, a window pops up asking for an admin account login. Once entered, download progress is indicated, install progress is indicated. All installed patches are logged to a file that can be viewed from the System Preferences.

    All in all, a very good system, although I have observed it break randomly at times, usually after a v. popular patch is released. Then, it sometimes just mysteriously fails to download the patches, though it still reports them as being available to install. I guess either patience or a manual fetch from support.apple.com are your options then.

    Anyway, I just wanted to put my two bits in on Software Update for OSX.

  5. Re:I don't trust Microsoft... by JWW · · Score: 3, Informative

    Not a Windows update per se, but SP3 for SQL Server broke one of our applications and we had to roll back. That was not pretty at all.

    And once you get one bad patch that throws your systems into chaos, you get real wary of other ones in the future.

  6. Re:turn it off by ramzak2k · · Score: 4, Informative

    If you don't like error reporting - turn it off.

    1. Start > Run
    msconfig.exe

    2. Go to Services tab and uncheck the error reporting service there.

    --

    Siggy Say, Siggy Do
  7. Re:I like Windows Update by Alanus · · Score: 5, Informative

    Just use "up2date -u" and you're done. Even better: Schedule it...

  8. Re:I don't trust Microsoft... by Coz · · Score: 5, Informative

    I haven't experienced a single problem due to a Windows update.

    I have. My wife's XP system stopped booting after a Windows Update. It's a semi-random thing - 75% of the time, after POST (and the "Windows failed to start properly last time" screen) we get a blank screen, black, forever. Power down and try again. Another 10% of the time, we get a black screen with white bars across the bottom. Power down and try again. Maybe 15% of the time, XP boots cleanly.

    Using the different boot options doesn't help, either - same results, if you're bringing up Windows and not a command prompt. Rolling back the system to two weeks prior to the behavior starting didn't fix it, either. Now, when she gets it to boot, she leaves it on (and hopes it doesn't crash and shut down when she changes users to let our daughter play Barbie games), and we fight through multiple attempts when we reboot.

    Someday, she'll get upset enough to let me reimage it for her and reinstall XP (yes, she has to use MS-only software for her job). Until then - we try, try again....

    --
    I love vegetarians - some of my favorite foods are vegetarians.
  9. Re:Insecurity by obscurity by drinkypoo · · Score: 3, Informative

    I don't know about you but I've had a ton of windows updates fail. Of course, they usually fail by saying they succeeded, but then the next day it wants to download the update again. This has happened to me with a number of updates. In each case they eventually fixed the patch installer and the problem went away.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  10. HFNetChk still free... by Joe5678 · · Score: 4, Informative

    I never visit windows update anymore, one too many times of it installing an update that hosed my system. Shavlik still develops HFNetChk, http://hfnetchk.shavlik.com/, and it's still free. Just run it and then go to http://www.microsoft.com/security to get the updates it says you need. A bit more of a pain, but a lot more peace of mind.

  11. Re:I like Windows Update by philip_bailey · · Score: 3, Informative

    Two users who disagree. Solution would be to make the behaviour configurable then, yes?

    It _is_ configurable. Out of a long list of options ("man up2date"):

    -d, --download
    Download packages only, do not install them. This option
    is provided so that you can override the configuration
    option "Do not install packages after retrieval." It is
    mutually exclusive with the --install option.

    -i, --install
    Install packages after they are downloaded. This option
    is provided so that you can override the configuration
    option "Do not install packages after retrieval.". It is
    mutually exclusive with the --download option.

    -u, --update
    Completely update the system. All relevant packages
    will be downloaded (and possibly installed,
    if you have configured Update Agent to do so).


    It seems to me that the main issue here is not the ease of use of systems to provide security patches (up2date, apt-get, Windows Update are all easy to use), but how much you trust the vendor / free software organisation not to break your system if you download them automatically. Personally, I haven't (yet) been burnt by RedHat's patches, and upgrade them automatically, but don't trust MS to always get things right.

    Phil

    --
    There is no place like ~!
  12. Re:I don't trust Microsoft... by JWW · · Score: 3, Informative

    It's called a testing environment, then go live.

    What is even more maddening, is that in the test environment (different hardware, I know in a perfect world it would be identical) it worked fine.

  13. Re:I don't trust Microsoft... by FattMattP · · Score: 3, Informative

    I doubt it. I've had a similar problem on a laptop where things acted haywire after a windows update. I restored a Ghost image from a month prior and everything was okay. Just to confirm I ran windows update again and installed the same patches I did before. Things started going nuts again.

    --
    Prevent email address forgery. Publish SPF records for y
  14. Re:In case of slashdotting, by NTBugtraq · · Score: 5, Informative

    Actually, I have made suggestions as to how Windows Update could be better. The second link in my post pointed to an article I wrote last year to NTBugtraq with suggestions. That message was discussed widely within Microsoft according to people there I have spoken with, yet despite that, WU continues to suck.

    Almost everything I said in this recent message is a suggestion. They need to be more informative about the activities of the application. What's the point of doing a scan and saying you need no patches if it failed in the process and recorded a message in an obscure log on your machine? The suggestion is it shouldn't do that, it should say on the web page that the scan failed, and, provide something more of an explanation than an 8-digit error message.

    Read my message again with that mindset and I think you'll see many suggestions.

    Cheers,
    Russ - NTBugtraq Editor

    --

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor