Slashdot Mirror


NTBUGTRAQ Bashes Windows Update

BigBadBri writes "Russ Cooper, keeper of the NTBUGTRAQ list, has a few concerns (to put it mildly) with the trustworthiness of Microsoft's Windows Update."

48 of 509 comments

  1. Trust? by DJ+Rubbie · · Score: 4, Funny

    Since when did we trust Microsoft / Windows?

    --
    Please direct all bug reports to /dev/null
    1. Re:Trust? by Gortbusters.org · · Score: 3, Insightful

      True that... with each newer operating system and update I see more and more 'report blah blah to Microsoft to improve quality'. It happens in Windows Media Player, whenever a process crashes, and probably other places as well.

      How soon until they don't tell you that and just start reporting your web browsing favorites and selling that information to others?

      --
      --------
      Free your mind.
    2. Re:Trust? by dre80 · · Score: 4, Interesting

      If anything, messages like that are a late attempt to catch up. Netscape/Mozilla have had the Quality Feedback Agent at least since the Netscape 4 era, and it was hailed as an example to follow. Well, like it or not, the example has been followed. MS may well not treat the information the same way, but tracking bugs has become increasingly important as applications get increasingly larger and more complex.

      I don't trust Microsoft in general, but in this case they've yet to prove that their intentions are any other than making quality software.

    3. Re:Trust? by Cro+Magnon · · Score: 3, Insightful

      I never trust anyone who says "Trust me".

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  2. it's a feature by ramzak2k · · Score: 5, Funny

    It is a feature to keep you aware of other features. Unfortunately it has a feature in itself which keeps the feature from featuring.

    --

    Siggy Say, Siggy Do
  3. So? by InfinityWpi · · Score: 4, Insightful

    This shouldn't surprise anyone at all. Anyone involved in computer security or stability is going to have doubts about any sort of update technology, especially if it's from Microsoft. All it takes is a 'minor' 'bug', like the one in the article, and we could be facing a much larger number of CodeRed targets, or zombie machines, or who knows what else.

    Oh, by the way, your car is just fine. No, no recalls at all for it. Well, one, but it's only important if you actually drive, so you're fine, I'm sure...

  4. it's better than nothing by Pov · · Score: 4, Insightful

    It's been proven time and time again that people don't patch their systems by hand. Windows Update is at least a step in the right direction, even if it does have some flaws. I can only imagine the outcry if M$ DIDN'T have a Windows Update. It would be an evil scheme or something.

    --
    --- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
    1. Re:it's better than nothing by jkrise · · Score: 4, Interesting

      "people don't patch their systems by hand. "
      I've never seen anybody do that, I agree :->

      "I can only imagine the outcry if M$ DIDN'T have a Windows Update. It would be an evil scheme or something."

      Tell me something. Why is it that MS refuses to deal directly with its own customers? Why should it sell thru OEMs etc. and support thru the web? Why can't MS offer support services directly thru their various offices and provide a CD that does the Update Services? A day's delay in couriering the CD? The CD media would cost about 20c. Even 50 CDs a year (we're talking MS here) would cost about $10 for the CDs and a maximum of $100 for postage.

      MS support services cost much more than $150 per year, but still the customers are denied the convenience of a CD and no intrusion on their systems. Why?

      --
      If you keep throwing chairs, one day you'll break windows....
  5. At least, this much is clear.. by jkrise · · Score: 5, Informative

    Bugtraq hasn't trashed Microsoft Windows - just the Microsoft Windows Update.

    "has a few concerns (to put it mildly) with the trustworthiness of Microsoft's Windows Update."

    Good.

    --
    If you keep throwing chairs, one day you'll break windows....
  6. Summary by cwernli · · Score: 4, Funny

    To sum up the last few posts: Electronic Voting can't be trusted, NVidia can't be trusted, Microsoft Update can't be trusted... that's enough for one day. I'll go to sleep right now.

    1. Re:Summary by Gortbusters.org · · Score: 4, Funny

      Tomorrow in cwernli's journal, "Sleep can't be trusted!!"

      --
      --------
      Free your mind.
    2. Re:Summary by TopShelf · · Score: 4, Funny

      Be sure not to trust the NY Times either...

      --
      Stop by my site where I write about ERP systems & more
    3. Re:Summary by sisukapalli1 · · Score: 4, Funny
      To sum up the last few posts: Electronic Voting can't be trusted, NVidia can't be trusted, Microsoft Update can't be trusted... that's enough for one day. I'll go to sleep right now.

      That is a nice lead into enjoying The Matrix Reloaded.

      S

  7. Re:It seems ntbugtraq.com also runs on NT... by caluml · · Score: 5, Informative

    The site www.ntbugtraq.com is running Microsoft-IIS/5.0 on Windows 2000. So, close.

  8. Then work on an alternative... by Sheetrock · · Score: 3, Interesting
    Why should Microsoft platforms be immune from the progress that the Open Source spirit has given other platforms? Windows Update doesn't have to be the sole source for the common user of updates, patches, etc. -- many of these are third-party, anyway, and could probably be handled similarly to apt-get, rpm, or emerge.

    I've read a number of depressed perspectives on how we've got to accept a broken technology because it is patent-encumbered, closed source, or whatever, and I wonder "Where's your initiative, people?" To use a cooking analogy: the Koreans and the Dutch couldn't be much more different geographically, but at approximately the same time in history they faced a similar crisis involving an abundance of fuel and a pittance of foodstuffs -- the Koreans invented stir-frying, which allowed a maximum amount of heat in a minimum amount of time to sear their food, while the Dutch came up with the Dutch Oven, which is an ancient European equivalent of the Crock-Pot where food was cooked in its own vapors in a covered environment at a low temperature over an extended period of time.

    This is only one of a number of similar examples throughout history of almost-parallel development. People have constantly had to reinvent the wheel for any number of reasons, but most importantly the process was influenced by cultural and social factors that ultimately lead to different approaches towards the same problem. Thus we can choose from the solutions the one that is most efficient or most effective... the strength of Open Source.

    I guess the point is that there is almost always more than one way to solve a problem, and generally it's the optimists that get to it. I see too many good ideas sunk by naysayers that won't give a concept a fair shake; irregardless, who could have predicted the computer, air travel, or the mysteries of the atom a mere century ago? Hope for even the best of the future and it will yet exceed your expectations.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.




    1. Re:Then work on an alternative... by DJ+Rubbie · · Score: 4, Insightful

      Actually, it has to be the only source of update because only Microsoft can do something about problems within their source code, therefore, they are the sole providers of patches for Windows.

      --
      Please direct all bug reports to /dev/null
  9. I like Windows Update by Teckla · · Score: 5, Insightful

    I'll voice an opinion that'll surely prove to be unpopular around these parts: I like Windows Update.

    Sure, like any given piece of software, you may run into glitches and bugs at some point. But, overall, Windows Update has provided me with an extremely easy and painless way to keep my systems updated.

    Even my Mom can use it, which says a lot. It's better than any alternatives I've seen which require too much geek knowledge to operate. (Admittedly I've never seen how MacOS X handles updates.)

    -Teckla

    1. Re:I like Windows Update by andrewmc · · Score: 5, Insightful
      Windows Update has provided me with an extremely easy and painless way to keep my systems updated.
      Maybe I'm missing something, but didn't the article say that it can leave your system not fully updated, while you only think it is?
    2. Re:I like Windows Update by Anonymous Coward · · Score: 3, Informative

      OSX runs Software Update after you install the OS for the first time. It schedules itself to run weekly and check for patches. You can select what patches you do and don't want to install, as well as drop patches from being on the list (eg, if you like iTunes 2 then you can tell it to never inform you of new versions of iTunes).

      Any user can run the software update tool and be informed of new packages. Before any can be installed, a window pops up asking for an admin account login. Once entered, download progress is indicated, install progress is indicated. All installed patches are logged to a file that can be viewed from the System Preferences.

      All in all, a very good system, although I have observed it break randomly at times, usually after a v. popular patch is released. Then, it sometimes just mysteriously fails to download the patches, though it still reports them as being available to install. I guess either patience or a manual fetch from support.apple.com are your options then.

      Anyway, I just wanted to put my two bits in on Software Update for OSX.

    3. Re:I like Windows Update by digitalgiblet · · Score: 3, Interesting
      A few weeks ago I ran update... (cue ominous music).

      It applied Service Pack 3 to Win 2K and rebooted. When it came back up (or actually failed to), it could no longer see the ATA100 hard drive on which it was installed...

      I tinkered around for about an hour before I decided it would be quicker to re-install than to try to fix it...

      Until then I had had good experiences with update for the most part. It is a good concept (like Red Hat Network), but given the wide range of hardware/software configurations out there, I'm not sure it will ever get to the point that a large update doesn't fry someone...

    4. Re:I like Windows Update by Alanus · · Score: 5, Informative

      Just use "up2date -u" and you're done. Even better: Schedule it...

    5. Re:I like Windows Update by Reziac · · Score: 4, Funny

      And don't you wish that NT4 SP4 had been forcefed to everyone as an automatic update? ;)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    6. Re:I like Windows Update by mccalli · · Score: 3, Insightful
      >>I find it [RHN] extremely irritating, because it requires separate download and install steps.
      >I'm sorry, but the separation of download and install steps is a good idea.

      Two users who disagree. Solution would be to make the behaviour configurable then, yes?

      Cheers,
      Ian

    7. Re:I like Windows Update by philip_bailey · · Score: 3, Informative

      Two users who disagree. Solution would be to make the behaviour configurable then, yes?

      It _is_ configurable. Out of a long list of options ("man up2date"):

      -d, --download
      Download packages only, do not install them. This option
      is provided so that you can override the configuration
      option "Do not install packages after retrieval." It is
      mutually exclusive with the --install option.

      -i, --install
      Install packages after they are downloaded. This option
      is provided so that you can override the configuration
      option "Do not install packages after retrieval.". It is
      mutually exlusive with the the --download option.

      -u, --update
      Completely update the system. All relevant packages
      will be downloaded (and possibly installed,
      if you have configured Update Agent to do so).


      It seems to me that the main issue here is not the ease of use of systems to provide security patches (up2date, apt-get, Windows Update are all easy to use), but how much you trust the vendor / free software organisation not to break your system if you download them automatically. Personally, I haven't (yet) been burnt by RedHat's patches, and upgrade them automatically, but don't trust MS to always get things right.

      Phil

      --
      There is no place like ~!
  10. Trustworthy Computing? by DaPhoenix · · Score: 4, Interesting

    Man it seems like every day we find out how to define the 'trustworthy' in "trustworthy computing"

    First Windows, then the Outlook bugs, then the Hotmail bugs, now the Windows Update security issues - not to mention the Shatter Exploit (fundamental unfixable Win API flaws)

    Mmm I love days like today. :)

    --
    -- -=innocent ramblings from the mind of an insomniatic programmer=-
  11. hmmm... by REBloomfield · · Score: 3, Insightful
    I bet I get marked as a troll, but I bet if this was Red Hat Network Update, you wouldn't be whinging.

    I have had Windows Update tell me that I'm clean, when I've only just done a fresh install, but I don't take it personally, you'd only complain if it examined every bit of your disk to ensure that it got it right... make your minds up people!!

    1. Re:hmmm... by Justin205 · · Score: 3, Interesting

      Red Hat updates are usually fairly on time, especially for security stuff. Feature updates usually only come in the next version, but since it's free, no big problem. Windows Update seems to get updates late, from when they are first available, if you know where to look, and isn't very reliable. When I use Windows, I've had the SP1 install on XP screw up at least twice from Windows Update, so I go download the installer manually.

      --
      "Your effort to remain what you are is what limits you."
  12. strange timing... by drummerboy714 · · Score: 4, Interesting

    Last week I spent all day downloading patches for an XP laptop that we are evaluating. Today we (my notoriously adorable assistant) received a notification that there are (surprise!) more patches to download. When I looked at the list, some of them were going back to Feb of 2002. We looked at what patches and Q#'s show as installed, and several of these are the same ones WUS show as needed. Needless to say, we are yanking the XP OS and going back to W2K. Oh, that we could use Linux in our production environment!!!!

  13. Re:I don't trust Microsoft... by somethingwicked · · Score: 3, Insightful

    BS BS BS BS BS BS BS

    BS BS BS BS BS BS BS

    Yes, their patches do on occasions break things. Not defending that, they need to be more careful sometimes...

    But "MORE OFTEN THAN NOT" is FAR from the truth, and I am sure you know this. But, with your M$ $ucks patch sewn directly on your forehead, you kinda hafta make remarks like this, right?

    On the few occasions things break they are rarely of the "blow up the server" variety, and MORE OFTEN THAN NOT *grin* they are of the "when the stars align" kind that you HEAR about in bug reports but don't experience first hand.

    --

    ---"What did I say that sounded like 'Tell me about your day?'"---

  14. Re:I don't trust Microsoft... by Lord+Kestrel · · Score: 4, Informative

    Although I haven't had many problems with them, installing Win2k SP3 on a Vmware image causes it to fail to boot. Microsoft has a knowledge base article on it, but in order to receive the patch, you need to *call* them, which is damn expensive.

  15. Re:Why Do They Always Rip Off Unix? by the-dude-man · · Score: 4, Interesting

    AS for WU - remember most of its audience is the home user. It tries to do a worthwhile job, but from experience unless you've got a fat pipe it takes ages (10MB isn't unusual) and it craps over your settings, it DOES scan and return info on what's on your machine .......

    This is very true, and if anyone doubts it, grab yourself a copy of VMware for Linux systems (ironically, that's the ad at the top of this page) and fire up Windows XP, then do a tcpdump on the interface that VMware is using, run strings on the data inside the packets.... it's quite interesting what you see when you reassemble all the packets going to v4.windowsupdate.microsoft.com.

    This is also true when Win98 is run within VMware, and Windows Update sends that nice message box saying "this is done without sending data to Microsoft"

    Windows, it's what's for dinner

  16. Maybe not... by Uruk · · Score: 5, Insightful

    Is it better? Here's a quote from the article:

    Let me put it this way. Since the inception of Windows Update millions of computers have been infected with Trojans that are today allowing individuals to conduct en-masse DDoS attacks. Read that how you want, but it's a fact. Here's another. Since the inception of Windows Update Microsoft has gone to producing patches almost every week. Few if any businesses have found Microsoft trustworthy enough to permit automatic updates

    Many people will also tell you that a false positive is far worse than a false negative. For example, if Windows Update is misconfigured and tells you that you're up to date when you're really not, that's arguably worse than not being up to date and knowing that you're not up to date. (Because in the latter situation at least you can do something about it)

    Even if technically windows update is better than nothing, it's utterly pathetic that this is the best one of the richest and most powerful corporations on the planet can do for their customers.

    --
    -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
    1. Re:Maybe not... by drinkypoo · · Score: 5, Insightful
      So wait, Microsoft is releasing more updates, this is bad? So maybe some of their updates have bugs, at least we get the fixes rapidly. It's not like this doesn't happen to, say, Linux - a fix breaks something else and another patch comes out three days later.

      So if that's a problem with Windows Update, perhaps that is why many companies still don't trust Open Source. The only difference here is that we don't see the source code. I don't read the source anyway, so I'm not losing anything :P

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  17. Re:I don't trust Microsoft... by JWW · · Score: 3, Informative

    Not a Windows update per se, but SP3 for SQL Server broke one of our applications and we had to roll back. That was not pretty at all.

    And once you get one bad patch that throws your systems into chaos, you get real wary of other ones in the future.

  18. Re:turn it off by ramzak2k · · Score: 4, Informative

    If you don't like error reporting - turn it off.

    1. Start > Run: msconfig.exe

    2. Go to the Services tab and uncheck the error reporting service there.

    --

    Siggy Say, Siggy Do
  19. Re:I don't trust Microsoft... by Coz · · Score: 5, Informative

    I haven't experienced a single problem due to a Windows update.

    I have. My Wife's XP system stopped booting after a Windows Update. It's a semi-random thing - 75% of the time, after POST (and the "Windows failed to start properly last time" screen) we get a blank screen, black, forever. Power down and try again. Another 10% of the time, we get a black screen with white bars across the bottom. Power down and try again. Maybe 15% of the time, XP boots cleanly.

    Using the different boot options doesn't help, either - same results, if you're bringing up Windows and not a command prompt. Rolling back the system to two weeks prior to the behavior starting didn't fix it, either. Now, when she gets it to boot, she leaves it on (and hopes it doesn't crash and shut down when she changes users to let our daughter play Barbie games), and we fight through multiple attempts when we reboot.

    Someday, she'll get upset enough to let me reimage it for her and reinstall XP (yes, she has to use MS-only software for her job). Until then - we try, try again....

    --
    I love vegetarians - some of my favorite foods are vegetarians.
  20. The thing I don't like about Windows Update by bogie · · Score: 4, Insightful

    Isn't the security aspect, it's the fact that MS hasn't gotten patching down yet. Patches from Microsoft CONSTANTLY slow down and screw up people's computers. Every time you download a patch it's like playing Russian roulette.

    I just experienced this two days ago. My friend had me reinstall XP on his laptop so I started with a disc that had XP SP1 included. Now considering the huge list of known problems SP1 causes both he and myself were happy with how the system performed after install. It seemed snappy and worked well. But then after I ran Windows Update and pulled down like 15 security updates, boom instant slowdown. I'd say it's about 15-20% slower now. I might as well have pulled out his PIII900 and dropped in a PIII600. (And yes I specifically avoided 811493)

    When will MS stop having to reissue patches and stop slowing down and screwing up systems because they can't figure out how to make software with some decent security built in? I mean screw the security track record of other OS's, Microsoft is the one with 40 billion in the bank. They are also the ones who still don't get it and are just now telling their programmers that security needs to be considered when designing software. For about the fact that OSS exists, I still can't believe people can have faith in a company like that.

    --
    If you wanna get rich, you know that payback is a bitch
  21. Re:I don't trust Microsoft... by jtrascap · · Score: 3, Interesting

    ""More often than not"? Really? That hasn't been my experience. In fact, I haven't experienced a single problem due to a Windows update."

    You want examples? Try using Win2K and WebTrends Web Analyzer (and don't change the subject by suggesting a different log analysis tool - this is required by the company).

    Somewhere, after a raft of updates last winter, the damn system kept locking-up in the middle of analysis. So we rip it down, build it back up fresh and remove anything that could cause issues. Same problem. The machine's a Dell Optiplex PIII 450, with 384MB of RAM and 40GBs of drive space - and it can't reliably run a logfile of 2MB without locking-up hard. And so we do it again. And again. Feh!

    We're all baffled. Anything else can run, and WebTrends says they're compatible but quietly acknowledges (via a help person) that Win2K people have been having update issues. I've spoken to others so this bit of anecdotal information strikes a nerve.

    WinXP has given me issues with media player codec problems, window redraws, explorer.exe running wild (climbing to 99% of processor time) after servicepak 1.

    Windows sucks. Period. We all know it. We're the smart ones, but the other 90% of the user base is either too frightened/lazy to change to something that works, or too cynical to even consider change. The damn system is a mystery to most users - they just pray it works, and when it doesn't, all they can do is rip it out and start over.

    This is not the way it's supposed to be.

  22. Re:Insecurity by obscurity by drinkypoo · · Score: 3, Informative

    I don't know about you but I've had a ton of windows updates fail. Of course, they usually fail by saying they succeeded, but then the next day it wants to download the update again. This has happened to me with a number of updates. In each case they eventually fixed the patch installer and the problem went away.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  23. HFNetChk still free... by Joe5678 · · Score: 4, Informative

    I never visit Windows Update anymore, one too many times of it installing an update that hosed my system. Shavlik still develops HFNetChk, http://hfnetchk.shavlik.com/, and it's still free. Just run it and then go to http://www.microsoft.com/security to get the updates it says you need. A bit more of a pain, but a lot more peace of mind.

  24. Re:I don't trust Microsoft... by Cromac · · Score: 3, Interesting
    "More often than not"? Really? That hasn't been my experience. In fact, I haven't experienced a single problem due to a Windows update.

    Please give your basis for that statement. How many updates have you installed and how many things have broken because of those updates?

    In my case almost certainly more than you have since I worked on the Windows Update team at MS. I know how well they tested the updates, what kind of things were bugged and not fixed and in general their level of quality control.

    More often than not patches installed via WU will work fine, but I've seen them cause BSOD that require a reinstall to fix often enough that I don't use it.

  25. problems and solutions by mattdm · · Score: 4, Insightful

    Providing the solution is not his job. In a more general sense, the people who are best suited to notice and complain about problems are by definition not the people who are best suited to fix them. This is why programmers don't do all of their own QA. "This is broken" is a completely legitimate thing to say, even if you're not going to be the one to fix it.

  26. Re:I don't trust Microsoft... by JWW · · Score: 3, Informative

    It's called a testing environment, then go live.

    What is even more maddening, is that in the test environment (different hardware, I know in a perfect world it would be identical) it worked fine.

  27. Re:In case of slashdotting, by vadim_t · · Score: 5, Insightful

    Heh, same goes for you. Please explain how do you think he could give a solution to that. I mean, this isn't Open Source. He can't just download the tar.gz and make a patch for it. All he could do is perhaps call MS, *paying for the call*, and hope that somebody there fixes the problem.

    In Open Source, complaining like this might be frowned upon sometimes. After all, we understand that not every OSS developer works for IBM, and has time and resources to fix every bug.

    However, this is commercial software, and closed source to boot. Why should anybody solve Microsoft's problems? Isn't that why people pay for work being done for them in the first place? I think he's doing pretty much the best thing he can do, complaining in public. That's the one thing that seems to work pretty well to get the attention of large companies.

  28. FreeBSD by TheLink · · Score: 3, Interesting

    Actually I found getting my FreeBSD system up to date easier than Windows Update.

    At one time, it seemed the Windows Update site was having problems - but the messages I got and the apparently relevant MS knowledgebase docs weren't helpful, so I thought the problem was with my system and wasted many hours because of that.

    And as Russ points out, even if you run Windows Update successfully, you shouldn't be surprised if your system isn't really up to date.

    With FreeBSD once I synchronized sources and rebuilt, I could be pretty certain what I had sitting on my HDD, AND so could others. If I have a problem, I can state the release I synced to, and the devs will know what I'm talking about. That makes support easier.

    But with MS, the process is such that you can't really be sure esp when there are problems. Even if you can it may take so much time to be sure that you might as well wipe and reinstall everything.

    Trustworthy? Not. Convenient? Yes.

    --
  29. Re:In case of slashdotting, by walt-sjc · · Score: 4, Interesting

    Um, aren't MS Windows users paying MICROSOFT to figure this out? MS does have the in-house talent to come up with a solution for this, they just choose not to address the problem. They just go on pretending that everything is fine.

    What Russ is attempting to do is tell MS to wake the hell up and fix it, and that if you are a Windows user that you should know that Windows Update is basically a pile of shit and that you can't trust it.

    So I guess I don't quite understand your beef. Is MS paying Russ to solve Windows Update problems and he isn't doing the job or something?

    As an end-user to commercial software, your job when it comes to bugs is to report them. Not fix them.

  30. Re:I don't trust Microsoft... by FattMattP · · Score: 3, Informative

    I doubt it. I've had a similar problem on a laptop where things acted haywire after a Windows update. I restored a Ghost image from a month prior and everything was okay. Just to confirm I ran Windows Update again and installed the same patches I did before. Things started going nuts again.

    --
    Prevent email address forgery. Publish SPF records for y
  31. Re:In case of slashdotting, by NTBugtraq · · Score: 5, Informative

    Actually, I have made suggestions as to how Windows Update could be better. The second link in my post pointed to an article I wrote last year to NTBugtraq with suggestions. That message was discussed widely within Microsoft according to people there I have spoken with, yet despite that, WU continues to suck.

    Almost everything I said in this recent message is a suggestion. They need to be more informative about the activities of the application. What's the point of doing a scan and saying you need no patches if it failed in the process and recorded a message in an obscure log on your machine? The suggestion is it shouldn't do that, it should say on the web page that the scan failed, and, provide something more of an explanation than an 8-digit error message.

    Read my message again with that mindset and I think you'll see many suggestions.

    Cheers,
    Russ - NTBugtraq Editor

    --

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor