Slashdot Mirror

← Back to Stories (view on slashdot.org)

DIY Service Pack For Windows 2000/XP/2003

Posted by kdawson on from the patch-it-yourself dept.

Karsten Violka writes "Looking for manageable Windows updates even without an internet connection? Heise's script collection Offline Update 3.0 downloads the entire body of fresh updates for Windows 2000, XP, or Server 2003 from Microsoft's servers in one fell swoop and then uses them to create ISO-Images for CD or DVD. Included is an intelligent installer script that allows you to update as many PCs as desired." Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.

17 of 197 comments (clear)

  1. Well Einstein by El+Lobo · · Score: 2, Informative
    1) Who says that you must download it from an unpatched PC?

    2) The probability that an unpatched PC behind a firewall will get "hacked" in the moment while you are downloading it is what... 0,2?

    3) What else will we whine about now... the versatility of Macintosh hardware?

    --
    It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
    1. Re:Well Einstein by Shakrai · · Score: 2, Informative

      Home desktops aren't usually behind firewalls

      Depends on your service provider. In my experiences most DSL providers use NAT routers -- even for single PC connections. Most cable providers seem to use bridges and your PC gets a globally valid address, which tends to be a problem for a Windows PC.

      Then there's dialup users. But if you have to use dialup to do a complete set of Windows updates on a brand new PC it's an even money bet that you'll die from old age before they finish and in this scenario who cares about being pwned?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
  2. Corporate Windows Update by mandelbr0t · · Score: 2, Informative

    This sounds like a useful script. I know people who manage Windows Updates for corporate networks, and they've mentioned these sorts of ISOs before. Effectively, it allows an admin. to read the KB articles on microsoft.com and pick-and-choose which updates to make available to the corporate network. There's a lot of updates! A backup ISO of the updates you've chosen to make available allows you to easily rebuild the update server if anything happens to it, and to build update servers for other networks based off work you've already done.

    As to circumventing WGA: it's already been circumvented for XP SP2. You actually have to download and run the WGA executable to destroy a cracked XP SP2 install (Windows Update doesn't push it to you). Vista may be a different story though.

    mandelbr0t

    --
    "Please describe the scientific nature of the 'whammy'" - Agent Scully
    1. Re:Corporate Windows Update by LurkerXXX · · Score: 2, Informative

      I don't know any admin who would use these for a corporate network. ISOs are typically a thing you use when you only have one or a handful of individual machines to update. WSUS makes things easy to customize for what computer receives what individual patches without messing with DIY patch ISOs. WSUS Server chaining, replicas, or offline updates allows you to copy settings to other WSUS servers without worrying about 'backup ISOs' of what you have selected. It does it all for you.

  3. autopatcher has been doing this for a while now by schnikies79 · · Score: 4, Informative

    i keep a up-to-date copy for my dialup friends, which most are.

    Autopatcher!

    --
    Gone!
  4. nLite by Nasarius · · Score: 4, Informative

    I've been using nLite and RyanVM's update pack to do this for a while now. Great stuff, even works with my Dell OEM version of XP.

    --
    LOAD "SIG",8,1
  5. Trust him? Do you know what Heise is? by Anonymous Coward · · Score: 2, Informative

    Who do you refer to, exactly? Heise? Heise is not a him, it's a big (and trustworthy) publisher of computer magazines in Germany (c't and iX).

  6. Check out RyanVM too by SteWhite · · Score: 2, Informative

    For anyone interested in this sort of thing, you might also want to check out RyanVM:

    http://www.ryanvm.net/msfn/

    This allows you to produce updated Windows installation CDs, that actually have the service packs and post-service pack hotfixes *already integrated into the installation*. This saves the extra time normally taken to install Windows *then* go apply all the updates.

  7. Re:Danger? by LodCrappo · · Score: 4, Informative

    A NAT in front of your windows box does do a lot to prevent trouble while you're patching up a new install. As long as you immediately get up to date (before using the machine for anything else) then I'd think this is fine. The problem is people who rely on a NAT device for some sort of security *in place of* security patching. Many exploits work just fine through NAT if you're actually using the machine to surf the web or read email, and way too many people seem to not understand this.

    --
    -Lod
  8. Yes but... by kosmosik · · Score: 1, Informative

    Yes but no Polish (or any other than few) language version is supported. So it is useless for me.

    It just shows how retarded update management is in Windows. It is like 10 years behind Linux and 5 behind OSX. And Vista is no different either.

  9. Already been done in a better form by cHiphead · · Score: 5, Informative

    Its called Autopatcher and its WAYYYY sexier. Lots of installable extras and sexy registry patches to make windows life easier.

    http://www.autopatcher.com/

    --

    This is my sig. There are many like it, but this one is mine.
    1. Re:Already been done in a better form by MCraigW · · Score: 4, Informative

      I've been using Autopatcher for quite some time now, and I'm quite happy with it. It also has some extra utilities that it will install if you select them, and the ability to make various UI tweaks. I find it is a nice way to install everything on a new PC. I download the latest version, write it to a CD and take it to the new PC. The new PC never has to be connected to the internet to get the latest MS updates.

  10. Stop with the "unpatched PCs are insecure" rubbish by pandrijeczko · · Score: 3, Informative
    Anyone with any knowledge of security knows that if you deploy a NAT router/firewall between your unpatched PC and the Internet, whether a simple £50 box in a home environment or behind a DMZ in a corporate environment, then that PC, whether running Windows, Linux or any other OS, is pretty safe as long as you don't run any services out onto the Internet with it and don't do too much else with it. And if you run an Internet connection without one of these in place then more fool you...

    On a Windows desktop PC behind a firewall, you are vulnerable to scripts and viruses that it come in from emails, documents & web pages but if you stick the PC on the network and don't use it for any of those things *until* you've put on all the updates, then nothing is going to happen to it. So let's get rid of this stupid notion that the moment you put an unpatched PC on a firewalled LAN, it's going to get swamped with viruses and rootkits - it just won't happen.

    No, I'm no Microsoft fan but let's stick to facts rather than "science fiction" FUD stories...

    --
    Gentoo Linux - another day, another USE flag.
  11. Re:Stop with the "unpatched PCs are insecure" rubb by pandrijeczko · · Score: 4, Informative
    PCs behind a NAT router should be given "private" IP addresses - either fixed ones or DHCP assigned ones. These private addresses are in the ranges 10.x.x.x, 172.16.x.x to 172.31.x.x, and 192.168.x.x.

    Since every directed IP packet on the Internet contains the sender and receiver IP address, any Internet router that sees a private address in either the source or destination address will drop the packet and not route it. Consequently, no-one on the Internet can get to a PC in the private address range - not only that but there are probably thousands of PCs using anyone of those private IP addresses at any moment in time.

    The trick of a NAT router is that when one of your PCs connects through the router to the Internet, the NAT router substitutes the private source IP address in each packet coming from one of those PCs with the real IP address on the Internet side of the router. So when a response comes back from, say, a web server one of your PCs is accessing, the response hits the router's Internet IP and the router puts the private IP address back in to send it back to the right PC.

    It is possible to forward incoming connections to the router onto a PC in the private address space but this feature has to be manually configured on the router and is turned off by default.

    So, yes, you can still download a nasty email or script from a server on the Internet, even with a NAT router in place - but then you just don't use a PC for those purposes until you've fully patched them.

    --
    Gentoo Linux - another day, another USE flag.
  12. Re:encountered (again) another win box without NAT by KillerBob · · Score: 3, Informative

    With *BSD, it's entirely possible to set up a low-level firewall that offers just as much protection as NAT without actually doing any address translation. It does this by monitoring the traffic at the packet-level, and can be configured to block certain ports, to ignore all unrequested traffic, or any number of QoS-type monitoring/filtering features that are a royal pain in the ass to set up on a NAT box. Really, the biggest advantage of NAT is that the DHCP allows you to have more than one computer on the network. (granted, that's a pretty big advantage).

    There's even a howto on NetBSD's website that explains exactly how to go about setting such a box up.

    But you're right... generally, it's easier to go with NAT in the long run.

    --
    If you believe everything you read, you'd better not read. - Japanese proverb
  13. Re:Does MS offer this by SuneSpeg · · Score: 2, Informative

    It seems like people are totally unaware of the lovely thing from M$ called WSUS (Windows Server Update Services). Which is a local server that works as an update proxy. It saves tons of bandwidth and time!

  14. Re:Stop with the "unpatched PCs are insecure" rubb by evilviper · · Score: 2, Informative
    Consequently, no-one on the Internet can get to a PC in the private address range - not only that but there are probably thousands of PCs using anyone of those private IP addresses at any moment in time.

    People keep repeating it, but it's just not true. It is TRIVIALLY easy to send packets to private addresses behind an open NAT.

    First off, the way in which packets sent to a NAT box disappear is like waving a big red flag that says "NAT". Then all it takes is a little bit of forging of header address, and a couple packets, and you can discover the exact addresses of all the machines on the private net, and send whatever you want to them.

    The two ways I like to explain it (for brevity) is source routed packets, and gateways.

    Sequentially ping the broadcast addresses of the private networks (like 10.255.255.255) setting a source-route of the public IP address of the NAT box. The routers between the two of you will forward the packets to the NAT box. Then, being the good little router it is, it will see the packet is supposed to go to the private network, and forward it there. The ICMP replies will be sent back to you, and you now have a list of (most of) the running systems behind the NAT. Now you can send whatever payload you want, to any one of those privately-addressed machines.

    Another very simple way (which gets around blocked source-routed packets) is to get an address on the same public subnet as your target. Most providers have their public addresses grouped in a /24 subnet, or larger, which gives you at least 253 chances. That should be trivially easy to accomplish, and is left as an exercise for the reader. Once you've done that, all you have to do is set your default gateway as the NAT box's public IP, and you can just directly address all those machines by their private address, directly. No skill needed at all. The NAT box is only too happy to forward your packets, and return the replies.

    Needless to say, there are many, many other ways to trick the NAT into forwarding packets to the privately addressed machines, but they are a bit too involved for a short post on /. Suffice it to say, NAT is common enough that I suspect a very large number of crackers have automatic routines to penetrate them, and your NAT isn't going to even slow them down.

    For about two decades now, it has been trivially easy to setup a machine to do stateful packet filtering, which actually WILL stop penetration attempts. There's no reason NOT to do it. And for any kind of security, that's precisely what you need.

    The warm fuzzy feeling you get with a NAT box, because you're ignorant of how easy they are to bypass, won't stop your computers from being turned into zombies.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant