Slashdot Mirror
DIY Service Pack For Windows 2000/XP/2003
Karsten Violka writes "Looking for manageable Windows updates even without an internet connection? Heise's script collection
Offline Update 3.0 downloads the entire body of fresh updates for Windows 2000, XP, or Server 2003 from Microsoft's servers in one fell swoop and then uses them to create ISO-Images for CD or DVD. Included is an intelligent installer script that allows you to update as many PCs as desired." Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
2) The probability that an unpatched PC behind a firewall will get "hacked" in the moment while you are downloading it is what... 0,2?
3) What else will we whine about now... the versatility of Macintosh hardware?
It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
Does MS offer a cd with patches? Even for download (or would that violate DRM/DMCA/DigitalDarkAges laws/technologies)?
I know Apple offers their patches as download, complete with SHA1 sig.
"We are all geniuses when we dream"
- E.M. Cioran
This sounds like a useful script. I know people who manage Windows Updates for corporate networks, and they've mentioned these sorts of ISOs before. Effectively, it allows an admin. to read the KB articles on microsoft.com and pick-and-choose which updates to make available to the corporate network. There's a lot of updates! A backup ISO of the updates you've chosen to make available allows you to easily rebuild the update server if anything happens to it, and to build update servers for other networks based off work you've already done.
As to circumventing WGA: it's already been circumvented for XP SP2. You actually have to download and run the WGA executable to destroy a cracked XP SP2 install (Windows Update doesn't push it to you). Vista may be a different story though.
mandelbr0t
"Please describe the scientific nature of the 'whammy'" - Agent Scully
A "danger" that is eliminated with a rinky $25 NAT router.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
i keep a up-to-date copy for my dialup friends, which most are.
Autopatcher!
Gone!
Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.
Or you could just buy the firewall you really should have anyway and be done with it. Seriously, I can't imagine anyone would try to argue that it's acceptable to put a server out on the net without a firewall in front of it, so why should a desktop PC be any different? That way you get to protect your unpatched Linux box too.
It's official. Most of you are morons.
Hasn't this one already been done with AutoPatcher? I am still gonna play with this and see how it compares. AutoPatcher works fairly well, usually there are only a few items left to download after starting with a fresh install of SP2. For one, something like this that automates downloading the patches to be installed on multiple computers really helps out with the time it takes to patch a system. One download vs the 7 I will be doing here in a little bit is nice. Also along these lines is Update Accelerator for IPcop. Basically, it's a web cache for Windows Updates. You download the updates once, it stores them on the IPcop system and they are delivered from IPcop in the future, makes things take a lot less time and it's free (minus some old hardware and time).
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
I've been using nLite and RyanVM's update pack to do this for a while now. Great stuff, even works with my Dell OEM version of XP.
LOAD "SIG",8,1
Who do you refer to, exactly? Heise? Heise is not a him, it's a big (and trustworthy) publisher of computer magazines in Germany (c't and iX).
nlite does almost the same thing and is much more flexible and easier to use
http://www.nliteos.com/
For anyone interested in this sort of thing, you might also want to check out RyanVM:
http://www.ryanvm.net/msfn/
This allows you to produce updated Windows installation CDs, that actually have the service packs and post-service pack hotfixes *already integrated into the installation*. This saves the extra time normally taken to install Windows *then* go apply all the updates.
...a Windows zealot slagged for saying "How are you supposed know how to configure support in *nix if you can't get on the internet to do it?" Seriously...
;)
"Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates." - Who the heck said you should connect the unpatched machine to the 'net to grab this stuff? FFS, I bet ol' Karsten would go to town of the Windows zealot for playing stupid.
Loading...
This is a useful tool for my particular environment where we use RapiDeploy to re-image boxes. The image gets a little stale and we have to go through a quarantine network before our Cisco Clean Access authenticates us--we're essentially in a leper colony while we're trying to catch up on patches. It's a bit of a catch 22.
Having the patches on hand would really help when we don't have a little router on hand on field calls.
I might know what I'm talkin' about, but then again, this is Slashdot...
is still just slipstreaming - you don't need any special downloaded software for this.
Eloi are stupid, throw morlocks at them!
Yes but no Polish (or any other than few) language version is supported. So it is useless for me.
It just shows how retarded update management is in Windows. It is like 10 years behind Linux and 5 behind OSX. And Vista is no different either.
I wish the big Linux distros would start doing this. Being unable (or unwilling) to patch a linux box without a broadband connections is one of my biggest pet peeves with the current crop of distros.
I wonder what Microsoft thinks about this, right now I'm downloading updates that I wouldn't be able to get since I don't use a legal version of their software.
:D
Thank you
So what's the point of using a reg.exe from the NT 4.0 resource kit? Rename a self extracting zip to reg.exe?
In short, don't play with strange links posted by anonymous cowards...
Jonah HEX
Horror & SciFi Erotic Nudes
Its called Autopatcher and its WAYYYY sexier. Lots of installable extras and sexy registry patches to make windows life easier.
http://www.autopatcher.com/
This is my sig. There are many like it, but this one is mine.
Yes, there is. Every time MS releases an updated WGA .dll, the pirates release a cracked copy. Shows up all over the place. Download, overwite the files in WINDOWS/SYSTEM32, and presto, no more nags, and you can use Windows Update manually too.
I have a feeling it won't be quite so cut and dried with Vista though.
"Many exploits work just fine through NAT if you're actually using the machine to surf the web or read email, and way too many people seem to not understand this."
Or connect to a torrent server. Watch the number of attacks on your PC's FW skyrocket the instant you run BT and connect to a tracker. Lot's of hackers run torrent servers just to mine the connection information and find new, unprotected computers to attack.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
On a Windows desktop PC behind a firewall, you are vulnerable to scripts and viruses that it come in from emails, documents & web pages but if you stick the PC on the network and don't use it for any of those things *until* you've put on all the updates, then nothing is going to happen to it. So let's get rid of this stupid notion that the moment you put an unpatched PC on a firewalled LAN, it's going to get swamped with viruses and rootkits - it just won't happen.
No, I'm no Microsoft fan but let's stick to facts rather than "science fiction" FUD stories...
Gentoo Linux - another day, another USE flag.
They say one of the benefits of doing this is updating older systems because of the worms spreading the internet. Does anyone who is working with a windows system and needing to install updates (and one who knows how) even directly connect any computer to the internet? In this day and age, I'd bet that nearly everyone is behind a firewall already.
In the rush to be first post, you seem to have missed that all the source code to the tools (and even gpl.txt) are included in their zip file. You need to trust AutoIt to build some of them. I see a few binaries that don't have source included, but they're generic ones like mkisofs.exe and wget.exe that could easily be replaced with trusted versions.
Right. That's of course if you don't have of one the following:
1) 3rd party firewall on the box
2) the OS's firewall (who says you're installing without an SP?)
3) a hardware firewall
4) a home router/switch that does NAT for you (and of course a home network that's not 0wn3d)
5) IPsec policy on the box preveting connections to the ports
6) File & Print sharing + naughty services turned off.. (anyone out there??)
Yea so those are all pretty good... #6 not being full proof but definitely highly recommended regardless. These CDs might be a good [neat] idea. Then again why not just setup your own WUS box and get your patches from your local LAN while not routing out. That way you can save time, touches, and bandwidth!! wowzers.
> No, I'm no Microsoft fan but let's stick to facts
> rather than "science fiction" FUD stories...
These are not SF FUD stories. There are a lot of people who:
- don't know shit about security
- don't know shit about patching
- own USB xDSL modem or connect to *untrusted* network with wifi or something similar (do you carry a $50 router with your laptop?)
- use computer to Just Work With it - as a tool - you know
And Windows is not uber-user-friendly there. In fact I think you need to be relatively skilled to set up XP so it is relatively secured. Not something your mom or dad (I assume) can do with their computers.
Recently a friend of mine reinstalled Windows (since it was wrecked to the point of no other option, at least for her) from CDs (sans SP) which came with her laptop. After 1 minute the system was infected and unusable it havent even a slight CHANCE of updating itself.
MS made some stupid decissions few years ago and now they pay the price. This is not FUD. People do not have the latest Vista and so on. Some of them use 5 year old computers since they tend to work for them.
I can surely install old version of Linux distribution or OSX and do not get infected in 10 minutes after connecting to untrusted network.
I agree - but I've set up a number of these NAT routers recently for friends and colleagues, and apart from some simple configuration for ADSL accounts (and some wireless security if needed), these things now work pretty much out of the box. They are a whole heap of good security for little cost that are easy to setup - and protect you from about 90% of the bad things out there on the Internet the moment you switch them on.
And for your information, I carry round a Linux laptop with a fully locked down kernel firewall that I *carefully* open up as I need to if I'm on an unprotected (un-NAT-ed) Internet connection. :-)
> And Windows is not uber-user-friendly there. In fact I think you need to be relatively skilled to set up XP so it is relatively secured. Not > something your mom or dad (I assume) can do with their computers.
I agree again - which is why I recommend a NAT router to anyone I know with ADSL; and if they refuse to buy one, I refuse to offer them any help when their PC goes wrong! :-)
> MS made some stupid decissions few years ago and now they pay the price. This is not FUD. People do not have the latest Vista and so on. Some of them > use 5 year old computers since they tend to work for them.
Again, I agree. But, if anything, Windows 9x didn't have a complete enough IP stack to allow much to be run in the way of services out to the Internet - so it could be argued that unpatched and out of the box, a 9x machine is more secure than XP.
> I can surely install old version of Linux distribution or OSX and do not get infected in 10 minutes after connecting to untrusted network.
It depends on what's out there. Before I moved house last year, on my old ISP I ran an SSH (Secure Shell) server out to the Internet and my log files were filled with scripted access attempts against the server - just pounding away at my server with common account names hoping that one of them would allow entry.
Yes, a secured Linux server is always going to be more secure than a secured Windows server but please don't get complacent about it - it just takes one stupid mistake on either OS and someone will get into it.
Gentoo Linux - another day, another USE flag.
But if it was a public (=valid) IP address then it probably just wouldn't work, or not make a great deal of difference, depending on what the NAT routed did. If the NAT router treated it like a private IP address and put the WAN (Internet) IP in the header in it's place, then I don't see there would be any difference in functionality; if it left the public IP in place, then it just wouldn't work because a router somewhere along the way would just route it to the *real* network where that public IP actually is.
Someone correct me if I'm wrong, BTW. I'm a LAN and OS man, not a Cisco or router guru.
Gentoo Linux - another day, another USE flag.
I'm afraid you'd need to have mapped those ports through to the private network on the router first before you saw anything - and in my post I did quite clearly state usage of a NAT router...
Gentoo Linux - another day, another USE flag.
MS sent out SP2 CDs when it came out to anyone who asked, completely free of charge. They still do it now; you just have to pay shipping. Not to mention MS have *always* offered tools to let you slipstream updates into a custom installation CD.
What's purple and commutes? An Abelian grape.
In Capitalist West you burn cd for unsafe consumer operating system.
In Soviet Union unsafe CIA operating system burns you.
Domestic spying is now "Benign Information Gathering"
Since every directed IP packet on the Internet contains the sender and receiver IP address, any Internet router that sees a private address in either the source or destination address will drop the packet and not route it. Consequently, no-one on the Internet can get to a PC in the private address range - not only that but there are probably thousands of PCs using anyone of those private IP addresses at any moment in time.
The trick of a NAT router is that when one of your PCs connects through the router to the Internet, the NAT router substitutes the private source IP address in each packet coming from one of those PCs with the real IP address on the Internet side of the router. So when a response comes back from, say, a web server one of your PCs is accessing, the response hits the router's Internet IP and the router puts the private IP address back in to send it back to the right PC.
It is possible to forward incoming connections to the router onto a PC in the private address space but this feature has to be manually configured on the router and is turned off by default.
So, yes, you can still download a nasty email or script from a server on the Internet, even with a NAT router in place - but then you just don't use a PC for those purposes until you've fully patched them.
Gentoo Linux - another day, another USE flag.
Besides, this is about adding a good *additional* layer of security in a NAT router. Without one, your PC owns the Internet IP address meaning that it's directly exposed to the Internet - with a NAT router, the router has that IP address meaning that your PC only gets stuff that the router allows through.
Gentoo Linux - another day, another USE flag.
Well, it can be, but doesn't have to. Behind a decently-configured firewall, the machine can download patches without any connections from the outside getting through. YOU might ruin things by initiating connections to non-trusted sources, but that's your fault, not the OS. Of course, the security of other machines on the same network is important, but it's easy enough to maintain a seperate, firewalled network for "fresh" machines, or any sort of machine you're not sure of.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
I prefer UpdateHF.vbs
8 31
Once you've installed Installer 3.1 and BITS2 , it downloads and installs all the updates from the Windows update site
http://www.wsus.info/forums/index.php?showtopic=6
"We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
With *BSD, it's entirely possible to set up a low-level firewall that offers just as much protection as NAT without actually doing any address translation. It does this by monitoring the traffic at the packet-level, and can be configured to block certain ports, to ignore all unrequested traffic, or any number of QoS-type monitoring/filtering features that are a royal pain in the ass to set up on a NAT box. Really, the biggest advantage of NAT is that the DHCP allows you to have more than one computer on the network. (granted, that's a pretty big advantage).
There's even a howto on NetBSD's website that explains exactly how to go about setting such a box up.
But you're right... generally, it's easier to go with NAT in the long run.
If you believe everything you read, you'd better not read. - Japanese proverb
The unfortunate fact about OS security is that it is a case of "survival of the fittest". It's pretty safe to assume that as long as there is an Internet, then there will be crackers out there trying to break into PCs that sit on the Internet. From their perspective, if they crack open a PC then they are happy and that the longer it takes them to break into a PC, the more likely they are to just give up and try another one.
Consequently, the more "walls" you put in the way of a cracker, the more the chances that you'll reach the limit of his abilities & make him give up. So security is all about doing *multiple* things against attacks - disabling well-known account names, using strong passwords, deploying software firewalls *AND* NAT routers, turning off unnecessary services, tightening the configuration of needed services to only allow certain hosts to access... these are all *ADDITIONAL* steps to just applying software updates.
Sure, a lot of these processes are tricky for new users but a lot of them are also very simple to deploy - and any of those that you do deploy put you one step ahead of the people who don't deploy them and who are, consequently, put at more risk from attack by crackers.
Gentoo Linux - another day, another USE flag.
I am genuinely interested because I've deployed Linux boxes (successfully) as firewalls in a few SOHO environments - but if BSD does an even better job of it then I'll definitely need to go take a look at it.
Gentoo Linux - another day, another USE flag.
While you're absolutely right that an unpatched PC should be behind a firewall/NAT, the trouble of course is that quite often this is not "possible".
Case in point: A few months ago my mother got a shiny new ADSL connection. Since it's a triple-play (net, tv and phone over ADSL) offering it comes with a ok router; nothing spectacular, but I've seen worse, and thus I thought everything was fine (not!). A week or so later her connection basically went down (you'd have to be lucky to get on-line), also IE windows began popping up (pushing some scum-ware called SystemDoctor2006) this despite the fact that she's using Firefox. Yes, she had a virus, and it had gotten in from the internet without the need for IE.
It turned out that the router was set up to put the PC in the DMZ (probably to save the ISP from support calls asking why Bit Torrent isn't working properly), thus exposing it to $Deity knows what. The morale therefore being that routers may NOT be set up properly for security thus exposing the PC even when you think it's secure.
The ISP, by the way, is Neuf (http://www.neuf.fr), so if you know someone that uses them be nice and check their router configuration.
(If it seemed a bit confused: It's 01.00 here, I'm Danish, have a slight cold, am tired and about to go to bed. YAY!)
VPS-like shared hosting, on under-crowded servers.
Here is another script for slipstreaming updates into an ISO:
http://smithii.com/slipstream_xpsp2
I use it for my unattended share. Works great.
"It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
nat/firewall is like a one way mirror on the 1 side its transparent on the other side its a mirror.
If you try to shoot a target on the other side you don't know
1 who is on the other side
2 how many whos are on the other side
3 what configuration the whos are (any cops/feds/military dudes wearing what)
4 where which who is
plus if the "mirror" is any good its also tempered/Bulletproof so you would need armour peircing bullets
Any person using FTFY or editing my postings agrees to a US$50.00 charge
this would be about as bad as going to octoberfest getting BLASTED and then going down the autoban with the pedal to the metal and playing chicken with a semi (or an M1-A1) driving a RABBIT
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Unfortunately, these tools aren't exactly automated.
/please tell me I'm wrong.
Well, it's not completely automated, no. It does involve typing a few commands into a command prompt (six in total); but that shouldn't really be a problem for most of the people on Slashdot. Full instructions here (it looks like quite a long page, but the bottom 2/3 is just screenshot-by-screenshot guide on how to burn a bootable CD in 3 different CD burning programs, so it's not as long as it looks).
What's purple and commutes? An Abelian grape.
Yeah okay, but that's for one update. There's between 2^5 and 2^6 updates out for windows xp since sp2, so that gets boring really fast.
I have a feeling it won't be quite so cut and dried with Vista though.
Why? Never underestimate the power of piracy. Remember how "secure" WinXP was supposed to be? in a few weeks, a WPA killer was already making the rounds? WGA killers ABOUND.
Piracy has been around forever and always will. A huge company in Redmond won't be changing that.
"No freeman shall ever be debarred the use of arms." -- Thomas Jefferson
The only special software I needed was to rip the floppy boot image from the original Windows CD so I could boot from the CD.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
I just tried it, selected Windows 2K english, per selected platform. It instantly pops up a CMD window with a wget error:
.
Starting download (v. 3.02)
Copying Microsoft registry console tool...
Downloading Microsoft ifmember tool...
Can't timestamp and not clobber old files at the same time.
Usage: wget [OPTION]... [URL]...
ERROR: Download failure.
Press any key to continue . .
Looking at the components it's not clear if there's an erroneous parameter passed to wget or something, as several things are less then obvious-- what the error means, exactly what wget command it's trying to run, etc.. No log file in sight... Not looking good...
BSD has the ability to firewall just like Linux with iptables/netfilter. What I'm talking about is a different ability, though. You can set it up at the hardware bridge mode, to set up an invisible firewall. One of the great features is in forcing everybody on the net to use your proxy server... you can tell it that if outbound traffic on port 80 doesn't originate from 192.168.1.5, for example, then it gets redirected to 192.168.1.5:8080. It's a great way to stealthily force your entire network to use a proxy without having to manually configure it in every computer.
I *think* that's the real reason that the system was developped. But it also makes a great way to set up firewalling: all inbound traffic on all ports can be ignored, redirected to your DMZ host, or treated however you want. It's also able to do it transparently, so you could simply drop an appropriately configured NetBSD box between your existing gateway and the world. Not a lot of point in doing it that way, though. As I said, the real advantage is in being able to quietly force traffic to go through proxies of your choice.
If you believe everything you read, you'd better not read. - Japanese proverb
that's all fine and dandy, but we may have to wait for these
Then reboot in Windows to install them.
Someday there will be threats to the Mac OS, so you can download the Mac updates from the Windows half of your Mac...
...omphaloskepsis often...
Actually I connected a freshly reinstalled XP box up to the internet(my disk is really old so it's pre SP1 and I didn't have a copy of SP2 lying around), without installing the firewall and AV software before I connected to the internet(I was tired and stupid at the time). On 8/1 ADSL my PC was pwned to the point that I couldn't download any files(including spyware scanners) that weren't corrupted before I could finish getting the windows updates. This was through a NAT router with no open ports. Without at least SP2 preinstalled NAT won't save you. A virus scanner and a reasonable software firewall plus NAT will, but not just NAT, and I'm far from ignorant about computers.
I made a service pack 7 for Windows NT some while ago, but it is still in late alpha. When this installs, it does so as "Revised service pack 6A". Still, i use one further patch file to deliver updates, like the 2k3 NTLOADER / NTDETECT.COM, sol.exe and cmd.exe from Windows 2000, and a few other "fixes".
There are, none the same, a number of useful projects to slipstream fixes etc into both OS/2 and Windows.
One might for OS/2, try UPDCD, and compare this with the various Windows versions: NLITE, HFSLIP, and USP5 for Win2k. The UPDCD, NLITE and HFSLIP projects are multi-versions, while USP5 is for 2000 only.
Windows 3.1 did not check any files, and one has always been able to update the stuff. I managed to add all of the fixes to PC-DOS 6.31, once one gets a hold of compress.exe v 1.0.
OS/2 - because choice is a terrible thing to waste.
The reg_x86.exe is actually a winzip file (it can be opened in any zip utility), the relevant file contains reg.exe, along with a readme file (suggesting the file goes to c:\reskitnt). I have been incliding reg.exe in the various update files etc.
OS/2 - because choice is a terrible thing to waste.
People keep repeating it, but it's just not true. It is TRIVIALLY easy to send packets to private addresses behind an open NAT.
First off, the way in which packets sent to a NAT box disappear is like waving a big red flag that says "NAT". Then all it takes is a little bit of forging of header address, and a couple packets, and you can discover the exact addresses of all the machines on the private net, and send whatever you want to them.
The two ways I like to explain it (for brevity) is source routed packets, and gateways.
Sequentially ping the broadcast addresses of the private networks (like 10.255.255.255) setting a source-route of the public IP address of the NAT box. The routers between the two of you will forward the packets to the NAT box. Then, being the good little router it is, it will see the packet is supposed to go to the private network, and forward it there. The ICMP replies will be sent back to you, and you now have a list of (most of) the running systems behind the NAT. Now you can send whatever payload you want, to any one of those privately-addressed machines.
Another very simple way (which gets around blocked source-routed packets) is to get an address on the same public subnet as your target. Most providers have their public addresses grouped in a
Needless to say, there are many, many other ways to trick the NAT into forwarding packets to the privately addressed machines, but they are a bit too involved for a short post on
For about two decades now, it has been trivially easy to setup a machine to do stateful packet filtering, which actually WILL stop penetration attempts. There's no reason NOT to do it. And for any kind of security, that's precisely what you need.
The warm fuzzy feeling you get with a NAT box, because you're ignorant of how easy they are to bypass, won't stop your computers from being turned into zombies.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
You can, but you have to install autopatcher first (I would imagine on the build that you're going to create the "nLitened" install disk), then navigate to the program directory and manually copy the hotfixes (which are in individual folders for each hotfix...) to a suitable single directory location. It will be much easier with this script, though - as they will already be in one location.
You can also add whatever application you want to the $OEM$ folder and create a batch to run them on first boot, but you'll most likely have to remove some of the components from the original cd if you want to put a few things on there (languages and keyboard layouts are best - you'll get about 80 MB). You can of course use one of the presets, but I wouldn't recommend this. I used the "safe" preset once, added my drivers and hotfixes and it removed my IDE drivers - so even though it installed from cd, when I booted into Windows (I only have SCSI and SATA HDs), I had no CD/DVD drives!!!
One of the things that has been putting me off from trying Boot Camp is that I have to re-purchase Windows XP to get it with SP2 on the disc (the machine I used this copy on has been decomissioned for now and I haven't built a replacement). I'm wondering if doing this would produce a disc that would work with Boot Camp or Parallels?
Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
XP service pack 3 and Vista SP1 Beta can be downloaded here then installed offline. Remember to choose the "alternate install" ISO.
:%s:work:/.:g