Microsoft distributes free CDs in Japan to patch Windows
As some of you know, the standard Microsoft OS distribution sold in stores on CD is a year or so old, and doesn't include any recent patches. You needed to download recent patches from Microsoft's web site. Unfortunately, with the latest round of worms, Windows doesn't survive on the net long enough to download patches.

In Japan, Microsoft will be distributing "free" CDs with patches through its distribution channels, electrical appliance and personal computer shops. The anti-virus vendors are apparently packaging their wares along with the Microsoft patches. Symantec and Trend will be the first. Symantec is distributing 15,000 CDs on Wednesday, and Trend Micro is distributing 10,000 CDs on Thursday.

http://www.japantimes.co.jp/cgi-bin/getarticle.pl5?nn20030823b2.htm

No word if Microsoft will be distributing any patch CDs in the USA. However, many universities have created their own CDs for students moving into dorms. It is the start of the school year in North America, and high speed network connections and new unpatched Microsoft Windows on computers are a bad combination.
Sean Donelan wrote:
As some of you know, the standard Microsoft OS distribution sold in stores on CD is a year or so old, and doesn't include any recent patches. You needed to download recent patches from Microsoft's web site. Unfortunately, with the latest round of worms, Windows doesn't survive on the net long enough to download patches.
Which is why Microsoft should issue a software equivalent of a recall. Systems shouldn't be sold vulnerable without at least a patch CD. -Jack
On Mon, 25 Aug 2003 08:35:43 CDT, Jack Bates <jbates@brightok.net> said:
Which is why Microsoft should issue a software equivalent of a recall. Systems shouldn't be sold vulnerable without at least a patch CD.
The problem is that you need to look at the sum of (lead time) + (time patch CD spent on shelf). Given a lead time of 4-6 weeks, and sitting on the shelf for 2-3 weeks... and suddenly you're looking at a 2 month old patch CD. Now take a look at the last few years' Microsoft advisories, and ask yourself: What percent of the time was the *last* remote-exploitable major hole more than 2 months old?

And getting the lead time down to 4-6 weeks would be a challenge - remember you have to *ship* the re-mastered patch CD to every retailer and get it on the shelves. That's going to hit your bottom line. And keep in mind that Microsoft doesn't have to answer to its customers, it has to answer to its shareholders. As long as security problems don't affect its bottom line, we're not going to see any change at all.
In article <3F4A10AF.7080903@brightok.net>, Jack Bates <jbates@brightok.net> writes
Which is why Microsoft should issue a software equivalent of a recall. Systems shouldn't be sold vulnerable without at least a patch CD.
Perhaps Windows could be delivered complete with a package whose function was to firewall off everything except the update site (or maybe employ some kind of VPN), and deny a more general Internet connection, until sufficient updates had been downloaded?

The next step would be to find a secure way for Microsoft to turn that firewall back on again remotely, if a sufficiently serious update was required. (This could cause havoc if misused, so some care would be needed!)

Meanwhile, in the UK it's commonplace to buy monthly computer titles with a CD (of useful shareware and demos) mounted on the cover. If these don't already include the most recent Microsoft patches, perhaps they should. -- Roland Perry
Hmm, and how would you protect the remote controlled MS firewall software from:
1. Vulnerabilities itself since MS is building it?
2. the "remote control" being hijacked by someone besides MS?
2a. Hey I'd love to be able to shut folks that were killing my network off until they update, but is it my right?

Thanks, Pablo

On Mon, 2003-08-25 at 10:08, Roland Perry wrote:
In article <3F4A10AF.7080903@brightok.net>, Jack Bates <jbates@brightok.net> writes
Which is why Microsoft should issue a software equivalent of a recall. Systems shouldn't be sold vulnerable without at least a patch CD.
Perhaps Windows could be delivered complete with a package whose function was to firewall off everything except the update site (or maybe employ some kind of VPN), and deny a more general Internet connection, until sufficient updates had been downloaded?
The next step would be to find a secure way for Microsoft to turn that firewall back on again remotely, if a sufficiently serious update was required. (This could cause havoc if misused, so some care would be needed!)
Meanwhile, in the UK it's commonplace to buy monthly computer titles with a CD (of useful shareware and demos) mounted on the cover. If these don't already include the most recent Microsoft patches, perhaps they should.

-- Paul A Bradford, Senior Network Engineer, Adelphia Cable Communications, 814-274-1353
In article <3F4A2914.6000103@brightok.net>, Jack Bates <jbates@brightok.net> writes
Automatic cutoff until update check every 7 days?
That's the sort of thing, although I'd make different rules for different types of connection. From broadband users who can do it daily, to those connected by mobile phone (who are of no practical use to these virus/worm writers anyway) whenever they next get at least 28.8K. -- Roland Perry
In article <1061823669.17113.3.camel@aiden.noc.adelphia.net>, Paul A. Bradford <paul.bradford@adelphia.com> writes
Hmm, and how would you protect the remote controlled MS firewall software from:
1. Vulnerabilities itself since MS is building it?
2. the "remote control" being hijacked by someone besides MS?
2a. Hey I'd love to be able to shut folks that were killing my network off until they update, but is it my right?
It's not that different from (my perception of) the current technology used for XP Activation. Presumably an unactivated XP is prevented from accessing the Internet (as well as being prevented from doing all the other normal user things), but is still capable of accessing the activation server. And is the mechanism of a hypothetical remote de-activation very far from what I was suggesting (maybe as a sort of "ask the activation server for permission" at regular intervals)? Are there any "XP activation" exploits yet? -- Roland Perry
Are there any "XP activation" exploits yet?
who knows, i'm losing track of all the different exploits, worms, viruses etc floating around at the moment.. what's up, did all the script kiddies find themselves with too much time on their hands over summer breaks? my perception of the past couple of weeks is that they are the busiest that i've ever seen for abuse activity (including filtering our own traffic and getting customers to fix their broken machines). and yet i'm seeing nothing in the way of media interest etc, when melissa came out a couple years ago it was on the news for a week.. did they get bored of covering "yet another computer virus" ? Steve
In article <Pine.LNX.4.44.0308251657520.26400-100000@MrServer>, Stephen J. Wilcox <steve@telecomplete.co.uk> writes
my perception of the past couple of weeks is that they are the busiest that i've ever seen for abuse activity (including filtering our own traffic and getting customers to fix their broken machines). and yet i'm seeing nothing in the way of media interest etc, when melissa came out a couple years ago it was on the news for a week.. did they get bored of covering "yet another computer virus" ?
That's because things only (normally) get in the news if there's someone trying very hard to get it in the news. They will often have their own agenda. At the same time there are people paid large sums to make sure certain things *don't* get in the news. And then you have to factor in how hungry the media are for something extra to stop the adverts from bumping into one another [1]. Therefore reality, and "what's in the news", are rarely the same.

[1] A couple of weeks ago, the only, and I mean *only* story, reported by many USA news stations was the blackouts. Nothing else got a look-in.

-- Roland Perry
On Mon, Aug 25, 2003 at 11:50:10AM -0400, Roland Perry wrote:
In article <1061823669.17113.3.camel@aiden.noc.adelphia.net>, Paul A. Bradford <paul.bradford@adelphia.com> writes
Hmm, and how would you protect the remote controlled MS firewall software from:
1. Vulnerabilities itself since MS is building it?
2. the "remote control" being hijacked by someone besides MS?
2a. Hey I'd love to be able to shut folks that were killing my network off until they update, but is it my right?
It's not that different from (my perception of) the current technology used for XP Activation. Presumably an unactivated XP is prevented from accessing the Internet (as well as being prevented from doing all the other normal user things), but is still capable of accessing the activation server. And is the mechanism of a hypothetical remote de-activation very far from what I was suggesting (maybe as a sort of "ask the activation server for permission" at regular intervals)?
You can access the Internet with an unactivated copy of XP for 30 days before it shuts off on you. You can do normal user things with an unactivated copy for 30 days before it shuts off on you. MS doesn't do remote deactivation, just timed deactivation.

Theoretically it could be possible, but with all the filter-happy people around today who are spooked by packets from Windows machines they don't understand, they might end up filtering off something like oh say...Windows Update, causing unreachability and tons of support calls to Microsoft. Believe me, no matter how much you charge, no one likes support calls, not even Microsoft at whatever obscene rate it is per pop. Why do you think XP now comes with 'Remote Assistance' so a friend can help you instead of having to call Microsoft?

Also, perhaps Microsoft put that high per-call rate into play to SLOW DOWN the amount of calls they were getting, not because "Bill Gates is greedy". Hey, NetZero did it too. Let me stop before I get completely off-topic. Another rant, another day.
Also, perhaps Microsoft put that high per-call rate into play to SLOW DOWN the amount of calls they were getting, not because "Bill Gates is greedy".
Microsoft isn't charging for support calls regarding the worm & patching problems. It's free to anybody who calls.

- Robbie

-- Robbie Foust, IT Analyst, Systems and Core Services, Duke University
On Mon, Aug 25, 2003 at 03:15:06PM -0400, Robbie Foust wrote:
Also, perhaps Microsoft put that high per-call rate into play to SLOW DOWN the amount of calls they were getting, not because "Bill Gates is greedy".
This was a theory, not an interpretation.
Microsoft isn't charging for support calls regarding the worm & patching problems. It's free to anybody who calls.
I was not talking about the worm, this was in regards to an automatic deactivation/activation system based on patches applied, that can and will break due to improper filtering resulting in a higher call rate to Microsoft.
Microsoft has a task scheduler that people should learn to use to remind them to check for updates to make sure their patches are current. It is located in the control panel and labeled Scheduled Tasks, and has an Add Scheduled Tasks icon to add update. FYI

-Henry

Jack Bates <jbates@brightok.net> wrote:

Sean Donelan wrote:
As some of you know, the standard Microsoft OS distribution sold in stores on CD is a year or so old, and doesn't include any recent patches. You needed to download recent patches from Microsoft's web site. Unfortunately, with the latest round of worms, Windows doesn't survive on the net long enough to download patches.
Which is why Microsoft should issue a software equivalent of a recall. Systems shouldn't be sold vulnerable without at least a patch CD. -Jack
Henry Linneweh wrote:
Microsoft has a task scheduler that people should learn to use to remind them to check for updates to make sure their patches are current. It is located in the control panel and labeled Scheduled Tasks, and has an Add Scheduled Tasks icon to add update. FYI
And that helps a fresh store-bought computer how? It'll be infected before it can even download the first initial patches. -Jack
At 05:02 PM 8/25/2003, Jack Bates wrote:
Henry Linneweh wrote:
Microsoft has a task scheduler that people should learn to use to remind them to check for updates to make sure their patches are current. It is located in the control panel and labeled Scheduled Tasks, and has an Add Scheduled Tasks icon to add update. FYI
And that helps a fresh store-bought computer how? It'll be infected before it can even download the first initial patches.
Purchase of a $60 NAT/router and insertion of that between computer and cable modem deters this type of attack, and allows the user the chance to download patches. So does enabling the firewall feature Microsoft put into XP, but didn't enable (and have now decided to enable).
On Mon, 25 Aug 2003 13:57:44 PDT, Henry Linneweh <hrlinneweh@sbcglobal.net> said:
Microsoft has a task scheduler that people should learn to use to remind them to check for updates to make sure their patches are current. It is located in the control panel and labeled Scheduled Tasks, and has an Add Scheduled Tasks icon to add update. FYI
"It's Tuesday, time to download patches. Please connect to the Internet to download any critical patches. Estimated download Time: 25 minutes. Estimated Probe frequency: 5 minutes" A good idea, but needs work. :)
On Mon, 25 Aug 2003, Henry Linneweh wrote:
Microsoft has a task scheduler that people should learn to use to remind them to check for updates to make sure their patches are current. It is located in the control panel and labeled Scheduled Tasks, and has an Add Scheduled Tasks icon to add update. FYI
As I read that, I wondered why it is that I haven't patched any of my windows systems if it was just as simple as reminding myself to do so. It occurred to me that I just simply don't trust Microsoft to properly patch my systems. I keep all things Windows behind firewalls of different types at all times. So far it has proved to be an effective solution. I don't trust Microsoft to get the patch right, not arbitrarily delete my data, or change my machine in some unexpected fashion that I will not approve of. Granted, neither I nor most people on this list are the average Joe PC user, but I can't imagine I'm alone.

There are deeper fundamental problems here. Software quality and security has been thoroughly beat to death, but will not improve in the near future. The trust issue that I just mentioned is another. These problems and dependence on a single corporate closed source entity will get people killed if they haven't already. These issues put our country at risk. I was none too plussed to see the monitors as my wife delivered our first were all windows based.

Windows in the financial industry
http://www.theinquirer.net/?article=11130

Windows in the NAVY
http://www.gcn.com/archives/gcn/1998/july13/cov2.htm

Windows in healthcare
http://www.microsoft.com/resources/casestudies/CaseStudy.asp?CaseStudyID=131...

It all scares the hell out of me.

andy

-- PGP Key Available at http://www.tigerteam.net/andy/pgp
On Mon, Aug 25, 2003 at 06:03:15PM -0500, Andy Walden wrote:
I don't trust Microsoft to get the patch right, not arbitrarily delete my data, or change my machine in some unexpected fashion that I will not approve of. Granted, I, nor are most people on this list, the average Joe PC user, but I can't imagine I'm alone.
I've been patching for years, only had one problem applying SP4 on Windows 2000, but I shrugged that off as some random problem because I didn't install that machine. I reinstalled Windows 2000 and reapplied SP4 with no problems. *shrug*
participants (11)
- Andy Walden
- Daniel Senie
- Henry Linneweh
- Jack Bates
- Omachonu Ogali
- Paul A. Bradford
- Robbie Foust
- Roland Perry
- Sean Donelan
- Stephen J. Wilcox
- Valdis.Kletnieks@vt.edu