Confirmation of stealth Windows Update

[stash]

Patches aren't perfect, NO software is, let's be clear about that. Patches can only work so long for so good before you need to plug the hole again. So instead of sticking a band aid on a wound over and over again, trying to fix the problem, get at the root instead!

This is why the term "patches" is a poor choice to describe security updates. Most of the time, they DO fix the root problem rather than being a temporary fix. Usually mitigations for known vulnerabilities are more analogous to a patch, since they are ways to avoid getting exploited in the absense of a fix.

With what I know, what I do, I can do the things I do. NOW did I say that was for everyone? NO.

Ever hear of the phrase "do as I say, not as I do"? This is essentially what you are telling your clients; you are saying you know better than them, so you don't need the security updates. You probably DO know better than them, but that doesn't mean you shouldn't install security updates. One's knowledge and the need to apply security fixes are not mutally exclusive. Every security expert worth anything practices secure computing, which is basically what you are describing. But they also install security updates.

Yes, you can get burned by a fix that causes other problems. This is why you test. Microsoft spends a LOT of time testing updates before they are released in the wild, but there are far too many combinations of software and hardware out there for them to catch every possible regression.

 

[DasFox]

Originally posted by: stash

Patches aren't perfect, NO software is, let's be clear about that. Patches can only work so long for so good before you need to plug the hole again. So instead of sticking a band aid on a wound over and over again, trying to fix the problem, get at the root instead!

This is why the term "patches" is a poor choice to describe security updates. Most of the time, they DO fix the root problem rather than being a temporary fix. Usually mitigations for known vulnerabilities are more analogous to a patch, since they are ways to avoid getting exploited in the absense of a fix.

With what I know, what I do, I can do the things I do. NOW did I say that was for everyone? NO.

Ever hear of the phrase "do as I say, not as I do"? This is essentially what you are telling your clients; you are saying you know better than them, so you don't need the security updates. You probably DO know better than them, but that doesn't mean you shouldn't install security updates. One's knowledge and the need to apply security fixes are not mutally exclusive. Every security expert worth anything practices secure computing, which is basically what you are describing. But they also install security updates.

Yes, you can get burned by a fix that causes other problems. This is why you test. Microsoft spends a LOT of time testing updates before they are released in the wild, but there are far too many combinations of software and hardware out there for them to catch every possible regression.

I don't tell clients anything, I'd never teach them what I do, it can't be done, that would be like wrapping up years of experience into 5mins., and try to explain to them everything to make this work, it can't be done. With customers it should always be done by the book, for the most part that is.

I always practice safe computing, I just happened to of learned some tricks along the way, and I don't have to take the path that most people typically follow to accomplish this, that's all, and I'm just as safe as everyone else. I always practice safe computing. There is more then one way to it, there is no single method to achieve this. Safe computing compromises more then one measure to achieve it.

PEACE

 

[Smilin]

Originally posted by: MaxDepth
Jesus, people. Learn to read. I didn't say we have our clients with the updates turned off, on, or disabled. I just said that when they didn't reveal a patch (look up the word, "surreptitiously") and we heard of it, we had to ensure that even with the updates disabled we still had to test to see if Microsoft had a way around that.

If AU is off then MS does not update your machine (surreptitiously or otherwise...thanks for explaining that big word to me :roll. If AU is on then AU updates will download automatically. It's right there in the dialog where you enable AU. You don't need to do any testing...just do that "Learn to read" thing you mentioned.

Also. to block all traffic from Microsoft is just as retarded as we have some pre-approved and accepted IP traffic with them already. Also, not having any Internet access at all is really quite stupid when you think about it. We have several firewalls in place as well as network monitoring at the packet level. This is not your company you run from your parent's basement.

Basically, the lesson we took from this is what can we really accept from Microsoft as being absolute?

Despite some nutbag bloggers getting all up in arms about this, MS did what they said, and said what they did. Do what you wish.

Learn to admin...gee, your momma raised a bright one didn't she?

Yep. Pretty bright I hear. Her good raisin' landed me a job at one of them thar big ole software companies. Looks like your momma raised a condescending one.

 

[MaxDepth]

If AU is off then there wouldn't be a confirmed "stealth Windows Update." Off is off, right? If I turn off the water faucet, I expect to come back at some later point and expect to not see any water in the sink or my faucet changed. That's the point here. Are you telling me that everyone else is wrong and you're the only one that's right? New word for you to look up: incredulous.

Originally posted by: Smilin
If AU is off then MS does not update your machine (surreptitiously or otherwise...thanks for explaining that big word to me :roll. If AU is on then AU updates will download automatically. It's right there in the dialog where you enable AU. You don't need to do any testing...just do that "Learn to read" thing you mentioned.

Yep. Pretty bright I hear. Her good raisin' landed me a job at one of them thar big ole software companies. Looks like your momma raised a condescending one.

Same here. However, I left IBM to join a $1 billion start-up because I am very bright. She didn't raise me to be condescending, just arrogant.

 

[Smilin]

Originally posted by: MaxDepth
If AU is off then there wouldn't be a confirmed "stealth Windows Update." Off is off, right?

YES! Exactly.

If AU is OFF then NOTHING is downloaded.

You understand now! Yay!

If I turn off the water faucet, I expect to come back at some later point and expect to not see any water in the sink or my faucet changed. That's the point here. Are you telling me that everyone else is wrong and you're the only one that's right? New word for you to look up: incredulous.

No, there are several other people here that are also right. You just aren't listening to any of them.

If we're going to do stupid analogies I prefer ones with cars but I'll roll with it for a little while...

Yes, if you turn off both your water faucet and AU and come back later you will find: No water in your sink and no updates on your computer.

Are we done now? We're now 4 pages later rehashing the same thing that was posted in the very first reply in this whole thread.

Originally posted by: Smilin
If AU is off then MS does not update your machine (surreptitiously or otherwise...thanks for explaining that big word to me :roll. If AU is on then AU updates will download automatically. It's right there in the dialog where you enable AU. You don't need to do any testing...just do that "Learn to read" thing you mentioned.

Yep. Pretty bright I hear. Her good raisin' landed me a job at one of them thar big ole software companies. Looks like your momma raised a condescending one.

Same here. However, I left IBM to join a $1 billion start-up because I am very bright. She didn't raise me to be condescending, just arrogant.

If you can't get a concept as simple as this you better cling to that job for your life because you aren't as bright as your arrogance leads you to believe.

 

[MaxDepth]

Wow, Smilin, you're an ass.

 

[SoundTheSurrender]

You guys are a bunch of Sallys for throwing names at each other arguing about how to admin right.

 

[DasFox]

So is this over with, we don't have to worry anymore about more Stealth updates?

THANKS

 

[stash]

If you're asking if the Windows Update client will continue to be updated in the same fashion that it has for several years, the answer is yes.

 

[DasFox]

Originally posted by: stash
If you're asking if the Windows Update client will continue to be updated in the same fashion that it has for several years, the answer is yes.

Well I'm asking if there are going to be anymore mysterious files added without our knowledge, I thought that was the point of this discussion, files being updated that the end-user was not aware about?

 

[MrChad]

Originally posted by: DasFox

Originally posted by: stash
If you're asking if the Windows Update client will continue to be updated in the same fashion that it has for several years, the answer is yes.

Well I'm asking if there are going to be anymore mysterious files added without our knowledge, I thought that was the point of this discussion, files being updated that the end-user was not aware about?

If you do not have Automatic Updates explicitly disabled, then the Automatic Update client will be updated automatically without any prompt or warning. This is exactly what the control panel applet tells you:

Turning on Automatic Updates may automatically update Windows Update software first, before any other updates

If you have Automatic Updates disabled, there should be no automatic "stealth" updates to the AU client.

 

[stash]

Well I'm asking if there are going to be anymore mysterious files added without our knowledge, I thought that was the point of this discussion, files being updated that the end-user was not aware about?

As discussed in the thread ad naseum, AU does not do anything without your knowledge. Which is what I said in the very first reply to this thread.

 

[DasFox]

Ok sorry I forgot what was causing the problems, I just thought if you did an update, even by clicking in the start menu and running the "Windows Update" going to MS and doing an update some things were being sneeked in.

So this was ONLY a problem when doing the Automatic Updates?

THANKS

 

[Nothinman]

So this was ONLY a problem when doing the Automatic Updates?

Currently.

 

[DasFox]

Originally posted by: Nothinman

So this was ONLY a problem when doing the Automatic Updates?

Currently.

Ok I've always kept it off...

THANKS