Automatic Updates

How does one know that an automatic update that pops up
with the icon at the bottom right of the screen is a
genuine Microsoft update and not some intruder with a
harmful update?

Chuck
Sun Nov 30 15:33:11 CST 2003

On Sun, 30 Nov 2003 04:17:00 -0800, "Louis Cabot" <louicabot@aol.com>
wrote:

>How does one know that an automatic update that pops up
>with the icon at the bottom right of the screen is a
>genuine Microsoft update and not some intruder with a
>harmful update?

Louis,

The automatic update agent is itself a Microsoft product, and will
only get genuine Microsoft updates. We hope. Surely if update
spoofing becomes a possibility, Microsoft will fix that right fast.
;)

That said, you do need to ensure that the automatic update you see on
your computer IS the Microsoft product. Know every application and
service running on your computer. Checking for malware of all kinds
should be as routine to you as checking for viruses. I regularly use
AdAware, HijackThis, and Spybot S&D, all of which are free.
AdAware: <http://www.lavasoft.de/software/adaware/>
HijackThis / Spybot
<http://forums.spywareinfo.com/index.php?showtopic=5187>

If you want to be more secure, disable the Microsoft automatic update
agent (System Properties - Automatic Updates - Select "Turn off
automatic updating"). Use their website
<http://windowsupdate.microsoft.com> regularly to check manually for
what needs to be updated. Read the descriptions of the recommended
updates. Read independent analyses of the updates. Be an informed
Microsoft customer.

Cheers,

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.

Bill
Tue Dec 02 00:49:53 CST 2003

"Chuck" <none@example.com> wrote in message
news:oanksvo0guaia2o3v2v16h6vrn47kisgg9@4ax.com...
>
> If you want to be more secure, disable the Microsoft automatic update
> agent (System Properties - Automatic Updates - Select "Turn off
> automatic updating"). Use their website
> <http://windowsupdate.microsoft.com> regularly to check manually for
> what needs to be updated. Read the descriptions of the recommended
> updates. Read independent analyses of the updates. Be an informed
> Microsoft customer.

Just to be a devil's advocate: I'm not sure this is more secure. Surely
there are myriad opportunities here for errors or re-direction. Suppose he
goes to http://windowsupdate.mircosoft.com ?

The auto-update process is carefully designed to be secure--I'd trust it
until you here of a test that indicates a vulnerability.

Karl
Tue Dec 02 05:55:05 CST 2003


"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
news:#KmYxBKuDHA.3196@TK2MSFTNGP11.phx.gbl...

> The auto-update process is carefully designed to be secure--I'd trust it
> until you here of a test that indicates a vulnerability.

I disagree. Unless I'm mistaken, I can think of a number of potential
problems that affect all three methods of downloading patches being
discussed here as well as web browsing in general.

My answer would be that Automatic Updates is just as secure [or insecure] as
any other method of downloading patches, and that while there is a small
theoretical risk, you're better off worrying about other more likely threats
to your computer. In the meantime, I'm not aware of any way to easily
validate patches or pop-up windows you receive through Automatic Updates.

Microsoft, this would be a good future enhancement for SUS / WU.

Chuck
Tue Dec 02 10:10:12 CST 2003

On Tue, 2 Dec 2003 01:49:53 -0500, "Bill Sanderson"
<Bill_Sanderson@msn.com.plugh.org> wrote:

>"Chuck" <none@example.com> wrote in message
>news:oanksvo0guaia2o3v2v16h6vrn47kisgg9@4ax.com...
>>
>> If you want to be more secure, disable the Microsoft automatic update
>> agent (System Properties - Automatic Updates - Select "Turn off
>> automatic updating"). Use their website
>> <http://windowsupdate.microsoft.com> regularly to check manually for
>> what needs to be updated. Read the descriptions of the recommended
>> updates. Read independent analyses of the updates. Be an informed
>> Microsoft customer.
>
>Just to be a devil's advocate: I'm not sure this is more secure. Surely
>there are myriad opportunities here for errors or re-direction. Suppose he
>goes to http://windowsupdate.mircosoft.com ?
>
>The auto-update process is carefully designed to be secure--I'd trust it
>until you here of a test that indicates a vulnerability.

I think you misread my comments. I am sure that the automated update
process is very secure - Microsoft has their reputation riding on it.
Though I'd bet that there's a hacker or two out there trying to find a
way to use it - talk about a fox in the henhouse.

I advocated using the manual update process simply because I recommend
knowing what changes are made to your computer - not just trusting M$
blindly.

Obviously Microsoft can't setup a domain name for every possible
variant of "microsoft". Or can they? If you key the name wrong,
you're fair game. Google doesn't get your traffic if you type
"googlle" either.

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.

Bill
Tue Dec 02 17:19:07 CST 2003

"Chuck" <none@example.com> wrote in message
news:e1dpsvgtj1os5tnr9shosmo06e7877iaij@4ax.com...
> On Tue, 2 Dec 2003 01:49:53 -0500, "Bill Sanderson"
> <Bill_Sanderson@msn.com.plugh.org> wrote:
>
> >"Chuck" <none@example.com> wrote in message
> >news:oanksvo0guaia2o3v2v16h6vrn47kisgg9@4ax.com...
> >>
> >> If you want to be more secure, disable the Microsoft automatic update
> >> agent (System Properties - Automatic Updates - Select "Turn off
> >> automatic updating"). Use their website
> >> <http://windowsupdate.microsoft.com> regularly to check manually for
> >> what needs to be updated. Read the descriptions of the recommended
> >> updates. Read independent analyses of the updates. Be an informed
> >> Microsoft customer.
> >
> >Just to be a devil's advocate: I'm not sure this is more secure. Surely
> >there are myriad opportunities here for errors or re-direction. Suppose
he
> >goes to http://windowsupdate.mircosoft.com ?
> >
> >The auto-update process is carefully designed to be secure--I'd trust it
> >until you here of a test that indicates a vulnerability.
>
> I think you misread my comments. I am sure that the automated update
> process is very secure - Microsoft has their reputation riding on it.
> Though I'd bet that there's a hacker or two out there trying to find a
> way to use it - talk about a fox in the henhouse.
>
> I advocated using the manual update process simply because I recommend
> knowing what changes are made to your computer - not just trusting M$
> blindly.
>
> Obviously Microsoft can't setup a domain name for every possible
> variant of "microsoft". Or can they? If you key the name wrong,
> you're fair game. Google doesn't get your traffic if you type
> "googlle" either.
>
> Chuck
> I hate spam - PLEASE get rid of the spam before emailing me!
> Paranoia comes from experience - and is not necessarily a bad thing.

I'm in full agreement with the necessity of becoming an informed customer
and user of your software and hardware.

I can't agree that turning off AutoUpdate and depending on regular checking
of WindowsUpdate makes you more secure. Although routine security updates
are now scheduled for second Tuesdays of each month, it may well be the
non-routine release that is crucial to a given customer--and if that comes
more quickly through auto-update, that customer is better served.

Of course this choice may well differ for a server administrator versus a
home user.

Bill
Tue Dec 02 17:23:41 CST 2003

"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:%23P%23v%23qMuDHA.560@TK2MSFTNGP11.phx.gbl...
>
> My answer would be that Automatic Updates is just as secure [or insecure]
as
> any other method of downloading patches, and that while there is a small
> theoretical risk, you're better off worrying about other more likely
threats
> to your computer. In the meantime, I'm not aware of any way to easily
> validate patches or pop-up windows you receive through Automatic Updates.
>
> Microsoft, this would be a good future enhancement for SUS / WU.
>
We ought to have this discussion with Microsoft at some point. My
understanding is that the patches themselves are validated in a number of
ways which I can't spout the technical details of. As to validating the
alert notification dialogs, I agree that this is a detail which might be
improved on--the way to do this now is to note the name and details of the
proposed downloads or installs, and check them out directly via
http://www.microsoft.com/technet/security I'm not sure how to do this
"right", though.