R. Fink | These patches are being pushed too far

The Packet Rat | Commentary: Pushing through patches without notifying systems administrators? The paranoia strikes deep


The Rat was shocked, shocked to learn that Microsoft had
apparently designed the Windows update service so that it could
force patches to be installed without the user authorizing
them.


“Now I know what all that fine print in the end-user
license agreement is for,” he snickered as he and his systems
management team went through patch logs with a fine-toothed comb.
Microsoft’s update service is normally turned off on most
enterprise desktops, so administrators can control when the fixes
occur. And even on systems with the service turned on, Windows
Update can be configured to ask permission before installing
patches.


But now, word is sweeping across the Internet that Microsoft pushed
past such roadblocks on some computers and installed new software
without getting permission. Although there wasn’t any proof
of damage done by patches Microsoft had force-fed users —
they were in fact patches to the update system itself — the
revelation, which came out of the Windows Secrets newsletter, drove
many into a tizzy because of the potential power it gives Microsoft
over deployed computers outside of the usual patch-testing process.

Given how much testing the Rat does on patches before he lets
them be rolled out to his desktop PCs, the news from the Windows
Secrets newsletter got him all wound up, too, even though
he’s suspected that Microsoft had built in back channels to
push in fixes ever since he first heard of Windows Genuine
Advantage.


The patch, according to Microsoft, was a “consumer
only” release, and it didn’t show up in the Rat’s
logs. But the question remains whether Microsoft has done similar
hardwiring of Windows Update in the Professional edition of Windows
XP and the Business and Enterprise versions of Vista. And that, of
course, makes him wonder if someone else could hack that back
door.


“Oh, now who’s spreading Fear, Uncertainty and
Doubt?” his Windows sysadmin asked him as he floated that
theory.


The cyberrodent smiled. “Well, even if it’s only
Microsoft that controls that back door, what makes that OK? I mean,
how do I certify my network as safe if someone in Redmond could
nuke all my desktops on a whim?”


The Windows guy cocked his head. “But they wouldn’t
do that.”


The Rat cackled. “Maybe not on purpose. There was that
patch three years ago that made some Windows 2000 machines seize
up, though. But I’m certain that all Microsoft’s
mistakes are well-intentioned ones.”


Leaving his sysadmins to study that particular thought
experiment, the wirebiter wandered off to see if he could find any
more security concerns to get people to panic about.
“Hmmm,” he thought as he made his way down the hall,
“this Second Life vulnerability in Internet Explorer should
get a rise out of some people in Human Factors…”


