From: "Joe Barr" 




Date:   Wed, 14 May 2003 16:42:10 -0400 Reply-To:   Windows NTBugtraq
Mailing List  Sender:   Windows
NTBugtraq Mailing List  From:   Russ

Subject:   Windows Update is a dog, again! Content-Type:   text/plain;
charset="iso-8859-1"


Well, looks like Windows Update has once again shown how untrustworthy
Microsoft can be. For at least the past several days Windows Update has
been providing consumers with false information. WU users would connect,
initiate the scan, the scan would complete and inform the user their system
needed no patches. Wonderful, a clean bill of health, or so the consumer
thought.

In reality, some flaw in the Windows Update process has led it to conclude
that a system, in need of critical security patches, is instead clean and
good to go on the Internet. In other words, if the security check fails,
tell consumers they're just fine and don't need anything.

It's good that we don't need elaborate checklists and voodoo mojo security
tools to check our systems; we only have to make a quick visit to Windows
Update to be sure. Finally, with the introduction of Automatic Updates, we
no longer even need to make that visit manually, we can trust that
Microsoft will supply us with a properly tested security patch within 24
hours and patch our systems for us (unless we're running Windows XP and got
MS03-013 when it was released to WU.)

A year ago I complained about Windows Update, with its registry only
checking and myriad other problems. At the time Microsoft was distributing
Shavlik's HFNetchk, and so at least with tools from Microsoft we could see
the error of Windows Update's ways. That cry of disgust caused Microsoft to
yank HFNetchk, because they hadn't licensed it and didn't have a formal
agreement for its promotion. "Consumers be damned, make darn sure
they're not getting conflicting information from us" seemed to be the
rallying cry at Microsoft.

I questioned the Trustworthy Computing Initiative's value then because of
that debacle. When asked by the media at the new year how I felt the
Trustworthy Computing Initiative had progressed, I gave it an
"F", or failing grade. Some wondered why, and pointed to things
which the public hadn't seen as justification for TCI's benefits. Seems too
many never bothered to read Bill Gates' memo. They failed to grasp the fact
that TCI was in response to a public perception that Microsoft was not
sufficiently trustworthy.

Has Microsoft done anything to change that perception? No, absolutely not I
say! (emphatically)



Read the rest at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0305&
L=ntbugtraq&F=P&S=&P=4505




--

--- BBBS/NT v4.01 Flag-4