From: Eric (ews TELLURIAN.NET)
Date: Tue May 01 2001 - 19:16:30 CDT

Let's kill this rumor right now. There are no plans from Microsoft to
automatically patch remote systems in a realtime update mode.

Microsoft has released an XML database containing information about
security patches and hotfixes. Microsoft also makes available the
OfficeUpdate and WindowsUpdate sites that will evaluate your local system
to determine which patches are needed on your system. The Update sites are
database driven, and are only updated with new data every three weeks or
so. This means that a new patch might take as long as five weeks between
the time a patch is released to the world, and it appears on WindowsUpdate
(the patch is tested for the Update site, and is then queued to be posted
in the next cycle - if the patch is released too soon to a new update, it
has to wait for the next update, and this could be up to five weeks.)

WindowsUpdate does not contain Server fixes (IIS, FP, etc.) It contains
only those fixes that are usually required for a home user. Sometimes not
all home user fixes are included in WindowsUpdate.

For those that are concerned about security - they should be subscribed to
the security notification mailing list from MS, and/or should be checking
the security bulletin website
(www.microsoft.com/technet/security/current.asp) for their products of
choice, and should install the patches from the patch links in the
bulletins. Don't rely upon WindowsUpdate to give you the latest and
greatest security fixes. Spend the time to research the issues and apply
the patches from the web page above.

At 10:04 AM 5/1/2001 +0100, Pybus, David wrote:
>There is no way I would allow Microsoft or any other vendor to apply
>realtime updates to my systems. The consequences could be disastrous.
>Supposing the system elected to apply a patch that broke a piece of bespoke
>software, I would probably have discovered this in non-production machine
>testing - I would like to know how a realtime system would have figured this
>out. If this is genuinely what Microsoft is going for I would like to know
>what their market drivers for such functionality are.
>
>The other risk would be if someone compromised a machine responsible for
>issuing these realtime updates. The machine could then be used to upload a
>backdoor onto every system that trusted this machine for its realtime
>updates. If the hacker was really cute then they could just leave it for a
>few hours compromise enough machines out on the net and then remove all
>trace that they had ever been there.
>
>Zones of trust are a dangerous thing if not treated with due respect.
>
>David Pybus
>
>-----Original Message-----
>From: M. Burnett [mailto:mburnett XATO.NET]
>Sent: 30 April 2001 22:23
>To: FOCUS-MS SECURITYFOCUS.COM
>Subject: Re: [FOCUS-MS] Windows Update and Hot fixes
>
>
>Although many of the hotfixes appear on Windows update, we have found a
>number of them that have not made it there in the past. Furthermore, there
>are some things such as the FrontPage server extensions updates that never
>seem to make it there. Microsoft's response to us was that not all updates
>should be installed in every case, although it seems that they are moving
>away from that strategy.
>
>Eventually Windows update will be going to an entirely new realtime system
>based on a central XML file that will include updates, hotfixes, and vendor
>drivers.
>
>For now I would use both the www.microsoft.com/technet/security and
>download.microsoft.com sites to keep up with hotfixes and other updates.
>Then after installing everything, jump over to Windows Update to see if
>anything else was missed.
>
>M. Burnett
>Xato Network Security
>www.xato.net
>
>
>
> > -----Original Message-----
> > From: Focus on Microsoft Mailing List
> > [mailto:FOCUS-MS SECURITYFOCUS.COM]On Behalf Of Kevin Brown
> > Sent: Sunday, April 29, 2001 9:10 PM
> > To: FOCUS-MS SECURITYFOCUS.COM
> > Subject: Windows Update and Hot fixes
> >
> >
> > Are the most recent hot fixes included on the Windows Update site, or do
> > they need to be downloaded separately? My question is for both NT 4 and
> > Win2K. Thanks.
> >
> > Brownfox
>
>