No more Active X in Windows Update
Results 1 to 9 of 9

Thread: No more Active X in Windows Update

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884

    No more Active X in Windows Update?

    Today I had quite a scare. My end users asked when we started allowing Active X through the firewall. As you can image, I nearly dropped a pile on the spot.

    Anyway, after examining the firewall, the Active X rule was still in place. I sniffed a windows update session which I confirmed no longer uses Active X controls, but instead, a mix of SSL and HTTP.

    My guess is that the litigation over Active X has caused this *very* quiet change. For all you FW admins, don't panic when end users start asking why windows update suddenly works when you know that no firewall changes were made.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi there the horse13,

    I would be very worried if my Users even knew about windows update

    I would not allow any update without it being tested on reference machines, and a roll-out plan formulated?

    Yours sounds like a kinda interesting environment?............I am referring to DoD/MoD/NATO environments BTW.

    Cheers

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    My environment is very diverse, in that there are many levels to our architecture. Some levels are able to apply patches via windows update, others are not to be touched unless a patch has been certified (an in-house process that takes eons to complete).

    My general population segment is where I allow windows update to take place (at least now that Active X is out of the picture). Besides, it is, for all intents and purposes, a test bed to see how certain apps respond to MS patches.

    --TH13

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Thanks TH13,

    Now I know why you speak so authoritatively in the Forum!..................using a part of the User community as lab rats................I LIKE it

    Cheers & Good Luck

    Johnno

  5. #5
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Is Active X really out of the picture, or did they just tunnel it ?

    I ran update while running netstat and only found ports 80 and 443 connected. But Update refused to continue unless I allowed Active X.

    I was trying to find out what type of rule you were using to block it, found this:

    COM Internet Services

    Now I am confused.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    I use a plug-in from our FW manufacturer.

    My initial guess was that they were tunneling Active X in but I was unable to grab the traffic before it was encrypted so your guess is as good as mine.

    I did run across a number of articles that say they have dropped it because of litigation. I found one on Arstechnica that pretty much sums it up.

    In case anyone is interested:
    http://arstechnica.com/archive/news/1062344128.html
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Well I am not getting a runtime error on a couple of my machines when going to the Driver Update and Windows 2000 links on windows update. I guess they have some kinks to be worked out.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    What's the old saying? If you want something done right do it yourself....

    Anyway, I have verified that Active X *is* being tunneled in via HTTPS. No good sneaky MS bastards!!

    I ran a test personally and discovered what IKnowNot had proposed. Isn't it funny what happens when you disable all 5 Ative X settings in the browser?! I had a jr admin run the test and of course I got burned for trusting that he did it correctly.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Yes I was going to ask exactly how your firewall could detect ActiveX controls being sent via HTTPS.... it's difficult to do content scanning on content that it cannot decrypt.

    Slarty

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •