
Thread: No more Active X in Windows Update

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885

    No more Active X in Windows Update?

    Today I had quite a scare. My end users asked when we started allowing Active X through the firewall. As you can imagine, I nearly dropped a pile on the spot.

    Anyway, after examining the firewall, the Active X rule was still in place. I sniffed a windows update session which I confirmed no longer uses Active X controls, but instead, a mix of SSL and HTTP.

    My guess is that the litigation over Active X has caused this *very* quiet change. For all you FW admins, don't panic when end users start asking why windows update suddenly works when you know that no firewall changes were made.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi there the horse13,

    I would be very worried if my Users even knew about windows update

    I would not allow any update without it being tested on reference machines, and a roll-out plan formulated?

    Yours sounds like a kinda interesting environment?............I am referring to DoD/MoD/NATO environments BTW.

    Cheers

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    My environment is very diverse, in that there are many levels to our architecture. Some levels are able to apply patches via windows update, others are not to be touched unless a patch has been certified (an in-house process that takes eons to complete).

    My general population segment is where I allow windows update to take place (at least now that Active X is out of the picture). Besides, it is, for all intents and purposes, a test bed to see how certain apps respond to MS patches.

    --TH13

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Thanks TH13,

    Now I know why you speak so authoritatively in the Forum!..................using a part of the User community as lab rats................I LIKE it

    Cheers & Good Luck

    Johnno

  5. #5
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Is Active X really out of the picture, or did they just tunnel it ?

    I ran update while running netstat and only found ports 80 and 443 connected. But Update refused to continue unless I allowed Active X.

    I was trying to find out what type of rule you were using to block it, found this:

    COM Internet Services

    Now I am confused.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    I use a plug-in from our FW manufacturer.

    My initial guess was that they were tunneling Active X in but I was unable to grab the traffic before it was encrypted so your guess is as good as mine.

    I did run across a number of articles that say they have dropped it because of litigation. I found one on Arstechnica that pretty much sums it up.

    In case anyone is interested:
    http://arstechnica.com/archive/news/1062344128.html
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Well I am not getting a runtime error on a couple of my machines when going to the Driver Update and Windows 2000 links on windows update. I guess they have some kinks to be worked out.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    What's the old saying? If you want something done right do it yourself....

    Anyway, I have verified that Active X *is* being tunneled in via HTTPS. No good sneaky MS bastards!!

    I ran a test personally and discovered what IKnowNot had proposed. Isn't it funny what happens when you disable all 5 Active X settings in the browser?! I had a jr admin run the test and of course I got burned for trusting that he did it correctly.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Yes I was going to ask exactly how your firewall could detect ActiveX controls being sent via HTTPS.... it's difficult to do content scanning on content that it cannot decrypt.

    Slarty
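
The point raised in the last post, as an added example that is not part of the thread: a content filter that matches ActiveX `<object>` tags sees them in plaintext HTTP but gets only a record header and ciphertext once the same page travels over SSL/TLS. The tag-matching rule, the all-zero CLSID, the `.cab` name and the hash-based "encryption" are assumptions constructed for illustration, not the behaviour of any particular firewall plug-in.

```python
import hashlib
import re

# Assumed filter behaviour: match <object classid="clsid:..."> in plaintext HTTP.
OBJECT_TAG = re.compile(rb"<object\b[^>]*\bclassid\s*=\s*[\"']?clsid:", re.I)
TLS_RECORD_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data


def inspect_payload(payload: bytes) -> str:
    """Classify one TCP payload as an inline content filter would see it."""
    # SSL3/TLS record header: content type (1 byte), version 3.x (2), length (2).
    if len(payload) >= 5 and payload[0] in TLS_RECORD_TYPES and payload[1] == 3:
        return "opaque-tls"          # body is ciphertext; nothing to match on
    if OBJECT_TAG.search(payload):
        return "activex-object"      # filter can strip or block the tag
    return "clean"


def fake_tls_record(plaintext: bytes) -> bytes:
    """Constructed stand-in for an encrypted record (hash keystream, not real TLS)."""
    stream = b"".join(hashlib.sha256(bytes([i])).digest()
                      for i in range(len(plaintext) // 32 + 1))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    return b"\x17\x03\x01" + len(body).to_bytes(2, "big") + body


# Constructed sample page; the all-zero CLSID and the .cab name are placeholders.
HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b'<html><OBJECT ID="ctl" CLASSID="clsid:00000000-0000-0000-0000-000000000000" '
        b'CODEBASE="example.cab"></OBJECT></html>')


def demo() -> dict:
    """Run the same page through the filter over both channels."""
    return {
        "http": inspect_payload(HTML),
        "https": inspect_payload(fake_tls_record(HTML)),
        "plain": inspect_payload(b"HTTP/1.1 200 OK\r\n\r\n<html>no controls</html>"),
    }


if __name__ == "__main__":
    for channel, verdict in demo().items():
        print(f"{channel:5} -> {verdict}")
```

For the encrypted channel the filter can only act on destination and port, so control of ActiveX has to sit on the endpoint (the browser's ActiveX settings mentioned in post #8) or at a device that decrypts the session.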
