-
September 10th, 2003, 04:31 PM
#1
No more Active X in Windows Update?
Today I had quite a scare. My end users asked when we started allowing Active X through the firewall. As you can image, I nearly dropped a pile on the spot.
Anyway, after examining the firewall, the Active X rule was still in place. I sniffed a windows update session which I confirmed no longer uses Active X controls, but instead, a mix of SSL and HTTP.
My guess is that the litigation over Active X has caused this *very* quiet change. For all you FW admins, don't panic when end users start asking why windows update suddenly works when you know that no firewall changes were made.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
September 10th, 2003, 07:46 PM
#2
Hi there the horse13,
I would be very worried if my Users even knew about windows update
I would not allow any update without it being tested on reference machines, and a roll-out plan formulated?
Yours sounds like a kinda interesting environment?............I am referring to DoD/MoD/NATO environments BTW.
Cheers
-
September 10th, 2003, 08:05 PM
#3
My environment is very diverse, in that there are many levels to our architecture. Some levels are able to apply patches via windows update, others are not to be touched unless a patch has been certified (an in-house process that takes eons to complete).
My general population segment is where I allow windows update to take place (at least now that Active X is out of the picture). Besides, it is, for all intents and purposes, a test bed to see how certain apps respond to MS patches.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
September 10th, 2003, 08:59 PM
#4
Thanks TH13,
Now I know why you speak so authoritatively in the Forum!..................using a part of the User community as lab rats................I LIKE it
Cheers & Good Luck
Johnno
-
September 10th, 2003, 09:06 PM
#5
Is Active X really out of the picture, or did they just tunnel it ?
I ran update while running netstat and only found ports 80 and 443 connected. But Update refused to continue unless I allowed Active X.
I was trying to find out what type of rule you were using to block it, found this:
COM Internet Services
Now I am confused.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
September 10th, 2003, 09:11 PM
#6
I use a plug-in from our FW manufacturer.
My initial guess was that they were tunneling Active X in but I was unable to grab the traffic before it was encrypted so your guess is as good as mine.
I did run across a number of articles that say they have dropped it because of litigation. I found one on Arstechnica that pretty much sums it up.
In case anyone is interested:
http://arstechnica.com/archive/news/1062344128.html
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
September 10th, 2003, 09:20 PM
#7
Well I am not getting a runtime error on a couple of my machines when going to the Driver Update and Windows 2000 links on windows update. I guess they have some kinks to be worked out.
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
-
September 10th, 2003, 09:42 PM
#8
What's the old saying? If you want something done right do it yourself....
Anyway, I have verified that Active X *is* being tunneled in via HTTPS. No good sneaky MS bastards!!
I ran a test personally and discovered what IKnowNot had proposed. Isn't it funny what happens when you disable all 5 Ative X settings in the browser?! I had a jr admin run the test and of course I got burned for trusting that he did it correctly.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
September 11th, 2003, 01:30 AM
#9
Yes I was going to ask exactly how your firewall could detect ActiveX controls being sent via HTTPS.... it's difficult to do content scanning on content that it cannot decrypt.
Slarty
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|