Page 2 of 2 FirstFirst 12
Results 11 to 19 of 19

Thread: Microsoft Security Patch Rummors

  1. #11
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Originally posted here by Soda_Popinsky
    http://en.wikipedia.org/wiki/Security_through_obscurity

    Just because linux is "indie" doesn't make secure, you still have to update it like everyone else. This discussion would still apply regardless of the OS.

    Back on track...
    Get your patches from the official source, in your case the windows update site. You can't get it a more trustworthy way unless they mail you an update CD.
    Hey Hey,

    I'm sick of the 'install Linux' **** just like everyone else... and I definately agree that you should deal with a valid source and a trustworthy one such as Windows Update... but being mailed a CD isn't really any better than email... the CD could come from anywhere.... and just be made up to look realistic... Actually it's not a bad idea for a scam... and it's one I'm surprised we haven't seen yet.

    As far as updates go.... It depends on what you're dealing with... If you have a bunch of large mission critical servers, you're going to want to test some of the more major patches in R&D before installing them in production.... the same goes for the service pack... it's also true that it's not a bad idea to hold off on the service packs for a little while.... they tend to be flaky for a while.. but then updates are released for them and it's nice to have it all installed and stable at the same time.

    That's my two cents anyways.

    Peace,
    HT

  2. #12
    I should have been more specific, of course you would request a CD, and I would trust a requested CD through the mail more than the Windows Update server. Your risk doesn't depend on the server's integrity, as well as internet risks such as MITM's, among other things. I don't know how the post office verify's a sender, but you could go to the PO and pick up a MS shipment if you really needed to verify the integrity of a update CD, such as in a corporate enviroment... or whatever you know what I mean.

    Mailing out fake update cd's... now thats aggressive, and expensive! I doubt there will be mass mailings of something like that, but I'd try it during a pen-test.

  3. #13
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Originally posted here by Soda_Popinsky
    I should have been more specific, of course you would request a CD, and I would trust a requested CD through the mail more than the Windows Update server. Your risk doesn't depend on the server's integrity, as well as internet risks such as MITM's, among other things. I don't know how the post office verify's a sender, but you could go to the PO and pick up a MS shipment if you really needed to verify the integrity of a update CD, such as in a corporate enviroment... or whatever you know what I mean.

    Mailing out fake update cd's... now thats aggressive, and expensive! I doubt there will be mass mailings of something like that, but I'd try it during a pen-test.
    Hey Hey,

    While mailing out a shitload of Windows Update CDs in a similar fashion to AOL CDs may be a little costly... there is potential for a large return depending on the malware contained on the disk and it's purpose. It'd be interesting to see the results of such an attempt and how successful they were.

    I'm sorry for bringing this thread off topic... but I find this to be a much more interesting idea than whether or not updates should be installed (which has already been answered... so if that's what you're looking for you should have stopped reading several post ago)... anyways...

    Your comments have intrigued me even further Soda... It's amusing that today we're much more security conscious than we were 20 years (then again... 20 years ago I was almost 3).. yet we still miss the basics.. That's what always catches us... The majority of the user of this site are familiar with Man-in-the-Middle (MITM) attacks.... but why must this be technology related? MITM is an interception of data for the most part... this could quite easily be pulled off with the snail mail system. It could involve technology... I, as a disgruntled employee, or someone who has already compromised the corporate infrastructure, could learn of a request for an update CD and easily forge a CD and mail it out... listing the address as Microsoft... Printers capable of printing directly to CDs would make the spoof even easier to pull off. I could also intercept the mail returning to you... Believe it or not... the post office doesn't require a lot of information to release a parcel... Sometimes just a name and other times photo ID... how many teenagers do you know going to the bar with fake ID... I know a place in downtown Toronto where I can buy ID for any state or province for $30 CDN. I pick up your mail... (or just take it from your mailbox... depending on the circumstances)... open the envelope (the MS Update CDs come in a brown manilla envelope... or mine did anyways) take the content, replace the cd and seal all the content in a new envelope... mailing it back out to you with Microsofts return address in the corner.

    Anyways.... just some random ramblings @ 3:30AM...

    Peace,
    HT

    PS... I'm 7 days away from my 2 year AO Anniversary... I prefer cash gifts. :P

  4. #14
    Senior Member
    Join Date
    Feb 2004
    Posts
    373
    PS... I'm 7 days away from my 2 year AO Anniversary... I prefer cash gifts. :P
    Well I hope nobody intercepts the check that I sent you and replaces it with monopoly money.

  5. #15
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Outer_Heaven:
    I wonder if they are trying to convey to you that you shouldn't use it update un-licensed software that has been obtained via...questionable methods? A little paranoia on their part?

    Most of the Senior AO members responses have been right on...keep your system up to date with the latest patches, from a TRUSTED source. The ONLY trusted source I know of for M$ updates is Microsoft itself. As for Linux...that's a whole different story.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  6. #16
    Although you could hijack CD's through the mail, I think it would be much more effective another way. Instead of imitating MS cd's, grab a high school directory and send out fake video game demo CD's for some fake (or real) magazine and have it say it includes demos for games (pick good ones :P). It would be much easier to pull off.

    But if you really needed to mess with a certain target, then yeah you could feasibly hijack a update CD.

    But when it comes to what I would choose for my updates, I would choose the post office instead of the 12 hops between myself and MS. At least I can point my finger at the post office or have them begin an investigation... or something.

  7. #17
    Dead Man Walking
    Join Date
    Jan 2003
    Posts
    810
    Yea but by the time you get the CD in the mail the patches need patched

  8. #18
    Outer_Heaven:
    I wonder if they are trying to convey to you that you shouldn't use it update un-licensed software that has been obtained via...questionable methods? A little paranoia on their part?
    Hmmmm, that could very well be. It is UNBELIEVABLE how much pirated crap is flying around there in the Philippines, everywhere you go and look all you see is pirated video games, dvd's and software, so that could very well be it. But why would they be concerned about it, cause it was my computers, so I would be the one to take the hit. But they pretty much told me not to download the security patches off the microsoft website cause they said it will make your computers more vulnerable and open to attack. They said that they had software, cd's, that we should use to install the patches. But now that I think of it, the cd's they had would probably be pirated, too, or, what my wife was thinking, cause we would have them service our computers every week or so, but she was thinking that maybe they were just saying that so we would have to call them to install the patches when they came out so they could make money. But she has got a bachelors in CS though, and she would get on me, too when I would check the computers for updates and install them from the microsoft website.

    So, I myself, have always been a firm believer in downloading and installing them off the microsoft website, and would always do so anyway, it was just other people telling me I shouldn't. But I was talking to my father yesterday, about this similar topic, but for the wireless laptop we got, and he said that at his work they too use the MS website to download and install patches, but, he did say that they did find a problem with one of the security patches they put out recently, I think he said security patch 2 or something? He wasn't exactly sure himself, so don't quoate me on this, but he said there was a problem with ONE of the patches they put out recently. But he said that's how his company gets their updates, too
    \"Champagne for my real friends, real pain for my sham friends\"-Ed Norton/25th Hour

  9. #19
    Dead Man Walking
    Join Date
    Jan 2003
    Posts
    810
    Service pack 2 did have some problems when it was first released but the majority of the problems with it stemed from the computer not being properly prepared. Such as spyware removed etc etc.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •