Nate Clinton, a program manager for Windows Update, has posted the details on the "Silent" update from Windows Update that had been reported this week. The bottom line is that Windows Update does perform a silent update in the event it needs to update itself. Which makes sense. The reasoning is that they must update Windows Update itself periodically to ensure it operates reliably. Why is it updated if users have opted not to install without notification? The logic there is that if someone opts back into the service they should actually be able to use it. Which is a good thing, right? I applaud them for the disclosure, but here is what I think still needs to happen:
1.) No silent updates - If there is a need to update the Windows Update service, use the Windows Update engine and display the usual balloon notifications, etc., unless they have chosen a full silent install for all updates. Allowing silent updates will only breed paranoia and can lead to nothing but bad publicity.
2.) Public disclosure before any updates - Post a press release or security bulletin, and make available an opt-in email notification system for home users that will notify anyone prior to any update to the Windows Update service.
3.) Define the exact files that are involved in an update and make the list publicly available. Not sure if this is already there, but if this hasn't been done, use Windows Service Hardening to specify that only the above files can be touched via the service.
(edited for inaccuracies... my bad)
What do you think? Any more you can think of?
Posted Sep 13 2007, 06:39 PM by Josh Phillips