Coffeehouse Thread

56 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

Why is Windows Update HTTP/HTML based?

Back to Forum: Coffeehouse
  • User profile image
    manickernel
  • User profile image
    Sven Groot

    Just to add something in the mix: I think if I have to compare the /usr/bin story of Linux, combined with the way Windows does it, I actually prefer the Windows way (this is of course assuming applications that play nice, and actually use the registry and Documents and Settings folders the way they're used to, and don't store user settings in the Program Files folder). There's things to be said in favour of both mechanisms, but in the end I find that I prefer to have all application-related files grouped in one place than to have all files of a specific type grouped in one place. For RPM this isn't so much of a problem, but for instance I sometimes install mono from source (not anymore though since the System.Windows.Forms team started releasing updated assemblies separate from the main Mono releases), and uninstalling it was a pain. I'd have to trudge into half a dozen folders /usr/local/bin, /usr/local/etc, /usr/local/lib etc. and remove anything that I think might've something to do with mono (I'm not even talking about the possibility of accidentally removing something else). Sure it doesn't matter much if each and every app out there installed by RPM, but that's just not the case.

    Under Windows, if an app's uninstaller fails (or heavens forbid, didn't provide one), you can delete its application folder and be sure you got 80% of its files. Of course it may have installed some files in the System32 folder, but there the situation is neither better nor worse than under Linux.

    One thing I would like to get rid of is all the exe files in the Windows directory. There's no good reason why calc.exe must be in C:\Windows. Unfortunately, there are too many applications that rely on the file being there for it to be feasible to move at this point.

  • User profile image
    figuerres

    Beer28 wrote:
    figuerres wrote: Hey Beer: 

    two things:

    1)  libraries on Linux and app depenancy issues can drive me nuts... some times the mass of different projects all pushing new builds can lead to a real mess  a reqires x.1.2  x.1.2 needs y.2.1  y needs b.3.1   and that needs u.2.4  and before I can get one depend fixed I have been grabbing 5-10 different packages.... perhaps it's RedHat?


    How can this possibly be?, are you downloading the rpms yourself and trying to install them?
    if you run up2date or yum and a dependant package is missing it downloads it and installs it before it installs the package you requested.

    Say you install gtkmm2-devel or gtkmm20-devel, up2date is going to know that gtkmm2 the runtime library is a prerequisite for the gtkmm20 development rpm, and it will download it first.



    well not all software *is* in the nice distro sites.

    sure if all I needed was to load say "Gimp" thats fine and works good.

    but what if you need to update something thats not in the up-2-date etc... servers...

    then you have to get the rpm and install it -- or try to.

    examples I have just recently had:

    PPTP VPN with support for MPPC and MPPE
    requires one of serveral options each of them is not on the auto-update system why is not in scope here...
    they are not you have to go find them and install them.

    Linux Remote Desktop Client:  for RDP 5.2 you need new versions of stuff not found in the std. distro.

    in both cases this was Fedora Core 3.

    in the past I had this problem with Firewall Builder
    but not this time around.

    the new RDP support is out there... but after several hours of trying to make it work I nuked the laptop and installed WIndows 2000 on it then downloaded the updated remote desktop installer and I was up and running.

    I wanted to run Fedora on that laptop .... but If I could not remote into my windows box it was not going to work for all the things I needed.

    which was sad :--(

    And yes I tried to find an update on the update system... but I could not.

    now that ither means I was dumb or that there is a problem with how Fedora / Linux handles the update system:  I still have not seen a way to "find" packages that use the update magic unless the update system is publishing them....
    and some packages have been around for a long time
    -- like the MPPC / MPPE fixes

    and are just not published in the system...

    but this is not the core of the topic... it was just an aside on the fact that every system has it's bugs...

    as I read the end of you comments and think of other things you have posted:


    Beer,

    Sure we have choices. Sure MSFT is changing.
    I'd love to see some other OS'es that we can all use.

    but take what I just said about updating some stuff...
    I think my skills are a bit better then "Joe Average" but I find that Linux can be as bad as WIndows for some things....

    and Look at what RedHat did:  no more $40 RedHat in the stores....
    the new shrink wraped box is I think the same price as Windows XP Pro.

    the stength of the Open Linux codebase in the developer world is the sword that cuts both ways...
    for Linux to "WIn" over Windows you need a strong core of things that Linux does not seem to have:

    example:  if I write an app for WIndows 2000 and XP then I can build it one time and know that 99% of the installs will work out-of-the-box for all the users.
    If I build the same app for Linux I have to check for a whole bunch of almost the same but not quite the same builds of Linux  and support lib's

    if my app is not big enought to be in the distro then I am going to have to do a lot of work getting the app to work for all my users.

    Sorry but thats true.  and for "Off the shelf" the users should not have to compile the app. nor should they have to jump thru hoops knowing which flavor of linux they have etc...

    *I LIKE LINUX*  *I USE IT*
    I just do not see how it can be the answer for the "Masses" of mere mortal users.

    I think if someone was going to kill windows they would need to start with a clean slate.

    the answer would not be to have a core that is based on any UNIX / LINUX or WIndows Code.

    but it would be a big jump to make...  as big as the first Mac OS was compared to DOS and UNIX.

  • User profile image
    shreyasonli​ne

    Manip wrote:
    Name three advantages a client application has over the web site with ActiveX control?


    SECURITY !!!

    A lame user can be easily redirected to a fake website very easily and the user will promptly update his machine with Critical updates of NetBus or Back Oriface Trojan.

    Shreyas Zare

  • User profile image
    dotnetjunkie

    W3bbo wrote:
    Nearly 30,000,000 Firefox downloads and 50,000,000 supposed installations now


    That's not very logical!  There are always LESS installations than downloads, because people tend to just download it again if they have to reformat, reinstall, change computers, etc...

    So it'll be more like 30M downloads, 20M installations...

    (Personally, I have downloaded it 3 or 4 times, but have 0 installations at the moment Smiley)

  • User profile image
    Sven Groot

    shreyasonline wrote:
    SECURITY !!!

    A lame user can be easily redirected to a fake website very easily and the user will promptly update his machine with Critical updates of NetBus or Back Oriface Trojan.

    Shreyas Zare

    A lame user can just as easily be redirected to a website that tells him/her to install an updated version of the update client. This problem isn't solved by a client app.

  • User profile image
    shreyasonli​ne

    Sven Groot wrote:
    shreyasonline wrote: SECURITY !!!

    A lame user can be easily redirected to a fake website very easily and the user will promptly update his machine with Critical updates of NetBus or Back Oriface Trojan.

    Shreyas Zare

    A lame user can just as easily be redirected to a website that tells him/her to install an updated version of the update client. This problem isn't solved by a client app.


    Thats true, but why to take chances and let someone fool a lame user in beliving that the site he is surfing is windowsupdate.microsoft.com .... this may happen if the user already has a trojan installed. The trojan may put a entry in HOSTS file so that windowsupdate.microsoft.com points to a zombie which has a absolutely similar copy of windowsupdate.microsoft.com website.

    A client app does not need to download any ActiveX, and can install it without keeping the IE window open (which gets frized) till the update is over.

  • User profile image
    W3bbo

    dotnetjunkie wrote:
    W3bbo wrote:Nearly 30,000,000 Firefox downloads and 50,000,000 supposed installations now


    That's not very logical!  There are always LESS installations than downloads, because people tend to just download it again if they have to reformat, reinstall, change computers, etc...

    So it'll be more like 30M downloads, 20M installations...

    (Personally, I have downloaded it 3 or 4 times, but have 0 installations at the moment )


    You're forgetting big corporate rollouts. A single download redistributed to all the machines on the LAN.

    Some major "high profile" and more than a dozen Fortune 100 companies have installed Firefox... that would not necessarily require a download for all the machines.

    Rather, I think it would be more accurate for the Firefox UA to phone-home on every non-upgrade installation.

  • User profile image
    Sven Groot

    shreyasonline wrote:
    Thats true, but why to take chances and let someone fool a lame user in beliving that the site he is surfing is windowsupdate.microsoft.com .... this may happen if the user already has a trojan installed. The trojan may put a entry in HOSTS file so that windowsupdate.microsoft.com points to a zombie which has a absolutely similar copy of windowsupdate.microsoft.com

    If a trojan was already on the system, there's much more interesting things it can do than modify the hosts file. Once they're in, your system is pwnd anyway.

  • User profile image
    W3bbo

    Sven Groot wrote:
    If a trojan was already on the system, there's much more interesting things it can do than modify the hosts file. Once they're in, your system is pwnd anyway.


    Only if you run with elevated priveledges.

  • User profile image
    Sven Groot

    W3bbo wrote:
    Sven Groot wrote: If a trojan was already on the system, there's much more interesting things it can do than modify the hosts file. Once they're in, your system is pwnd anyway.


    Only if you run with elevated priveledges.

    But if you don't, it can't modify the HOSTS file either, so that's a moot point.

  • User profile image
    shreyasonli​ne

    Sven Groot wrote:
    shreyasonline wrote: Thats true, but why to take chances and let someone fool a lame user in beliving that the site he is surfing is windowsupdate.microsoft.com .... this may happen if the user already has a trojan installed. The trojan may put a entry in HOSTS file so that windowsupdate.microsoft.com points to a zombie which has a absolutely similar copy of windowsupdate.microsoft.com

    If a trojan was already on the system, there's much more interesting things it can do than modify the hosts file. Once they're in, your system is pwnd anyway.


    Well, if a trojan updates itself using the forged windows update website by using the HOSTS file, it beats the Firewall as the website is already added in "Trusted Websites" list by default and IE has full access over the internet through the firewall and that makes it more powerful than than earlier as it has now some updates using which it can defeat the firewall itself without any help.

    Shreyas Zare

  • User profile image
    shreyasonli​ne

    W3bbo wrote:
    Sven Groot wrote: If a trojan was already on the system, there's much more interesting things it can do than modify the hosts file. Once they're in, your system is pwnd anyway.


    Only if you run with elevated priveledges.


    Anyways, you need to be a admin to do windows update.

  • User profile image
    shreyasonli​ne

    Sven Groot wrote:
    shreyasonline wrote: SECURITY !!!

    A lame user can be easily redirected to a fake website very easily and the user will promptly update his machine with Critical updates of NetBus or Back Oriface Trojan.

    Shreyas Zare

    A lame user can just as easily be redirected to a website that tells him/her to install an updated version of the update client. This problem isn't solved by a client app.


    If a trojan some how breaks in and uses the HOSTS file modification to forge the windows update website, forget the lame user, I bet that even many admins would be fooled to belive that they are really updating windows. The "Trusted Site" message in the statusbar makes this easier.

  • User profile image
    Tyler Brown

    Sven Groot wrote:
    For one thing, it is simple to ensure that everybody uses the latest version. Once a new version is deployed, everybody will use it, because the old version is gone. It also makes it possible for the programmers to make small changes (changes that do not require modification of the ActiveX control) without having to distribute new clients to everyone.

    This could easily be accomplished using ClickOnce deployment. A user simply runs the application and if there is an updated client, it is automatically installed in the background.

    Sven Groot wrote:

    The updates would still need to come from the Internet, so it would do nothing to stop someone spoofing the Windows Update download servers with a DNS attack, but fortunately WU and AU already take steps to ensure the authenticity of the downloaded updates.

    This could also be easily accomplished with an application that verifies the MD5 CheckSum after download.

    I personally have been thinking for about a month or two that Microsoft is intending on moving to a rich client for Windows Update and that they are just waiting for the .NET 2.0 framework to be finalized and distributed.

  • User profile image
    W3bbo

    Tyler Brown wrote:
    This could also be easily accomplished with an application that verifies the MD5 CheckSum after download.


    I can't really see that happening for something like Windows Update.

    Microsoft has "MD5" and "hashing" associated with the "evil OSS community" and so prefers expensive file signing.

    The only time I've seen "MD5" and "Microsoft" in the same paragraph is in the MSDN Documentation.

  • User profile image
    Jaz

    microsoft offer an MD5 checker

  • User profile image
    Cider

    W3bbo wrote:
    dotnetjunkie wrote:
    W3bbo wrote: Nearly 30,000,000 Firefox downloads and 50,000,000 supposed installations now


    That's not very logical!  There are always LESS installations than downloads, because people tend to just download it again if they have to reformat, reinstall, change computers, etc...

    So it'll be more like 30M downloads, 20M installations...

    (Personally, I have downloaded it 3 or 4 times, but have 0 installations at the moment )


    You're forgetting big corporate rollouts. A single download redistributed to all the machines on the LAN.

    Some major "high profile" and more than a dozen Fortune 100 companies have installed Firefox... that would not necessarily require a download for all the machines.

    Rather, I think it would be more accurate for the Firefox UA to phone-home on every non-upgrade installation.


    And where are you getting your information about Fortune 100 companies from?

    I've Googled that, come up with nothing and it sounds like rubbish.  After all, it would be very unusual for a big company to go public on things like this.  As it goes, I do know of some very big installations, mainly because I have been indirectly involved because of the tool I wrote, but I wont tell you who or the numbers.

    Ultimately the numbers matter not, especially in the case of Firefox, the numbers don't matter because, IE is still there.  The only people who care are those on sites like "Spread Firefox", inbetween spazzing on with ways of crippling IE on sites.

Conversation locked

This conversation has been locked by the site admins. No new comments can be made.