|
|
I am trying to figure out how WSUS currently determines how a patch is
missing from a server. Does it check the individual files in each patch and
then report it as missing if the files are at a previous version?
I have seen in the past that software can install previous versions of dlls,
etc that "break" patches already applied. Windows Update from the web does
not recognize them as being needed again but the vulnerability still exists.
|
|
"D Riberdy" <DRiberdy[ at ]discussions.microsoft.com> wrote in message
news:E21AC0D6-1CE3-4B9C-BCE5-49386FC84A64[ at ]microsoft.com...
[Quoted Text] >I am trying to figure out how WSUS currently determines how a patch is
> missing from a server.
The Windows Update Agent tells it that it's missing.
> Does it check the individual files in each patch and
> then report it as missing if the files are at a previous version?
The Windows Update Agent does a file level version check based on the
metadata stored in the update detection logic, which is obtained from the
WSUS Server during a detection event, provided that the update detection
metadata contains file level version data.
> I have seen in the past that software can install previous versions of
> dlls,
> etc that "break" patches already applied.
Only stupid software from stupid software developers on systems prior to
Windows 2000, where the stupid software developer failed to check the
version of the installed DLL prior to overwriting it with an older version
contained in the stupid software developer's installation package.
> Windows Update from the web does
> not recognize them as being needed again but the vulnerability still
> exists.
That really depends on what the update is; how old the update is; what
detection methodology is coded into the update package's detection logic;
what version of the operating system you're using; what version of the
Windows Update Agent you're using; and whether or not the affected DLL(s)
are actually part of any given update package.
Do you have a *specific* example you'd like to discuss?
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
|
|
The actual incident in question was installing Microsoft Application Center
SP1 that undid the fix for the Blaster virus on all the servers we installed
it on. Even though Microsoft listed it as installed and said we were
protected an audit found us vulnerable. We had to switch to a 3rd party tool
becuase the customer felt that we and Microsoft were unable to properly
manage the patching and healthiness of the environment.
So, If a, as you put it "Only stupid software from stupid software
developers" were to overlay a newer patches dll with an older version, will
WSUS then show it as missing? Or is that entirely dependent on the people
packaging the patches to insert all the proper data for WSUS to do that type
of checking ala "The Windows Update Agent does a file level version check
based on the metadata stored in the update detection logic, which is obtained
from the
WSUS Server during a detection event, provided that the update detection
metadata contains file level version data."
DR
"Lawrence Garvin (MVP)" wrote:
[Quoted Text] > "D Riberdy" <DRiberdy[ at ]discussions.microsoft.com> wrote in message > news:E21AC0D6-1CE3-4B9C-BCE5-49386FC84A64[ at ]microsoft.com... > >I am trying to figure out how WSUS currently determines how a patch is > > missing from a server. > > The Windows Update Agent tells it that it's missing. > > > Does it check the individual files in each patch and > > then report it as missing if the files are at a previous version? > > The Windows Update Agent does a file level version check based on the > metadata stored in the update detection logic, which is obtained from the > WSUS Server during a detection event, provided that the update detection > metadata contains file level version data. > > > > I have seen in the past that software can install previous versions of > > dlls, > > etc that "break" patches already applied. > > Only stupid software from stupid software developers on systems prior to > Windows 2000, where the stupid software developer failed to check the > version of the installed DLL prior to overwriting it with an older version > contained in the stupid software developer's installation package. > > > Windows Update from the web does > > not recognize them as being needed again but the vulnerability still > > exists. > > That really depends on what the update is; how old the update is; what > detection methodology is coded into the update package's detection logic; > what version of the operating system you're using; what version of the > Windows Update Agent you're using; and whether or not the affected DLL(s) > are actually part of any given update package. > > Do you have a *specific* example you'd like to discuss? > > > > -- > Lawrence Garvin, M.S., MCTS, MCP > Independent WSUS Evangelist > MVP-Software Distribution (2005-2007) > https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E> > Everything you need for WSUS is at > http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx> > And, almost everything else is at > http://wsusinfo.onsitechsolutions.com> ..... > > > > |
|
"D Riberdy" <DRiberdy[ at ]discussions.microsoft.com> wrote in message
news:BE35A31C-9AFD-441D-BDF8-C2FFE27CC7E5[ at ]microsoft.com...
[Quoted Text] > The actual incident in question was installing Microsoft Application
> Center
> SP1 that undid the fix for the Blaster virus on all the servers we
> installed
> it on.
Interesting.... but a rather ancient problem, wouldn't you agree? The
Blaster virus is almost four years old; Application Center 2000 SP1
(released: Oct 2001) actually pre-dates the Blaster virus by almost two
years; and Application Center 2000 SP2 was released four years ago to
support AppCenter2000 on Windows Server 2003.
As for the Blaster virus itself, it actually exploits an issue that was
fixed by MS03-026 (KB823980), which isn't even an active update anymore,
having been superceded by a Service Pack on every operating system except
Windows 2000.
So, lacking a *current* example, let's take this scenario in the context it
deserves.
> Even though Microsoft listed it as installed and said we were
> protected an audit found us vulnerable.
So, if I understand you correctly, you directly installed Application Center
2000 SP1 on top of a machine already containing MS03-026, and then were
surprised when a 2 year old service pack replaced some files with older
versions?
Okay... so lessons learned: [a] Always install updates in chronological
order of release. [b] Always run a security scan after applying any old
updates.
Also, keep in mind that the OS reporting an update as "Installed", merely
means that the installer successfully ran, and that the necessary registry
values were created. It indicates nothing about whether the component files
are physically present, corrupted, or overwritten with an older version by
some other installer.
> We had to switch to a 3rd party tool
> becuase the customer felt that we and Microsoft were unable to properly
> manage the patching and healthiness of the environment.
Hmmm... and, in reality, it was probably nothing more than a deployment
error in the installation of the AppCenter 2000 service pack. :-)
To that extent, the customer was probably partially correct in expressing
concern about your inability to properly manage the patching and healthiness
of the enviornment. :-\
> So, If a, as you put it "Only stupid software from stupid software
> developers" were to overlay a newer patches dll with an older version,
> will
> WSUS then show it as missing?
*TODAY*, with *WSUS* (or SMS, or WU/MU, or MBSA -- all of which use exactly
the same scanning technology) (neither of which existed when you were
installing AppCenter service packs on top of Blaster security vulnerability
patches), all patches are *DETECTED* based on the requisite file contents
and version numbers of those files.
> Or is that entirely dependent on the people
> packaging the patches to insert all the proper data for WSUS to do that
> type
> of checking
But, yes, WSUS/WUA is wholly dependent on the publisher of the UPDATE (which
is generally the product group responsible for the specific product being
updated), to properly configure the metadata for the detection logic of that
update. Ergo, the Windows Update Agent can only do what the product team
tells it to do via the update detection logic.
>"The Windows Update Agent does a file level version check
> based on the metadata stored in the update detection logic, which is
> obtained
> from the
> WSUS Server during a detection event, provided that the update detection
> metadata contains file level version data."
Exactly.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
|
|
"Lawrence Garvin (MVP)" wrote:
[Quoted Text] > But, yes, WSUS/WUA is wholly dependent on the publisher of the UPDATE (which
> is generally the product group responsible for the specific product being
> updated), to properly configure the metadata for the detection logic of that
> update. Ergo, the Windows Update Agent can only do what the product team
> tells it to do via the update detection logic.
So, what you are saying is that I am at the mercy of a patch developer doing
their job correctly to ensure that the patches will scan correctly in WSUS?
Is this a standard routine for them to do or is there currently cases where
it doesn't have the correct information? Microsoft has been known to
re-re-release patches due to improperly packaged files before.
> So, if I understand you correctly, you directly installed Application Center
> 2000 SP1 on top of a machine already containing MS03-026, and then were
> surprised when a 2 year old service pack replaced some files with older
> versions?
Actually, you understood me incorrectly. The above patch MS03-026 was
installed when the base machine was created with Windows Update. We
installed Microsoft Application Center 2000 SP1 as a complete application -
not just the SP1 patch. When we rescanned the machines at the end of the
build process, there were no updates to be found - ergo the logic built into
either the MS03-026 patch itself OR Windows Update was flawed.
Therein lies their concern as well as ours that if we hang our hats on the
WSUS product, which by the looks of the forum posts here for version 3, has
less than spectaular commentary, that it will ensure that we are patched to
the fullest extent and rescan previously installed patches to make sure
nothing like the above happens. If it falls on the product team or WSUS
directly, it still is a "Microsoft" problem that things are not scanned
correctly.
|
|
=?Utf-8?B?RCBSaWJlcmR5?= <DRiberdy[ at ]discussions.microsoft.com> wrote in
news:90CB7FB6-DE83-4035-A98C-F1B4DEDB814E[ at ]microsoft.com:
[Quoted Text] > "Lawrence Garvin (MVP)" wrote:
>
>> But, yes, WSUS/WUA is wholly dependent on the publisher of the UPDATE
>> (which is generally the product group responsible for the specific
>> product being updated), to properly configure the metadata for the
>> detection logic of that update. Ergo, the Windows Update Agent can
>> only do what the product team tells it to do via the update detection
>> logic.
>
> So, what you are saying is that I am at the mercy of a patch developer
> doing their job correctly to ensure that the patches will scan
> correctly in WSUS? Is this a standard routine for them to do or is
> there currently cases where it doesn't have the correct information?
> Microsoft has been known to re-re-release patches due to improperly
> packaged files before.
>
>> So, if I understand you correctly, you directly installed Application
>> Center 2000 SP1 on top of a machine already containing MS03-026, and
>> then were surprised when a 2 year old service pack replaced some
>> files with older versions?
>
> Actually, you understood me incorrectly. The above patch MS03-026 was
> installed when the base machine was created with Windows Update. We
> installed Microsoft Application Center 2000 SP1 as a complete
> application - not just the SP1 patch. When we rescanned the machines
> at the end of the build process, there were no updates to be found -
> ergo the logic built into either the MS03-026 patch itself OR Windows
> Update was flawed.
>
Well, Windows Update does what the patch tells it to do to detect, so
it's not flawed.
The update will look for either file versions, or more likely registry
entries. So installing MS03-026 created the requisite entries and folders
in the Windows folder. Then you load a 7 year old piece of software that
blindly clobbers a bunch of DLLs. The MS03-026 registry entries are still
there. What do you expect the detection to do? Scan version of every file
it replaces? For large patches and SPs, it would consume too much
resources on the clients.
If you want to escape responsibility and lay the blame on Microsoft, then
blame App Centre.
Personnaly at this point, I'd upgrade App Centre to the cuttent version.
Or at least, install it immediately after the OS, before patches.
> Therein lies their concern as well as ours that if we hang our hats on
> the WSUS product, which by the looks of the forum posts here for
> version 3, has less than spectaular commentary, that it will ensure
> that we are patched to the fullest extent and rescan previously
> installed patches to make sure nothing like the above happens. If it
> falls on the product team or WSUS directly, it still is a "Microsoft"
> problem that things are not scanned correctly.
>
|
|
*sigh* as Garvin noted this was an old problem. The point being we have used
other products and are now wanting to investigate WSUS as a possible solution
for patching.
Yes, I would expect that if I were to call for a scan of missing patches on
a server, it would check the file versions to ensure that they match with
what is is expected to be there. Other tools do the exact same thing and
don't seem to be consuming too many resources.
So far, I haven't really heard any good reason to vary from what we are
using to go to WSUS since we cannot expect that it would confidently tell us
what we want to know. I guess if you vary from the norm and don't kiss the
ring of Microsoft you get belittled on these forums.
"Asher_N" wrote:
[Quoted Text] > =?Utf-8?B?RCBSaWJlcmR5?= <DRiberdy[ at ]discussions.microsoft.com> wrote in
> news:90CB7FB6-DE83-4035-A98C-F1B4DEDB814E[ at ]microsoft.com:
>
> > "Lawrence Garvin (MVP)" wrote:
> >
> >> But, yes, WSUS/WUA is wholly dependent on the publisher of the UPDATE
> >> (which is generally the product group responsible for the specific
> >> product being updated), to properly configure the metadata for the
> >> detection logic of that update. Ergo, the Windows Update Agent can
> >> only do what the product team tells it to do via the update detection
> >> logic.
> >
> > So, what you are saying is that I am at the mercy of a patch developer
> > doing their job correctly to ensure that the patches will scan
> > correctly in WSUS? Is this a standard routine for them to do or is
> > there currently cases where it doesn't have the correct information?
> > Microsoft has been known to re-re-release patches due to improperly
> > packaged files before.
> >
> >> So, if I understand you correctly, you directly installed Application
> >> Center 2000 SP1 on top of a machine already containing MS03-026, and
> >> then were surprised when a 2 year old service pack replaced some
> >> files with older versions?
> >
> > Actually, you understood me incorrectly. The above patch MS03-026 was
> > installed when the base machine was created with Windows Update. We
> > installed Microsoft Application Center 2000 SP1 as a complete
> > application - not just the SP1 patch. When we rescanned the machines
> > at the end of the build process, there were no updates to be found -
> > ergo the logic built into either the MS03-026 patch itself OR Windows
> > Update was flawed.
> >
>
> Well, Windows Update does what the patch tells it to do to detect, so
> it's not flawed.
>
> The update will look for either file versions, or more likely registry
> entries. So installing MS03-026 created the requisite entries and folders
> in the Windows folder. Then you load a 7 year old piece of software that
> blindly clobbers a bunch of DLLs. The MS03-026 registry entries are still
> there. What do you expect the detection to do? Scan version of every file
> it replaces? For large patches and SPs, it would consume too much
> resources on the clients.
>
> If you want to escape responsibility and lay the blame on Microsoft, then
> blame App Centre.
>
> Personnaly at this point, I'd upgrade App Centre to the cuttent version.
> Or at least, install it immediately after the OS, before patches.
>
>
> > Therein lies their concern as well as ours that if we hang our hats on
> > the WSUS product, which by the looks of the forum posts here for
> > version 3, has less than spectaular commentary, that it will ensure
> > that we are patched to the fullest extent and rescan previously
> > installed patches to make sure nothing like the above happens. If it
> > falls on the product team or WSUS directly, it still is a "Microsoft"
> > problem that things are not scanned correctly.
> >
>
>
|
|
Asher_N wrote:
[Quoted Text] > Well, Windows Update does what the patch tells it to do to detect, so
> it's not flawed.
The detection logic is part of the Windows Update product, speaking in the
broader sense.
> What do you expect the detection to do? Scan version of every file
> it replaces? For large patches and SPs, it would consume too much
> resources on the clients.
MBSA 1.2.1 seemed to manage to do this without being very resource-hungry.
(Granted service packs are a special case.)
Probably qfecheck is the right tool to check for this class of problem.
However, it does seem that this functionality should be built into WUA, or
perhaps the OS.
... actually the other thing that puzzles me is why Windows File Protection
didn't kick in.
> Personnaly at this point, I'd upgrade App Centre to the cuttent version.
> Or at least, install it immediately after the OS, before patches.
Are you suggesting that whenever we need to run a new application we should buy
a new server? I don't think that's a feasible solution in general. :-)
Harry.
|
|
"D Riberdy" <DRiberdy[ at ]discussions.microsoft.com> wrote in message
news:90CB7FB6-DE83-4035-A98C-F1B4DEDB814E[ at ]microsoft.com...
[Quoted Text] > "Lawrence Garvin (MVP)" wrote:
>
>> But, yes, WSUS/WUA is wholly dependent on the publisher of the UPDATE
>> (which
>> is generally the product group responsible for the specific product being
>> updated), to properly configure the metadata for the detection logic of
>> that
>> update. Ergo, the Windows Update Agent can only do what the product team
>> tells it to do via the update detection logic.
>
> So, what you are saying is that I am at the mercy of a patch developer
> doing
> their job correctly to ensure that the patches will scan correctly in
> WSUS?
You'd be at their mercy even if you used Microsoft Update!
You'd also be at their mercy if you solely relied on the verbage in the MSRC
or KB document.
At some point ya either gotta trust your OS vendor to some point, or ya
gotta find a new OS vendor.
I'm afraid I can't help you much with your paranoia. ;-)
>> So, if I understand you correctly, you directly installed Application
>> Center
>> 2000 SP1 on top of a machine already containing MS03-026, and then were
>> surprised when a 2 year old service pack replaced some files with older
>> versions?
>
> Actually, you understood me incorrectly. The above patch MS03-026 was
> installed when the base machine was created with Windows Update. We
> installed Microsoft Application Center 2000 SP1 as a complete
> application -
> not just the SP1 patch.
Okay.. so either way.. what you're telling me is that you installed a
product whose release date preceeded the release date of security updates on
the system, and you never considered the need to evaluate whether those
security updates needed to be reinstalled?
> When we rescanned the machines at the end of the
> build process, there were no updates to be found - ergo the logic built
> into
> either the MS03-026 patch itself OR Windows Update was flawed.
Or, you misunderstood the significance of whatever tool you used to do the
"rescan".
But, again, that was in 2003, four years ago. It's really a pointless
discussion now.
> Therein lies their concern as well as ours that if we hang our hats on the
> WSUS product, which by the looks of the forum posts here for version 3,
> has
> less than spectaular commentary,
Eh?
> that it will ensure that we are patched to
> the fullest extent and rescan previously installed patches to make sure
> nothing like the above happens. If it falls on the product team or WSUS
> directly, it still is a "Microsoft" problem that things are not scanned
> correctly.
Like I said above.. it matters not what the PRODUCT used to scan or install
the patch is -- ultimately, in *ANY* circumstance -- you're entirely
dependent upon the Microsoft Sustained Engineeering team(s) for the various
products to forsee every possible installation environment, and be able to
detect every possible installation scenario -- including somebody who'd want
to install a two year old product onto current hotfix security patches.
Bottom line is: That's why every "best practice" document in the world says
TEST TEST TEST TEST TEST.
Prove to YOURSELF that the patch installs correctly, doesn't break anything
on your systems, and does what you need it to do, and then, when you've done
that, deploy it to production systems.
I really don't think there's much else I can say.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
|
|
"Harry Johnston" <harry[ at ]scms.waikato.ac.nz> wrote in message
news:u$YJEObuHHA.3376[ at ]TK2MSFTNGP04.phx.gbl...
[Quoted Text] > Asher_N wrote:
>
>> Well, Windows Update does what the patch tells it to do to detect, so
>> it's not flawed.
>
> The detection logic is part of the Windows Update product, speaking in the
> broader sense.
Actually, this is a misconception.
The =engine= is contained within the Windows Update Agent code.
However, the =data= that tells that engine what to do is contained within
the update package itself, and is unique to each update package.
It's generally this data that is the reason updates have "revisions", and
MSRC documents are revised. Case in point -- just today Microsoft revised
MS07-022 for issues affecting people running Windows 2000 Service Pack 4 on
NEC 98 systems.
>> What do you expect the detection to do? Scan version of every file it
>> replaces? For large patches and SPs, it would consume too much resources
>> on the clients.
>
> MBSA 1.2.1 seemed to manage to do this without being very resource-hungry.
> (Granted service packs are a special case.)
Thus my comments, elsewhere, indicting the "scanning tools" used to
determine whether the post-install AppCenter2000SP1 system was secure. MBSA
v1.2.1 didn't exist in 2003 when this incident happened. I know that it was
2003, because if it had been 2004 they surely would have installed
AppCenter2000SP2 -- although that wouldn't have been any guarantee either,
since AppCenter2000SP2 (Jun 2003) also predated MS03-026 (Jul 2003).
Hehe... so AppCenterSP2 was released *before* MS03-026, and they chose to
install a slipstreamed *downlevel* version of the application. Go figger...
but it was suicidal, at best (and, of course, we also have the benefit of
hindsight to support that appelation).
Which then makes me want to ask when this really did occur, but either way,
I think it would just complicate the decisions behind the deployment
choices -- either way, the *current* version of the application was not
installed.
> Probably qfecheck is the right tool to check for this class of problem.
> However, it does seem that this functionality should be built into WUA, or
> perhaps the OS.
>
> ... actually the other thing that puzzles me is why Windows File
> Protection didn't kick in.
Windows File Protection on a Windows 2000 Service Pack 3 system? Service
Pack 4 was only released in June, 2003, and I suspect not yet installed on
the subject system, given that they also were not installing AppCenterSP2
(Jun 2003).
>> Personnaly at this point, I'd upgrade App Centre to the cuttent version.
>> Or at least, install it immediately after the OS, before patches.
>
> Are you suggesting that whenever we need to run a new application we
> should buy a new server? I don't think that's a feasible solution in
> general. :-)
No, I don't think that's what Asher is suggesting, but then I also think
that he's misunderstood that this incident is a legacy incident, that
occurred four years ago, not in the recent past.
It's also irrelevant, because AppCenter2000 isn't a supported product at
all, any more. Mainstream Support expired in July, 2006. Only Security
Updates for AppCenter2000SP2 are available, now.
However, in either situation, the *correct* installation methodology would
have surely alleviated some of the issues experienced. The *application*
being installed was at a SP level dated from October, 2001, on top of a
patch released in July, 2003 (and possibly, even, an unsupported SP level if
this all happened after June 2004).
That means, de facto, the *application* had no knowledge of any updates
applicable to that system beyond that date -- even the most current SP for
that application could not have known.
The logical conclusion (at least to me) would be that *anything* released
after that date was subject to having been corrupted. At a minimum I would
have (RE)INSTALLED Service Pack 4 (Jun 2003), and all security patches
released after Service Pack 4 (which would have included MS03-026) -- but
then I would have also installed the product's most recent service pack as
well.
The second problem was trusting the patch tools available at that point
(Windows Update) to properly identify the deficiencies in the patch level of
the system. In 2003, all that WU did was check a registry value to determine
if a patch had been "installed" or "not installed". The only certain way to
know was to personally verify the file versions and/or simply reapply the
update(s) potentially affected -- and certainly any Critical Security
Updates -- like a Blaster patch!
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
|
|
Lawrence Garvin (MVP) wrote:
[Quoted Text] >> The detection logic is part of the Windows Update product, speaking in the
>> broader sense.
>
> Actually, this is a misconception.
>
> The =engine= is contained within the Windows Update Agent code.
>
> However, the =data= that tells that engine what to do is contained within
> the update package itself, and is unique to each update package.
Yeah, but I'd define the Windows Update *product* to include both the Windows
Update Agent and the update packages - neither can function without the other,
after all.
>> ... actually the other thing that puzzles me is why Windows File
>> Protection didn't kick in.
>
> Windows File Protection on a Windows 2000 Service Pack 3 system?
Ah. That would explain it. I hadn't quite picked up on quite how far back into
the dark ages we were looking here.
> However, in either situation, the *correct* installation methodology would
> have surely alleviated some of the issues experienced.
Sure, but that's not my point. I think that if patch corruption isn't reliably
detected - regardless of what may have caused the corruption - this is (or was!)
a legitimate concern. (It could - presumably - just as easily have happened as
the result of a recent but badly written third-party installer.)
Does Windows File Protection address this problem? It seems that it should, but
I don't know a lot about exactly what it actually does. Certainly I've seen
QFECHECK report a problem when WFP was silent - but I'm still not sure whether
or not that was a false negative or a false positive, and slipstreaming was
involved which I suppose bypasses WFP anyway.
Harry.
|
|
"Harry Johnston" <harry[ at ]scms.waikato.ac.nz> wrote in message
news:uevYfHguHHA.3376[ at ]TK2MSFTNGP04.phx.gbl...
[Quoted Text] > Lawrence Garvin (MVP) wrote:
>
>>> The detection logic is part of the Windows Update product, speaking in
>>> the broader sense.
>>
>> Actually, this is a misconception.
>>
>> The =engine= is contained within the Windows Update Agent code.
>>
>> However, the =data= that tells that engine what to do is contained within
>> the update package itself, and is unique to each update package.
>
> Yeah, but I'd define the Windows Update *product* to include both the
> Windows Update Agent and the update packages - neither can function
> without the other, after all.
I understand that propensity for the common perception -- but the
distinction is actually very significant.
There's this natural inclination to want to blame WSUS, WUA, or the WSUS/WUA
dev teams for failings that appear to be in the product, that are actually
defects in the detection -parameters- defined by the update itself.
Perhaps the most classic example I can recall off the top of my head is the
(still existing) Snafu with the JVM update (KB816093). See this article for
additional info: http://wsusinfo.onsitechsolutions.com/articles/004.htm
Those update detection parameters are solely the output of the individual
product team's Sustained Engineering groups -- and totally outside the
purview of the WSUS/WUA teams. So, in the above example, the flaw lies in
the work product of the JVM SE group -- no doubt which was long disbanded by
the time the detection flaws in KB816093 were discovered by WSUS 2 admins in
July, 2005.
It's kind of like a beer distributor. They bring the Budweiser to you, and
they're responsible if the glass is broken, or the cans are dented, but they
got nothing to do with whether the beer tastes good, or whether you prefer
MGD to Bud Select.
>>> ... actually the other thing that puzzles me is why Windows File
>>> Protection didn't kick in.
>>
>> Windows File Protection on a Windows 2000 Service Pack 3 system?
>
> Ah. That would explain it. I hadn't quite picked up on quite how far
> back into the dark ages we were looking here.
<VBG>
>> However, in either situation, the *correct* installation methodology
>> would have surely alleviated some of the issues experienced.
>
> Sure, but that's not my point. I think that if patch corruption isn't
> reliably detected - regardless of what may have caused the corruption -
> this is (or was!) a legitimate concern.
I absolutely agree with you.
But the appropriate procedures in 2003-2004 are entirely different than the
appropriate procedures in 2007.
In 2003, the situation require a much greater involvment of *human*
verification and validation.
> (It could - presumably - just as easily have happened as the result of a
> recent but badly written third-party installer.)
Granted, but either way, there's still a certain amount of undenyable
responsibility that sits in the lap of the person at the console.
> Does Windows File Protection address this problem?
*Today* on a Win2003 or WinXP system, yes, WFP would definitely have
prevented that snafu.
Actually, the whole updated patch mechanism built into XP and 2003, which
makes use of the %windir%\$hf_mig$ update cache folder, would have
automatically replaced that downgraded DLL needed by MS03-026.
In fact, just the other day I hit a wall with WFP trying to downgrade a WUA
to do testing on the WUA upgrade patch for WSUS 3.0. Because the wups.dll
files were installed from the WUA v7 package, and covered under WFP, when
the WUA v5.8 installer tried to overwrite them via use of the /wuforce
switch -- or when I tried to manually delete them and replace them with the
v5.8 files -- WFP simply replaced the v7 files.
In fact, it's this very technology that's obsoleted the legacy practice (on
WinNT and Win2000) of having to 'reinstall' the latest service pack after
every OS "life changing" event.
> and slipstreaming was involved which I suppose bypasses WFP anyway.
Possibly. I'd have to look at this. WFP is supposed to be protecting core
"RTM" files also, so by that standard, slipstreamed updates should also be
protected. On the other hand, if slipstreaming doesn't properly update the
WFP registration database, WFP would have no way of knowing that a newer
version had been replaced. Also, WFP is quite dependent on the "cache" copy
of those files in the dllcache folder, and if they're not there, they
wouldn't be replaceable.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
|
|
Lawrence Garvin (MVP) wrote:
[Quoted Text] >> Yeah, but I'd define the Windows Update *product* to include both the
>> Windows Update Agent and the update packages - neither can function
>> without the other, after all.
>
> I understand that propensity for the common perception -- but the
> distinction is actually very significant.
>
> There's this natural inclination to want to blame WSUS, WUA, or the WSUS/WUA
> dev teams for failings that appear to be in the product, that are actually
> defects in the detection -parameters- defined by the update itself.
I hadn't thought of looking at it that way. Certainly the actual update is not
part of the Windows Update product; for example, if the update doesn't actually
close the vulnerability it is supposed to address, that certainly isn't a
Windows Update problem. By analogy, then, the detection parameters also aren't
part of Windows Update, though the implementation of those parameters is.
Harry.
|
|
"Harry Johnston" <harry[ at ]scms.waikato.ac.nz> wrote in message
news:e9AoMxhuHHA.4476[ at ]TK2MSFTNGP03.phx.gbl...
[Quoted Text] >> There's this natural inclination to want to blame WSUS, WUA, or the
>> WSUS/WUA dev teams for failings that appear to be in the product, that
>> are actually defects in the detection -parameters- defined by the update
>> itself.
>
> I hadn't thought of looking at it that way. Certainly the actual update
> is not part of the Windows Update product; for example, if the update
> doesn't actually close the vulnerability it is supposed to address, that
> certainly isn't a Windows Update problem. By analogy, then, the detection
> parameters also aren't part of Windows Update, though the implementation
> of those parameters is.
Exactly.
--
Lawrence Garvin, M.S., MCTS, MCP
Independent WSUS Evangelist
MVP-Software Distribution (2005-2007)
https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D095EB07B36E
Everything you need for WSUS is at
http://technet2.microsoft.com/windowsserver/en/technologies/featured/wsus/default.mspx
And, almost everything else is at
http://wsusinfo.onsitechsolutions.com
.....
|
|
|