Original Post on 13-Sep-07 7:37pm:
In an interesting move today, it is reported that Microsoft is silently updating Windows XP and Vista. I emphasize silently. Remember Sony’s rootkit debacle? There are no reports of problems, but when my machine mysteriously decided on its own that it was time to reboot in the middle of a presentation, it made me look bad, and question my IT staff. We don’t have auto update turned off, but several of our customers do because of patching and regulatory restrictions. And this patch occurs even in the instances where customers turned off Windows Update!
Lo and behold, Microsoft has granted itself the privilege of changing files on every single XP and Vista system. With all the discussions about how trustworthy and secure new versions of Windows are, and the publicity surrounding Sony’s music CD installations, it stands to reason that Microsoft would not want this capability under any circumstances.
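For an administrator who wants to know what a machine’s Automatic Updates setting actually is, and whether the update agent on that machine has changed since it was last looked at, the following is an added check (it is not from the original post and not Microsoft’s tooling). It reads the standard Group Policy and local Windows Update registry locations, reports the update service state, and compares the installed Windows Update agent engine DLL version against a baseline. The baseline value is a placeholder you record yourself; nothing here asserts what any particular update did.

```powershell
# Added example (not from the original post): report how Automatic Updates is
# configured on this machine and which version of the Windows Update agent
# engine is installed, so a later change can be spotted against a baseline.
# Registry paths and value meanings are the standard documented settings;
# $baseline below is a placeholder for a value you record yourself.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-AUOptionText([int]$Value) {
    # AUOptions values as defined by Windows Update.
    switch ($Value) {
        1 { 'Never check for updates' }
        2 { 'Notify before download' }
        3 { 'Download, then notify before install' }
        4 { 'Download and install on a schedule' }
        default { "Unknown ($Value)" }
    }
}

# Group Policy settings take precedence over the local control-panel settings.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$local  = Get-ItemProperty -Path $localKey  -ErrorAction SilentlyContinue

if ($policy -and $policy.NoAutoUpdate -eq 1) {
    Write-Output 'Automatic Updates: disabled by policy (NoAutoUpdate=1)'
} elseif ($policy -and $null -ne $policy.AUOptions) {
    Write-Output ('Automatic Updates (policy): ' + (Get-AUOptionText $policy.AUOptions))
} elseif ($local -and $null -ne $local.AUOptions) {
    Write-Output ('Automatic Updates (local): ' + (Get-AUOptionText $local.AUOptions))
} else {
    Write-Output 'Automatic Updates: no explicit setting found (defaults apply)'
}

# A "never check" setting does not remove the agent; if the service still
# runs, the agent is still present on the box. Report its state and start mode.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
if ($svc) {
    Write-Output ('wuauserv service: {0} (start mode {1})' -f $svc.State, $svc.StartMode)
}

# Agent engine version: compare the file version of the Windows Update agent
# engine DLL with the value recorded the last time this check ran.
$engine   = Join-Path $env:SystemRoot 'System32\wuaueng.dll'
$baseline = '0.0.0.0'   # placeholder: replace with your recorded version string
if (Test-Path $engine) {
    $ver = (Get-Item $engine).VersionInfo.FileVersion
    Write-Output "wuaueng.dll version: $ver"
    if ($ver -ne $baseline) {
        Write-Output 'WARNING: agent engine version differs from recorded baseline'
    }
} else {
    Write-Output 'wuaueng.dll not found in System32'
}
```

Run it once to record the version string, store that as the baseline, and run it again after any maintenance window; a changed agent version on a machine whose policy says "never check for updates" is exactly the kind of discrepancy the post is complaining about.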
So what does this imply to an information security professional? A back door. Cisco, Symantec, and McAfee all claim their security products are rock solid and, thanks to encryption, digital rights management, and other safety precautions, safe to use. In their NACAttack presentation at Black Hat 2007, Dror-John Roecher and Michael Thumann showed just how safe Cisco’s security protections really are, and how complexity breeds difficulty in security. Cisco puts in a ton of security measures so that attackers can’t connect to the network, and these researchers cracked it. Why make it any easier for an attacker by giving them yet another vector to “update” files in the operating system?
I don’t care if all of this is for the betterment of my computer experience; if I don’t want it, or insist you ask me about it, you’re obligated to do just that. Explain the risks to me, then ask if I’d like to install it now. That way, if I’m in the middle of a presentation for a multi-million dollar sale, I can quietly decide that now’s not the best time for an update.