Network Security NTBugtraq
patch redistribution

Subject: patch redistribution
Date: Mon, 27 Sep 2004 09:27:33 -0700
Much of the higher education sector's support personnel know this information 
already, but the rest of the world may not, and I suspect that more than a few 
heads will turn at this information. This information is similar to the 
recent BitTorrent headlines, but has implications closer to home.

Microsoft is strictly enforcing its license agreements with respect to 
redistribution of security patches to "third parties".

This means that you may not share/give a CD of Microsoft patches that you 
burned to someone else for use on a computer that you do not own. 
Institutionally, the same restriction applies. You can't patch any computer 
that your institution doesn't own with a patch that doesn't come directly from 
Microsoft's Windows Update or a certified CD from Microsoft.

In the higher education world this means that universities are severely 
restricted from assisting students in patching their computers, because 
students are considered third-parties by Microsoft. Essentially, students must 
either acquire an authorized CD, burn their own copy from a fully-patched 
computer, or go online (unpatched!) and get the patches.

In your network of family and friends the same scenario applies. They have to 
acquire their own patches.

There are some caveats and additional horrors.

SUS is not exempt from this idiocy. You may not redistribute patches to 
computers that your institution does not own via SUS. If a non-licensed 
computer (i.e. a computer that your institution doesn't own, and also isn't 
covered under a license as if it was owned by your institution) connects to 
your SUS server and downloads patches, then your institution is legally at 
fault. SUS is clearly designed to be an open patch distribution system (e.g. 
anonymous access is part of the design). These licensing issues severely limit 
the usefulness of SUS to organizations with strict intranets, and in practical 
terms mean that universities and other open organizations can't run SUS at all.

But wait you say ... what if I simply buy the external connector license so 
that 3rd parties can connect to my SUS server? Well, then they could legally 
connect, but the licenses of the individual patches themselves prohibit 3rd 
party distribution. So no go.

Some of Microsoft's licenses allow you to skirt this patch redistribution 
issue. But they are few and far between, and represent a greatly increased 
financial burden if you can find one. MSDN-AA (designed for academia) is one 
example.

In many cases, Microsoft employees have misled their clients into thinking that 
unlimited redistribution of patches was OK. You should proceed with extreme 
caution if you are counting on a similar verbal hand-waving.

The bottom line seems to be that the security initiative takes a back seat to 
other priorities within Microsoft.

References:

http://www.microsoft.com/Education/HEVDP.aspx contains text buried within it 
that first introduced this issue.

Follow-up conversations through official Microsoft support channels provided 
the details summarized above.

Some of these details are documented on the sp2-issues mailing list hosted by 
Educause. See 
http://listserv.educause.edu/cgi-bin/wa.exe?A1=ind0409&L=sp2-issues.

Two noteworthy posts from that mailing list include:

Final Q&A from 8/26 Web Cast
http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0409&L=sp2-issues&T=0&F=&S=&P=2064

and

Windows XP SP2 Update - NEW INFORMATION REGARDING BLOCKING SP2 DOWNLOADS VIA AU 
AND WU
http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0409&L=sp2-issues&T=0&F=&S=&P=1005

both from a Microsoft employee who was "authorized" to dialogue with the Higher 
Education community about this issue.




Posted by George Monkey