Mailing List Archive

RE: Windows 2000 Service Pack 3 now available.
Colin Stefani <cstefani@tideworks.com> wrote:

> Be sure to read the new EULA/privacy statement for Windows update, it has an
> interesting portion about how Windows Update and Automatic Update (which
> gets installed with SP3) can, by agreeing to this license, send the
> following pieces of info to Microsoft, this was posted on the MS focus list
> by Javier Sanchez:
>
> "With the latest version of Windows Update (essentially a mandatory download
> and now part of SP3) you consent to sending the following information to
> Microsoft:
>
> * Operating-system version number and Product Identification number
> * Internet Explorer version number
> * Version numbers of other software
> * Plug and Play ID numbers of hardware devices

This adds further irony to the blurb about enabling scripting and
ActiveX, should you visit those pages with (a browser masquerading
as) IE with no scripting nor ActiveX support:

If you are on a Web site that you trust (in this case, Windows
Update), and the ActiveX Control is provided by a publisher you
trust (in this case, Microsoft), it is safe to click Yes in the
dialog box to accept the certificate and allow the control to be
installed.

Seems MS is attempting to redefine "trustworthy" how it once tried to
redefine "open" (who else remembers the early NT launches??).

It seems the option "trust MS enough to run its software but not with
any possibly identifying information" falls outside the gambit of
"trustworthy" in MS-think! I hope they point this out _in advance of
taking their money_ to all future potential customers...


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Re: RE: Windows 2000 Service Pack 3 now available.
Nick FitzGerald wrote:

>
> This adds further irony to the blurb about enabling scripting and
> ActiveX, should you visit those pages with (a browser masquerading
> as) IE with no scripting nor ActiveX support:
>
> If you are on a Web site that you trust (in this case, Windows
> Update), and the ActiveX Control is provided by a publisher you
> trust (in this case, Microsoft), it is safe to click Yes in the
> dialog box to accept the certificate and allow the control to be
> installed.

"Publisher you trust"??? - just check - http://www.guninski.com/signedactivex2.html
for some fun with valid Microsoft signatures.
RE: Windows 2000 Service Pack 3 now available.
Here's what I did to make myself feel better.
1. Downloaded the full SP3.exe.
2. Disabled my network adapter.
3. Ran the SP3 update.
4. Rebooted.
5. Disabled Automatic Updates.
6. Re-enabled the network adapter.

However, this won't accomplish much if you use the Windows Update site, as
both the website and the Auto-update client will transmit the same
information.

As some consolation, the following text is also provided by Microsoft:
"Because Windows Update does not collect personally identifiable
information, the configuration information and GUID cannot be used to
identify you."

<SOAPBOX>
I must agree with Darren Reed's comments - SP2 was the last "free"
Service Pack. Microsoft has crossed the point of no return, and it
would be naive to believe that they are alone. Other vendors will
follow. Bruce Schneier crystallized the point one or two Blackhats ago
when he stated that people believe that, because it's computer related,
somehow it's magically different than the real world. This not only
applies to security, but it also applies to our privacy. We tolerate
these violations of our privacy when we install software, surf the web,
etc. Most of the time without giving it a great deal of thought or
concern. Because it's cyberspace? Who do you think runs those systems?
People. I don't have any answers but I ask that we all stay vigilant.
</SOAPBOX>


Javier I. Sanchez


-----Original Message-----
From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk]
Sent: Thursday, August 01, 2002 7:44 PM
To: bugtraq@securityfocus.com; full-disclosure@lists.netsys.com
Subject: RE: Windows 2000 Service Pack 3 now available.


Colin Stefani <cstefani@tideworks.com> wrote:

> Be sure to read the new EULA/privacy statement for Windows update, it has an
> interesting portion about how Windows Update and Automatic Update (which
> gets installed with SP3) can, by agreeing to this license, send the
> following pieces of info to Microsoft, this was posted on the MS focus list
> by Javier Sanchez:
>
> "With the latest version of Windows Update (essentially a mandatory download
> and now part of SP3) you consent to sending the following information to
> Microsoft:
>
> * Operating-system version number and Product Identification number
> * Internet Explorer version number
> * Version numbers of other software
> * Plug and Play ID numbers of hardware devices

This adds further irony to the blurb about enabling scripting and
ActiveX, should you visit those pages with (a browser masquerading
as) IE with no scripting nor ActiveX support:

If you are on a Web site that you trust (in this case, Windows
Update), and the ActiveX Control is provided by a publisher you
trust (in this case, Microsoft), it is safe to click Yes in the
dialog box to accept the certificate and allow the control to be
installed.

Seems MS is attempting to redefine "trustworthy" how it once tried to
redefine "open" (who else remembers the early NT launches??).

It seems the option "trust MS enough to run its software but not with
any possibly identifying information" falls outside the gambit of
"trustworthy" in MS-think! I hope they point this out _in advance of
taking their money_ to all future potential customers...


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854