Friday, 14 September 2007

Microsoft downplays stealth update concerns

Microsoft Corp. today essentially called the concerns over undercover updates to Windows XP and Windows Vista a tempest in a teapot, saying that silent modifications to the Windows Update (WU) software have been a longtime practice and are needed to keep users patched.

"Windows Update is a service that primarily delivers updates to Windows," said Nate Clinton, program manager in the WU group on the team's blog today. "To ensure ongoing service reliability and operation, we must also update and enhance the Windows Update service itself, including its client-side software."

Microsoft was moved to respond after the popular "Windows Secrets" newsletter looked into complaints that WU had modified numerous files in both XP and Vista, even though users had set the operating system to not install updates without their permission. In many cases, users who dug into Windows' event logs found that the updates had been done in the middle of the night.

Windows gives users some flexibility in how their PCs retrieve and install updates and patches from the company's servers. In Vista, for example, users can turn off Automatic Updates entirely; allow the operating system to check for, but neither download nor install, any fixes; or allow it to download files but not install them.

Clinton tackled the stealth install issue in some detail. "One question we have been asked is why do we update the client code for Windows Update automatically if the customer did not opt into automatically installing updates without further notice? The answer is simple: Any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available."

Failing to do so, he argued, would have ultimately run counter to what a user wants and needs. "Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications." The result, he said, would be to leave users at risk to attack via vulnerabilities Microsoft has patched. "That would lead users to believe that they were secure, even though there was no installation and/or notification of upgrades."

In fact, the practice has been going on for some time, Clinton claimed. "The Windows Update client is configured to automatically check for updates anytime a system uses the WU service, independent of the selected settings for handling updates. This has been the case since we introduced the Automatic Update feature in Windows XP. In fact, WU has autoupdated itself many times in the past," he said.

That would be news to the majority of people who filled several threads on Microsoft's own support newsgroups starting in late August. "I found this information by myself, checking the Windows directories," griped someone identified as Frank. "But the point is that I didn't allow the update (Automatic Update properties on 'notify') and there is no information about this update on Microsoft [Web pages]. Why [didn't] Microsoft publish any information about this update?"

Clinton also disputed user accounts of stealth updates to WU even when they had completely disabled the automatic update feature in the operating system. "WU does not automatically update itself when Automatic Updates is turned off, this only happens when the customer is using WU to automatically install upgrades or to be notified of updates," said Clinton.

He did issue a mea culpa -- of sorts. Although he stopped short of apologizing for the lack of information, he said Microsoft is considering changes. "[This] is not to suggest that we were as transparent as we could have been," he admitted. "To the contrary, people have told us that we should have been clearer on how Windows Update behaves when it updates itself. We are now looking at the best way to clarify WU's behavior to customers so that they can more clearly understand how WU works."

That's crucial for both end users and companies, said Andrew Storms, director of security operations at nCircle Network Security Inc., a security and compliance vendor. "The question is, why haven't users been more clearly educated that this is the way [WU] updates work?" Storms asked. "I'm glad to see software updated, but the better tack would have been to fully explain this.

"Frankly, this surprises me a bit. Microsoft's making an effort to provide us with more information, especially in the last year."

Microsoft didn't completely address one question Storms had, however: In corporations, where system integrity is not only demanded, but often crucial, how is Microsoft handling these kinds of updates to the WU client files on machines patched through Windows Server Update Services (WSUS), the server-side update manager?

Microsoft's Clinton mentioned WSUS in passing. "[For] enterprise customers who use WSUS or Systems Management Server, [the now-obsolete predecessor to WSUS], all updating, including the WU client, is controlled by the network administrator, who has authority over the download and install experience."

Microsoft's own technical documentation is unclear as to exactly what control administrators have over Automatic Updates. In a page headlined "Automatic Updates client self-update feature," WSUS administrators are told much the same as consumers, in some of the same language Clinton used in his blog. "Each time Automatic Updates checks the public Web site or internal server for updates, it also checks for updates to itself. This means that most versions of Automatic Updates can be pointed to the public Windows Update site, and they will automatically self-update," the document reads.

That's exactly how the process works for users not connecting to a WSUS-equipped server.

Even the alternative -- "You can also use the WSUS server to self-update the client software," the document said -- doesn't spell out what oversight administrators have over the modifications. In fact, this approach relies on the Internet Information Services (IIS) component of Windows Server to ping the same public servers Microsoft uses to push WU updates to anyone not using WSUS.

IIS, according to another support document, feeds the updates to a virtual directory named "Selfupdate" under the Web site running on port 80 of the WSUS server. Dubbed the SelfUpdate Tree, this folder contains the WSUS-compatible Automatic Updates software, said Microsoft.

The company did not provide more information on how, or whether, silent updates are processed by WSUS.

"This could be a very big deal to enterprises," said Storms, depending on exactly what happens in a WSUS environment. "You just don't want unknown files installed or changed."

And it's the not-knowing that bothers him. "What's really interesting here is that we don't know, do we?" said Storms. "We're looking for a more holistic view of what WU does. And Microsoft hasn't given it to us."

Help wanted: IT workers with server virtualization skills

SAN FRANCISCO – As more organizations adopt server virtualization software, they're also looking to hire people who have worked with the technology in live applications. But that experience is hard to find, as Joel Sweatte, director of IT at East Carolina University's College of Technology and Computer Science, recently discovered when he advertised for an IT systems engineer.

Sweatte received about 40 applications for the job at the Greenville, N.C.-based college, but few of the applicants had any virtualization experience, and he ended up hiring someone with none. "I'm fishing in an empty ocean," Sweatte said.

To give the new employee a crash course in virtualization, Sweatte brought him to market leader VMware Inc.'s annual user conference here this week. "That's a major expenditure for a university," Sweatte said of the conference and travel costs. "[But] I wanted him to take a drink from the fire hose."

Sweatte isn't the only one who has had trouble finding IT workers with virtualization skills. VMware said VMworld 2007, which ends today, drew more than 10,000 attendees -- up from about 7,000 at last year's event. But in interviews at the conference, it was common to find attendees who were new to virtualization and largely self-taught on the technology.

For instance, Jeff Perry, IT manager at HealthBridge, a not-for-profit organization in Cincinnati that electronically connects area hospitals and other medical facilities so doctors can exchange patient data, began deploying virtualization software six months ago. He came to VMworld to pick up some more technical skills and said he plans to spend a lot of time teaching himself about virtual systems.

The conference was a good starting point for learning about the technology, Perry said, "but there is so much research that you have to do after this."

And there's no question in Perry's mind that virtualization has become a critical IT component. "Hardware right now is so underutilized," he said. "To carve out spaces for virtual machines is the wave of the future."

IT professionals can certainly train themselves to work with virtualization software, VMworld attendees said. But, they added, it helps to have a broad base of data center skills beforehand.

"In the old days, you really just needed to understand the server -- now you have to understand not just the server, but the command lines of the Linux operating system, networking, how switches work, storage and fiber connections," said Kirk Marty, a senior systems engineer at Minneapolis-based Jostens Inc., which makes class rings, yearbooks and other products.

Michael Youngers, a lead systems administrator for the storage and storage-area networking groups at Carter & Burgess Inc. in Fort Worth, Texas, said that when the engineering and consulting firm decided to adopt virtualization about six months ago to improve its disaster recovery capabilities, he taught himself how to use the software. "I stumbled into it," he said.

But after seeing how virtualization has led to server consolidation, the removal of old hardware and lower power and cooling costs at Carter & Burgess, Youngers is convinced that it's a need-to-know technology for IT workers. "You are going to have to get on board," he said.

Peter Marx, chief IT architect at Knorr-Bremse GmbH, a Munich-based manufacturer of truck and railroad components, has been involved in x86 server virtualization for several years, making his company a relatively longtime user. When Knorr-Bremse started out with the technology, Marx couldn't hire anyone with virtualization skills. Such people "simply weren't available then," he said.

Workers at the company attended some training programs, Marx said. But mostly, "they simply did it," he added. "It's more of a German-type approach."

Macs on the network: Time to panic?

They're coming. Gleaming all-in-ones, metallic slimline notebooks and hand-size "mini" machines.

For network admins, the Macintosh has always been the purview of advertising agencies, entertainment companies, educators and home computer users. Mac OS X is merely a minor support issue in a Microsoft-dominated organization.

Yet as the consumer market begins to meld with the corporate world even more, and employees expect to use their preferred gadget (and operating system) for work and home life, the Mac could make inroads at large corporations.

The facts reveal a coming resurgence. Apple sold 36% more Macs in the second quarter than the same quarter last year. The company has sold more than 1 million iPhones and 110 million iPods to date. There also just seems to be "something in the air" -- or at least the blogosphere -- suggesting a Mac resurgence. Blogs such as post about Apple constantly, and even IT analyst firms that have usually downplayed the Mac as "niche" are talking about the platform in the corporate world again.

"We expect that much of today's IT infrastructure is going to be turned upside down by the invasion of consumer technologies," said Andrew Jaquith, an analyst at Yankee Group Research Inc. in Boston. "Consumerization is going to make IT's job harder, and platforms like the Mac are going to become increasingly common, in many cases in spite of the wishes of management."

Minimal changes or maximum stress?

For the most part, connecting a Mac to a corporate LAN doesn't have a world-shattering effect on performance or support. According to William Green, director of networking at the University of Texas in Austin, the Mac has had a minimal impact on the school's infrastructure.

"All OSs behave differently; if you have a multivendor environment, you have to deal with the differences," said Green. "There have not been any special problems related to Macs."

Green did mention a few bugaboos, however, among his generally positive comments about the Mac. He said his group has seen more support issues related to the Cisco VPN for Mac than the version for Windows XP, although they have fewer support calls for the native VPN client for OS X.

"There have been problems with OS patches affecting wireless connectivity for a small portion of Mac laptops in the past -- specifically related to 802.1X," he said. "Those appear to have been corrected. We have found the Mac OS X client much easier for users to configure for wireless and 802.1X. It has been a benefit not having to deal with all the third-party drivers that come from the PC/XP world since this has caused a lot of problems for XP users during our 802.1X wireless rollout."

Yankee's Jaquith mentioned another pitfall. Admins have found they can turn on the outbound firewall in Windows XP SP2 for each network adapter independently through the GUI. With OS X, however, admins have to use a command-line parameter in the OS X IPFW tool to enable the feature, turn on logging and enable stealth mode so the Mac doesn't reply to network pings.
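The three settings Jaquith lists (firewall on, logging on, stealth mode so the Mac does not answer pings) written out as a reviewable ipfw rule set. This is an added example, not code from the article or from Yankee Group; it assumes the FreeBSD-derived ipfw syntax and net.inet.ip.fw.* sysctl names of Tiger-era OS X, and the rule numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: the OS X firewall settings the
# article says had to be set from the command line (firewall enabled,
# logging on, stealth mode = silently drop ICMP echo requests) as an
# ipfw rule set. Assumptions: FreeBSD-style ipfw syntax and the
# net.inet.ip.fw.* sysctls of Tiger-era OS X; rule numbers are constructed.

# Emit the commands instead of running them, so the set can be reviewed
# (and tested) before it is applied with root privileges. Trailing "#"
# comments are stripped by sh when the lines are executed.
build_ipfw_rules() {
    cat <<'EOF'
sysctl -w net.inet.ip.fw.enable=1                          # turn the firewall on
sysctl -w net.inet.ip.fw.verbose=1                         # log rules marked "log" to syslog
ipfw -f flush                                              # start from an empty rule set
ipfw add 1000 allow ip from any to any via lo0             # loopback is always allowed
ipfw add 1100 check-state                                  # admit replies to our own outbound traffic
ipfw add 1200 allow ip from me to any out keep-state       # outbound allowed, state recorded for replies
ipfw add 1300 allow udp from any 67 to any 68 in           # DHCP replies (no state: sent from 0.0.0.0)
ipfw add 2000 deny log icmp from any to me in icmptypes 8  # stealth: drop echo requests without answering
ipfw add 2100 deny log ip from any to any in               # default-deny inbound, logged
EOF
}

# Apply the rule set; requires root. Lines are run through sh -e so a
# failing command aborts instead of leaving a half-built rule set.
apply_ipfw_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ipfw_rules: run as root" >&2; return 1; }
    build_ipfw_rules | sh -e
}

# Usage: "sh firewall.sh" prints the rules for review; "sh firewall.sh apply" installs them.
if [ "${1:-}" = apply ]; then apply_ipfw_rules; else build_ipfw_rules; fi
```

Note that "deny" (drop silently) rather than "reject" (send ICMP unreachable) is what makes the host look absent to a ping sweep; the explicit echo-request rule is kept even though the final default-deny would also catch it, so that the stealth decision is visible in the log.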

Computer consultant Bryan Bowers at Bowers Technologies Inc. in Rancho Santa Margarita, Calif., said his clients have had problems with strong network security working with the Mac, likely related to signed server message block connections. Jaquith downplayed this glitch, noting that most corporations probably don't have server security protocols set so high that the Mac operating system would have trouble accessing shares.

Bowers also mentioned his clients have trouble connecting to network printers from a Mac, and that e-mail server configuration can sometimes prove problematic, because the servers must be reconfigured to support Internet Message Access Protocol and Post Office Protocol 3 for inbound mail and Simple Mail Transport Protocol for outbound traffic.

The fact that Microsoft hasn't updated its Entourage client for the Mac in several years suggests that its OS X support is waning, although a new Office 2008 version for the Mac with a new e-mail client is due in January.

Jaquith mentioned that network backup support for the Mac platform could pose a problem for admins, because corporate backup tools often don't support the platform. "Some admins use a Unix command called 'rsync' to back up Mac hard drives on a scheduled basis," he said. "There are also some Mac-specific tools, like EMC's Retrospect, that I've heard work well."

For remote management, the Mac provides the Remote Management tool that works in the OS X GUI and allows admins to run AppleScripts remotely to change client settings.

Will the Macs invade?

Even with OS X-specific support tools, good compatibility with the network layers in a company and a wide range of desktop applications, the one "gorilla in the room" for widespread Mac adoption in bigger companies is the fact that many customized corporate applications won't work on the Mac.

Some companies get around this conundrum by using virtualization software from SWsoft Parallels or VMware Fusion, or by loading Apple Boot Camp on Mac computers so that end users can boot into OS X or Windows.

Jaquith also noted that companies are hesitant to introduce the Mac because they want to focus on as few operating systems as possible and, he said, "favor a monoculture in which all machines are the same." Most corporations are continually looking for ways to manage their infrastructure more consistently and measure network performance, and the Mac (and, for that matter, Linux) just introduces another variable. Many companies also prefer the "old familiar technology" that Windows XP provides.

Another common argument against the Mac is that Apple is the only hardware vendor, although many companies choose one primary hardware vendor, such as HP or Dell, to gain consistency in the environment.

Apple itself seems uncomfortable with the corporate world and doesn't actively advertise to the corporate market, suggesting the company is happy continuing life as a consumer darling and has no plans to compete with Microsoft.

If Jaquith and others are right, it's the consumer who will bring the platform into the corporate world and, it seems, force network managers to support the operating system.