Microsoft distributes free CDs in Japan to patch Windows
Jack Bates
jbates at brightok.net
Mon Sep 8 19:16:34 UTC 2003
Sean Donelan wrote:
>
> If infected users have an offline method for obtaining patches, then we
> don't need to figure out a way to keep their buggy, infected computers
> connected to the network long enough to download the patches.
>
And wouldn't it be nice if someone developed a good protocol that
allowed the ISP to mandate specific patch revisions for various software
before allowing the user to be connected and a way to push the revisions
to the end user in the event that they weren't up to date?

AOL can of course pull tricks like this due to the custom architecture.
Currently, a standard PPP setup with M$ or other O/S doesn't have this
level of support. VPN and various corporate security policies support
pushing policies and mandating patches in their software.

At some point, patching and maintaining security needs to be handled at
the connection. If the protocol is written, the ISP supports it, then
those with connection software supporting the protocol will maintain
security while those circumventing it with other connection methods will
not. However, given that the consumer base in question usually utilizes
a default M$ install, if M$ incorporated it into their DUN, dhcp, pppoe,
then a large portion of the problem would be solved.

Would people honestly object to keeping a security patch server locally
which received patches from the various software vendors to be pushed
out to their customers?

-Jack