Force https on MS Updates

Talk about internet security, computer security, personal security, your social security number...

Force https on MS Updates

Postby Tom T. » Sun Mar 22, 2009 11:49 pm

It doesn't seem to be widely known, but you can obtain Microsoft Updates through an https SSL-secured connection.

[This is an answer, not a question, but one of the recent upgrades to NS was forcing https on sites, so it seems pertinent as well as safety-related. If the admin or many members feel it's O/T and should be deleted, cool. On the other hand, if he wants to make it sticky, that's OK too. Or just delete this paragraph.]

First, if you have Automatic Updates enabled, either disable them or set them to "Notify me but don't download or install them". This is done through Control Panel > Automatic Updates. (I personally disable them completely, but if anyone wants to discuss why/why not, that's a topic for a separate thread.)

Add the following to your list of Trusted sites in IE: (IE Tools or Control Panel; > Internet Options > Security > click Trusted > Sites.

https://update.microsoft.com
https://www.update.microsoft.com (both needed, per MS.)

When you are notified, especially on Patch Tuesday, (second Tuesday of each month, Redmond, Washington, USA time, UTC-8 in winter and UTC-7 in summer), expand the descriptions and decide which ones you want. Otherwise, you end up with garbage like SP3 or IE7. Then "cancel" the Auto-Update box on your desktop. Of course, you can check for updates any time you like, especially if you hear or read about a vulnerability so terrible that even MS patches it without waiting for Tuesday of next month.

Now go to https://update.microsoft.com, in your admin-privilege IE browser. (Discussion later about how to do it in Fx.) I personally have deleted the Windows Update shortcut and replaced it with an IE bookmark to the secure site. If you get a dialog box:

"You are about to view pages over a secure connection", > OK.

At some point, you will get a second dialog box:

"This page contains both encrypted and unencrypted content. Do you wish to view the unencrypted items?" (or something close.) You must check "NO", or else you immediately will be taken back to the insecure update page.

Be sure to check "Custom" scan. "Express" will again sneak unwanted updates onto your machine.

The scan for pertinent updates will happen. (MS literature seems to indicate that this scan itself is over a secure connection by default, although no browser icons or anything else seem to indicate that.)
You then review them (they're the same ones you saw in the Auto-Update box), uncheck the ones you don't want, Review And Install Updates, and the process continues normally. They download over your secure connection, install as usual, and prompt you to restart as usual. Done.

Aside from safety issues, phishing, etc., this will cost MS a lot of money for bandwidth and server capacity if everyone does it. Seems like a good argument in favor right there. Let's let them know that there *are* security-conscious people out there (even people who run Windows lol). Maybe they'll get a clue.

**************************

If you have disabled Automatic Updates completely, you need to do the following before going to the Update site, else you get an error message that says to do these. Might as well do them first.

[quote=MS]The site cannot continue because one or more of these Windows services is not running:

Automatic Updates (allows the site to find, download and install high-priority updates for your computer)
Background Intelligent Transfer Service (BITS) (helps updates download more quickly and without problems if the download process is interrupted)
Event Log (keeps a record of updating activities to help with troubleshooting, if needed)

To make sure these services are running:

1. Click Start, and then click Run.
2. Type services.msc and then click OK.
3. In the list of services, double-click on Automatic Updates and then click Properties.
4. In the Startup type list, select Automatic and click Apply.
5. Verify that the Service status is started, if the Service Status is Stopped click on the Start Button.
6. In the list of services, double-click on Background Intelligent Transfer Service (BITS) and then click Properties.
7. In the Startup type list, select Manual and click Apply.
8. Verify that the Service status is started, If the Service Status is Stopped click on the Start Button.
9. In the list of services, double-click on Event Log and then click Properties.
10. In the Startup type list, select Automatic and click Apply.
11. Verify that the Service status is started, If the Service Status is Stopped click on the Start Button.[/quote]

(No reboot is required for these changes -- TT)
**************************************
Note that you might get a failure message from the Auto-updater, since you did not let it do its thing. But you got them manually. If any doubt, after reboot go to Control Panel > Add/Remove Programs, make sure "Show updates" is checked, and check the list near the bottom for the kb numbers of the desired updates. The date is a dead giveaway, too. But also check back again sometime after midnight on Patch Tuesday, i. e. about 1200 UTC on Wednesday. I've seen some updates released early in the day and others released later in the evening.

If you had Automatic Updates completely disabled, you will need to set it back to that after doing this. Also check back in the Services window (Start > Run type services.msc .> Enter.) Double-click "Automatic Updates" and "Background Intelligent Transfer Service" and set each to Manual. Since this takes effect only on the next boot, stop these services now, too. (I would keep "Event Log" on Auto for other purposes.) Saves RAM, CPU, battery, time, etc., and stops the machine from continuing to query the AU server.

Feedback on this post is *very* welcome.

Is anyone interested in knowing how to get the updates securely through Fx, *without* any IE-emulation stuff and without adding ActiveX support to Fx?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Force https on MS Updates

Postby Alan Baxter » Mon Mar 23, 2009 12:44 am

Although this article is academically interesting to me, I think it would go in something like an InformAction Tech forum, if we had one. It's not a NoScript support question at all, or even a Firefox one. You've put a lot of research into this, Tom, so please don't delete it. Would moving it over to NoScript General be a little better? You ought to post it to MozillaZine Tech too. You might get a lot of informed feedback over there.

I use Automatic Updates with "Notify me but don't download or install them". That interface allows me to untick any update I don't want, such as the Malicious Software Removal Tool, SP3, or the gigantic 284MB "Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update" high-priority update which none of my programs need. Then press "Download". The download might not take place immediately, but it happens silently in the background. I can even turn off my computer. The download happens eventually and Automatic Updates notifies me when the updates I selected are ready to install. That said, I did use Microsoft Update to download and install SP3 and the latest Update for Root Certificates for IE7.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
Alan Baxter
Ambassador
 
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Force https on MS Updates

Postby Giorgio Maone » Mon Mar 23, 2009 9:05 am

Alan Baxter wrote:It's not a NoScript support question at all, or even a Firefox one.

Moved to Security.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)
User avatar
Giorgio Maone
Site Admin
 
Posts: 7322
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Force https on MS Updates

Postby Tom T. » Tue Mar 24, 2009 12:08 am

I *love* the addition of the new "Extras" category, expanding "Metaforum" with "General Web Tech" and especially "Security". After all, in the "big picture", "Security" is why we're all here in the first place. There are some great minds here, and I'm here too :lol: , so I would expect a lot of cross-pollination -- some of which might eventually result in being of use in NS.

Thanks, Giorgio, for donating your bandwidth and hosting capacity. I have a hunch this site is growing to grow very rapidly.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Force https on MS Updates

Postby Tom T. » Tue Mar 24, 2009 12:15 am

Alan Baxter wrote: That interface allows me to untick any update I don't want, such as the Malicious Software Removal Tool

Alan, I'm curious: What's wrong with MSRT? It runs once on reboot, lets you know if it found anything, then goes to sleep until next month's updates. Yes, it will report to MS if it finds one of the prevalent viruses it lists, but that should be firewall-blockable. In ZoneAlarm, I would presumably get an alert: "Malicous SW Tool is trying to access the Internet" (Deny.)

If you don't like having 25 Mb of disk space wasted, then after it's run once, go to C:\windows\system32 (or whatever is your %windir%\system32) and delete MRT.EXE. It's not even under Windows File Protection, so it won't fuss at you for deleting it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Force https on MS Updates

Postby Alan Baxter » Tue Mar 24, 2009 4:40 am

Tom T. wrote:What's wrong with MSRT?

1) The docs say it will automatically delete anything it finds. I've been burned by automatic deletion of false positives by anti-malware, so I won't run anything which does more than just report and let me decide what to do. That's how I have my AV set up.
2) It's unnecessary. Don't get me wrong, MSRT is a terrific idea, especially for systems which might not have an up-to-date anti-malware program. If I needed it, I'd use it. It is necessary for MS to include it. They need to cover their ass and say they're doing everything they can to keep their machines clean. I'm glad they are.
3) Privacy's not an issue in this case.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
Alan Baxter
Ambassador
 
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Force https on MS Updates

Postby Tom T. » Tue Mar 24, 2009 5:36 am

Alan Baxter wrote:1) The docs say it will automatically delete anything it finds.

We must be looking at different docs. http://support.microsoft.com/kb/890830 says,

Microsoft Help and Support, kb890830 wrote:Removing malicious files

If malicious software has modified (infected) files on your computer, the tool prompts you to remove the malicious software from those files. If the malicious software modified your browser settings, your homepage may be changed automatically to a page that gives you directions on how to restore these settings.

You can clean specific files or all the infected files that the tool finds. Be aware that some data loss is possible during this process. Also, be aware that the tool may be unable to restore some files to the original, pre-infection state.

It's not that I'm a big fan. I konw that it looks only for the *most prevalent* malwares. I just didn't see the harm in letting it do its thing. I could live without it as well.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Force https on MS Updates

Postby Tom T. » Tue Mar 24, 2009 5:39 am

Alan Baxter wrote:I use Automatic Updates with "Notify me but don't download or install them". That interface allows me to untick any update I don't want, such as the Malicious Software Removal Tool, SP3, or the gigantic 284MB "Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update" high-priority update which none of my programs need. Then press "Download". The download might not take place immediately, but it happens silently in the background. I can even turn off my computer. The download happens eventually and Automatic Updates notifies me when the updates I selected are ready to install. That said, I did use Microsoft Update to download and install SP3 and the latest Update for Root Certificates for IE7.

Is there some reason why you would not want to do all of that over a secure, encrypted connection, as the OP suggests?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Force https on MS Updates

Postby therube » Tue Mar 24, 2009 3:30 pm

Eh, are you not the OP, or are you quoting from somewhere else?

Why would someone want to do this over a secure, encrypted connection rather then simply using the MS mechanisms (Automatic Updates & BITS & such)?

Sure post the FF method.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090303 SeaMonkey/1.1.15
User avatar
therube
Ambassador
 
Posts: 4900
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Force https on MS Updates

Postby Alan Baxter » Tue Mar 24, 2009 5:06 pm

Tom T. wrote:
Alan Baxter wrote:1) The docs say it will automatically delete anything it finds.

We must be looking at different docs. http://support.microsoft.com/kb/890830 says

Hmm. It looks like I might have misunderstood its description in Windows Update. Sounds safe enough after all. Thank you for pointing that out.

The tool focuses on the detection and removal of active malicious software. Active malicious software is malicious software that is currently running on the computer. The tool cannot remove malicious software that is not running. However, an antivirus product can perform this task.

I'm not currently running any malicious software, so I'll be surprised if MSRT reports anything. If it does, then I'll follow up with a full scan from my AV and anti-malware apps.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
Alan Baxter
Ambassador
 
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Force https on MS Updates

Postby Alan Baxter » Tue Mar 24, 2009 5:34 pm

Just downloaded MSRT and started running it. Here's what the dialog box says, the emphasis was added by me:
The tool is scanning your computer for prevalent malicious software, and removing any that is found.

After this operation completes, the tools will provide you with a report of the malicious software that was detected and removed.

Uh, no, all I want is detection, not removal. I clicked Cancel. If I recall correctly, it was the "remove" language that I didn't like in its description from Automatic Updates. I think I'll stick with my AV and other anti-malware tools. I'm sure they won't do any automatic removal. And surely they already know about anything that MSRT does.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
Alan Baxter
Ambassador
 
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Force https on MS Updates

Postby Tom T. » Tue Mar 24, 2009 10:52 pm

Hmmm... a discrepancy between what MS documentation says will happen vs. what actually happens. Who would ever have expected that from Microsoft? :mrgreen: Good catch -- if you feel like it, email MS and point out the discrepancy. (That's not as futile as you'd think. After discovering the secure update site above, I would get browser security warnings of "mismatch between site name on certificate and actual site name". It was a trivial difference, but I wrote them, the person said, "That's not my job, but I'll pass it on", and a couple of months later, it was fixed.)

I've always just let it run invisibly on reboot, so haven't watched it. I guess I'm lucky not to have had any false positives. I agree this makes it even less useful. Yes, all my AV tools notify me and give me choice. Thanks for the good catch.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Force https on MS Updates

Postby Tom T. » Tue Mar 24, 2009 11:00 pm

therube wrote:Eh, are you not the OP, or are you quoting from somewhere else?
I guess I thought maybe OP could stand for "original post" as well as "original poster". Sorry for the confusion.
therube wrote:Why would someone want to do this over a secure, encrypted connection rather then simply using the MS mechanisms (Automatic Updates & BITS & such)?

This *does* use the MS mechanisms; it just does it over a secure connection. I could think of reasons, (MITM attack, maybe?) but I guess my feeling is that if you can do anything securely, why not? (I think the entire web should go to https, but that's just a personal opinion.) If you have AU set to "notify only", rather than to "off", it's hardly any more time.
Sure post the FF method.

OK, will do a bit later. I need to take some time to make sure the post is clear, simple, and accurate. Thanks for your interest.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Force https on MS Updates

Postby GµårÐïåñ » Thu Apr 09, 2009 3:45 am

I know this is splitting hair but how about moving it to WebTech section? :mrgreen:
Either way good information so it doesn't really matter where it goes.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
[ Major's Blog ] .:. [ Security Pack ] .:. [ Productivity ]
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 NoScript/1.9.1.7 FlashGot/1.1.8.5 FirePHP/0.2.4
User avatar
GµårÐïåñ
Lieutenant Colonel
 
Posts: 2918
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Force https on MS Updates

Postby Tom T. » Thu Apr 09, 2009 5:32 am

GµårÐïåñ wrote:I know this is splitting hair but how about moving it to WebTech section?.

My perception was that the issue would be preventing a MITM from corrupting your updates or otherwise interfering or accessing your machine or connection (that's the idea behind SSL, right?) so it was a "Security" issue. No strong feelings, but the minute someone mentions https or ssl, I think "security". YMMV. Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US and very good at it, so please write properly; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 which is much better than 3.x
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Next

Return to Security

Who is online

Users browsing this forum: No registered users and 1 guest