Security Watch

Installation Woes

Why can't vendors get it together when it comes to pop-up warnings and automatic updates?

We definitely have a problem with every vendor wanting to use automatic updates. What occurs on setup of a new PC these days is simply ridiculous. The other day I purchased a new HP Media Center PC, an m7360n to be exact. I thought I'd share my thoughts about the installation experience with you.

Of course, Windows wanted to do updates, so did Symantec. HP wanted to do updates of its own, and Sun's Java Runtime wanted to be updated. I was instantly inundated with a ton of requests for updates, registrations and more updates.

I sat there frantically trying to respond to each new prompt, "Yes, get HP Updates...," "Sure, grab whatever Windows Update wants to give me...," "Sure, register Sonic and this and that..." Each time I received numerous warnings from Internet Explorer or Norton that I may be doing something I might not want to...uh, well, how should I know...I mean, after all, I'm simply registering software and letting it update itself, right?

What's the average mom or dad to do after getting something like this for their kids?

After responding to everything that was popping up in front of me, I sat back and waited for something to complete. First it was Windows Update telling me the system needed to be rebooted...but other tools hadn't finished with what they were doing. Should I let it reboot, or should I wait? Who knows? I rebooted.

So I started over again...more updates from Windows Update...all it had done the first time was download the Microsoft Genuine Advantage tool...gee, don't I feel special.

Throughout this experience I couldn't get the HP updater to do anything. It just sat there spinning its wheels in the sand. I proceeded to check out the logs on my router, which, by the way, was reasonably configured to prevent all but HTTP out of my network from new machines.

To my surprise, I discovered a number of somewhat (at least to me) arcane and rarely used protocols being blocked:

  • tnETOS, UDP 377, trying to get to an HP network address. Hmm...
  • saft, TCP 487, trying to get to the same HP network address. Well, OK, Simple Asynchronous File Transfer seems reasonable, and at least it's TCP.
  • FTP! To a different HP network address. Say what?

Who the heck uses FTP anymore on such a broad scale? Just what kind of holes do they want in my firewall just so I can get updates? What the heck is wrong with using HTTP file transfers anyway?

So I poked some very specific holes in my router configuration and the HP updater went merrily on its way. Nowhere could I find any information regarding the need for these holes. I did read an interesting support article from HP that talked about potentially having problems with firewalls. It gleefully suggested I disable the firewall to avoid problems due to its presence...the article, unfortunately, said nothing about re-enabling it at some point.
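The log review described above can be scripted. This is an added example, not part of the original column: it tallies denied outbound flows and proposes one narrowly scoped allow rule per flow as the alternative to disabling the firewall. The log format, the rule syntax, the addresses (RFC 5737 documentation ranges) and the choice of port 21 for FTP are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up router log format (not a real device's output).
# 192.0.2.x / 198.51.100.x are documentation addresses standing in for the vendor's servers.
SAMPLE_LOG = """\
2000-01-01T19:02:11 DENY OUT src=192.168.1.50 dst=192.0.2.10 proto=UDP dport=377
2000-01-01T19:02:12 DENY OUT src=192.168.1.50 dst=192.0.2.10 proto=TCP dport=487
2000-01-01T19:02:15 DENY OUT src=192.168.1.50 dst=198.51.100.7 proto=TCP dport=21
2000-01-01T19:02:41 DENY OUT src=192.168.1.50 dst=192.0.2.10 proto=UDP dport=377
2000-01-01T19:03:02 ALLOW OUT src=192.168.1.50 dst=203.0.113.80 proto=TCP dport=80
truncated or malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^\S+ (?P<action>ALLOW|DENY) OUT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>TCP|UDP) dport=(?P<dport>\d+)$"
)

# IANA service names for the three ports discussed in the column.
SERVICES = {("UDP", 377): "tnETOS", ("TCP", 487): "saft", ("TCP", 21): "ftp"}


def blocked_egress(log_text):
    """Return {(src, dst, proto, dport): hit_count} for denied outbound flows."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "DENY":
            continue  # skip allowed traffic and unparseable lines
        counts[(m["src"], m["dst"], m["proto"], int(m["dport"]))] += 1
    return dict(counts)


def candidate_rules(counts):
    """One rule per blocked flow: single source, single destination, single port."""
    rules = []
    for (src, dst, proto, dport), hits in sorted(counts.items()):
        name = SERVICES.get((proto, dport), "unknown")
        # Illustrative rule syntax only; translate to the router's own rule language.
        rules.append(
            f"allow out {proto.lower()} from {src} to {dst} port {dport}"
            f"  # {name}, {hits} blocked"
        )
    return rules


if __name__ == "__main__":
    for rule in candidate_rules(blocked_egress(SAMPLE_LOG)):
        print(rule)
```

Each proposed rule should be reviewed before it is applied and removed once the updater has finished.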

Given that most cable modems today come with some sort of rules configuration, it seems to me that HP's lack of acknowledgement of the potential for an external firewall device suggests they think most people are still using dial-up. Get with the program, HP.

This column was originally published in our weekly Security Watch newsletter.

If there's anything that makes people turn off pop-up warnings, it's that installation experience. With a new machine in hand, all you want to do is get to the goodies, try it out with your favorite game, or get your business software installed. You sure don't take the time to examine everything that's popped up in front of you. Once the warnings are disabled and the firewall warnings ignored, seemingly everything went OK. You've just been taught a lesson you won't soon forget -- namely, forget warnings, they don't usually foretell problems anyway.

To solve this mess, PC vendors need to figure out how to get new machines set up at the consumer's home without this flourish. Shroud the process in an application that directs all of the tools they provide to update themselves without prompting. Alternatively, schedule the updating processes of the various tools so one completes and then moves on to the next, in an order the vendor knows will work. Rebooting while some tool is still downloading can't be good.

Finally, start with a page that explains what is required to get the job done properly. It cannot include instructions on how to disable a firewall, but instead must describe every port that will be needed, for what and for how long.

I won't go into my frustration over the lack of domain support in Windows Media Center -- that's been discussed many times elsewhere. Suffice it to say that everyone reading this article will eventually run into this obstacle if you purchase OEM systems. Media Center can join a domain if it's installed as an upgrade to XP Pro that has already been in a domain...the only problem is that few vendors give you actual installable Media Center media, so it's impossible to install XP Pro on such a system and upgrade it to the Media Center license you've been given by the vendor. On top of that, you'd likely be unsupported in the end anyway. Microsoft seriously needs to reconsider this decision given how attractive Windows Media Center is to OEMs.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
