Why can't vendors get it together when it comes to pop-up warnings and automatic updates?
We definitely have a problem with every vendor wanting to use automatic updates.
What occurs on setup of a new PC these days is simply ridiculous. The other
day I purchased a new HP Media Center PC, an m7360n to be exact. I thought I'd
share my thoughts about the installation experience with you.
Of course, Windows wanted to do updates, so did Symantec. HP wanted to do updates
of its own, and Sun's Java Runtime wanted to be updated. I was instantly
inundated with a ton of requests for updates, registrations and more updates.
I sat there frantically trying to respond to each new prompt, "Yes, get
HP Updates...," "Sure, grab whatever Windows Update wants to
give me...," "Sure, register Sonic and this and that..."
Each time I received numerous warnings from Internet Explorer or Norton that
I may be doing something I might not want to...uh, well, how should I know...I
mean, after all, I'm simply registering software and letting it update
What's the average mom or dad to do after getting something like this
for their kids?
After responding to everything that was popping up in front of me, I sat back
and waited for something to complete. First it was Windows Update telling me
the system needed to be rebooted...but other tools hadn't finished
with what they were doing. Should I let it reboot, or should I wait? Who knows?
So I started over again...more updates from Windows Update...all it
had done the first time was download the Microsoft Genuine Advantage tool...gee,
don't I feel special.
Throughout this experience I couldn't get the HP updater to do anything.
It just sat there spinning its wheels in the sand. I proceeded to check out
the logs on my router, which, by the way, was reasonably configured to prevent
all but HTTP out of my network from new machines.
To my surprise, I discovered a number of somewhat (at least to me) arcane and
rarely used protocols being blocked:
- tnETOS, UDP 377, trying to get to an HP network address. Hmm...
- saft, TCP 487, trying to get to the same HP network address. Well, OK,
Simple Asynchronous File Transfer seems reasonable, and at least its TCP.
- FTP! To a different HP network address. Say what?
Who the heck uses FTP anymore on such a broad scale? Just what kind of holes
do they want in my firewall just so I can get updates? What the heck is wrong
with using HTTP file transfers anyway?
So I poked some very specific holes in my router configuration and the HP updater
went merrily on its way. Nowhere could I find any information regarding the
need for these holes. I did read an interesting support article from HP that
talked about potentially having problems with firewalls. It gleefully suggested
I disable the firewall to avoid problems due to its presence...the article,
unfortunately, said nothing about re-enabling it at some point.
Given that most cable modems today come with some sort of rules configuration,
it seems to me that HP's lack of acknowledgement of the potential for
an external firewall device suggests they think most people are still using
dial-up. Get with the program, HP.
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here.
If there's anything that makes people turn off pop-up warnings, it's that installation
experience. With a new machine in hand, all you want to do is get to the goodies,
try it out with your favorite game, or get your business software installed.
You sure don't take the time to examine everything that's popped up in front
of you. Once the warnings are disabled and the firewall warnings ignored, seemingly
everything went OK. You've just been taught a lesson you won't soon forget --
namely, forget warnings, they don't usually foretell problems anyway.
To solve this mess, PC vendors need to figure out how to get new machines set
up at the consumer's home without this flourish. Shroud the process in
an application that directs all of the tools they provide to update themselves
without prompting. Alternatively, schedule the updating processes of the various
tools so one completes and then moves on to the next, in an order the vendor
knows will work. Rebooting while some tool is still downloading can't
Finally, start with a page that explains what is required to get the job done
properly. It cannot include instructions on how to disable a firewall, but instead
must describe every port that will be needed, for what and for how long.
I won't go into my frustration over the lack of domain support in Windows
Media Center -- that's been discussed many times elsewhere. Suffice it
to say that everyone reading this article will eventually run into this obstacle
if you purchase OEM systems. Media Center can join a domain if it's installed
as an upgrade to XP Pro that has already been in a domain...the only problem
is that few vendors give you actual installable Media Center media, so it's
impossible to install XP Pro on such a system and upgrade it to the Media Center
license you've been given by the vendor. On top of that, you'd likely
be unsupported in the end anyway. Microsoft seriously needs to reconsider this
decision given how attractive Windows Media Center is to OEMs.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.