A Patch-Friendly Boot Mode?
September 10th, 2006

In my Security Absurdity article, I mentioned the window of exposure that occurs when a new, unpatched computer connects to the internet for the first time, before it has had a chance to download the patches it needs.

In 2003 I raised the idea of a Patch-Friendly Boot Mode on the Patch Management mailing list as one possible way to close this window of exposure.
I wrote, “One possible solution is a Patch-Friendly Boot Mode. Similar to booting into Safe Mode, there could be an option to boot into a Patch-Friendly Boot Mode. During this mode, the computer would boot into a minimalist mode, or even DOS mode, with all non-essential services disabled. The hard drive could boot in read-only mode, except for a single writable directory [to store the patches].
During this boot mode, the computer would connect to windowsupdate or a local patch management server (to minimize the time required to be connected to the internet) and then retrieve all the necessary patches. The patches could then be installed upon next reboot when the hard drive is back into read-write mode and prior to establishing a connection to the internet.”
Has such a solution ever been proposed? What are the potential downsides of this solution? What other solutions/workarounds are there to address the patch window of exposure?
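As an added illustration (not part of the original post or the mailing-list message), the sketch below shows the three pieces the proposal needs on a Linux host: a firewall policy that lets the machine reach only the update server (and a pinned resolver) while dropping every unsolicited inbound connection, a single writable staging directory into which downloads are placed only after their digests match the update manifest, and a next-boot step that installs what was staged before the normal network policy is loaded. The addresses, file names, payloads and digests are constructed for the example, nothing is downloaded, and the firewall rules are printed rather than executed, so it is safe to run anywhere.

```shell
#!/bin/sh
# Added example, not code from the original post. A sketch of a patch-friendly
# boot stage for a Linux host: a firewall policy that permits egress only to
# the update server, a single writable staging directory for downloads whose
# digests are verified against a manifest, and a next-boot step that installs
# what was staged. All addresses, file names and payloads are made up, nothing
# is downloaded, and the firewall rules are printed rather than executed.
set -eu

UPDATE_SERVER="192.0.2.10"     # hypothetical patch server (TEST-NET-1 address)
RESOLVER="192.0.2.53"          # hypothetical DNS resolver, pinned as well
STAGE_DIR="${STAGE_DIR:-$(mktemp -d)}"   # the one writable directory

# Patch-mode policy: default-deny both ways, loopback and established flows
# allowed, DNS only to the pinned resolver, HTTPS only to the update server.
# Unsolicited inbound connections are dropped, so nothing on the host is
# reachable from the network while it fetches patches.
patch_mode_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -d $RESOLVER --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -d $UPDATE_SERVER --dport 443 -j ACCEPT
EOF
}

# SHA-256 of a file, using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# stage_patch <downloaded-file> <expected-sha256>
# Copy a download into the staging directory and check its digest against
# the value the update manifest promised. A mismatch (tampering, truncation,
# substitution) removes the file and fails; only verified patches survive
# to the next boot. Prints the staged path on success.
stage_patch() {
    src="$1"; expected="$2"
    dest="$STAGE_DIR/$(basename "$src")"
    cp "$src" "$dest"
    actual="$(sha256_of "$dest")"
    if [ "$actual" != "$expected" ]; then
        rm -f "$dest"
        echo "rejected $(basename "$src"): digest mismatch" >&2
        return 1
    fi
    echo "$dest"
}

# apply_staged <install-root>
# Meant for the next boot, with the disk back in read-write mode and before
# the normal network policy is loaded. Installs every staged patch, logs it,
# and empties the staging directory. Installation is simulated by copying
# into <install-root>; a real system would invoke the vendor installer here.
# Prints the number of patches installed.
apply_staged() {
    root="$1"; n=0
    mkdir -p "$root"
    for p in "$STAGE_DIR"/*; do
        [ -f "$p" ] || continue
        cp "$p" "$root/" && rm -f "$p"
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) installed $(basename "$p")" >> "$root/patch.log"
        n=$((n + 1))
    done
    echo "$n"
}

# --- demonstration with constructed inputs (no network, no real patches) ---
work="$(mktemp -d)"
printf 'fake patch payload\n' > "$work/KB000001.msu"   # constructed "download"
good_hash="$(sha256_of "$work/KB000001.msu")"          # value from the "manifest"
printf 'tampered payload\n' > "$work/KB000002.msu"     # constructed, wrong content

echo "== patch-mode firewall policy =="
patch_mode_rules
echo "== staging =="
stage_patch "$work/KB000001.msu" "$good_hash"
stage_patch "$work/KB000002.msu" "$good_hash" || true  # digest mismatch: rejected
echo "== next boot =="
echo "installed $(apply_staged "$work/root") patch(es)"
```

Two caveats a practitioner would want. First, the order matters: the rules must be loaded before the interface comes up, and the read-only root with a separate writable staging partition (or tmpfs) has to be in place before the network is, otherwise the minimal mode buys nothing. Second, the digest check is only as trustworthy as the manifest it comes from; if the manifest is fetched over the same channel an attacker can tamper with, they can hand you matching digests for a bad payload, so the manifest itself needs to be signed, or at least fetched over TLS to a server whose certificate you pin.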
September 13th, 2006 at 2:46 pm
They have listened. That is why the XP SP2 firewall is on by default.
September 15th, 2006 at 3:04 am
How about downloading AutoPatcher and burning it to a CD/USB stick on another computer?
November 29th, 2006 at 10:20 am
I’d suggest patenting this idea ASAP.
November 29th, 2006 at 4:36 pm
Is it so hard to put something, not made of Windows, between the machine and the internet (a Netgear/D-Link/Linksys router/firewall)? By not exposing Windows to the outside world directly, the only vectors of infection are unknowing clicks by users and infected machines behind the firewall.