Patch Windows safely with Knoppix

by Kyle Rankin

Related link: http://isc.sans.org/survivalhistory.php



Ahh, security patches. With more and more desktop computers connected to the Internet 24 hours a day, even the home user has grown accustomed to running the various update programs for Windows to make sure that his software is patched (or at least he should!). Even with Microsoft's increased focus on security, it seems that new critical vulnerabilities, the kind that let remote users gain Administrative privileges on your machine, come out every few weeks.

For a corporate desktop, you generally have an IT department and hopefully firewalls to limit a worm's ability to scan for machines to infect. With a firewall, when the latest security vulnerability is announced you can safely download and install the patch from behind the firewall (or your IT department can do it for you). As new machines are installed (or imaged), the systems administrator can follow through with the latest updates, again behind the safety of the firewall.

For the home desktop, it isn't necessarily that easy. Some home users have software firewalls now, but many don't. Even if you do have a firewall, it may not be configured and running when you first connect that new machine to the Internet. The home user is left with the risky proposition of exposing the machine to attack during the potentially long download of patches. As the SANS study shows, it can take as little as 20 minutes for an attack to be attempted on a new machine on the Internet, so you are left running across the battlefield to get your bulletproof vest, hoping nothing hits you on the way.

I've already talked about how to scan for viruses with Knoppix, and many of the advantages to using Knoppix for virus scanning hold equally true for grabbing Windows patches. Since Knoppix isn't vulnerable to Windows worms, you can keep the computer connected to the network and download the patches you need when Knoppix is running.

Microsoft offers standalone patches (including service packs) for Windows on their TechNet site in the form of individual .exe files so system administrators can download the patch once, and then apply it on all the machines on a network that need it.

So, say you have a new Windows XP machine on the network, and it has a number of vulnerabilities that need to be patched with Service Pack 2. Boot into Knoppix with the network cable attached. Then go to TechNet. Since Service Pack 2 is a hot item right now, you can find it linked to directly off of the main TechNet page, but if it weren't, you could simply use their search to find it (for other standalone patches you can search by the Knowledge Base or Security Bulletin ID as well). In this case the download page is here.

If you are presented with the option to download a large "network version" or a smaller version of a patch, it is important to download the larger version, because that ensures you don't have to be connected to the Internet when you apply the patch.

Under Knoppix, mount your Windows partition with read/write permissions (right click the partition's icon on your desktop and click Actions->Change Read/Write Mode), then download the patch and save it into your Windows partition. If the Windows partition is NTFS, you will have to go through the Captive NTFS wizard (K menu->KNOPPIX->Utilities->Captive NTFS) to write to the partition.

Once the download has finished, reboot into Windows with the network cable unplugged. Then you can install the patch without exposing your system. Once the patch is finished, you can then plug the network cable back in and get back to business.

Since Knoppix can mount even brand new Windows images, you could potentially boot Knoppix before your new machine has booted Windows at all, download the patches you need directly to the machine, and then install them with the system disconnected from the network--the result being that the system gets fully patched without Windows being exposed to the Internet once.
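The download step as a shell script, added here as an example; it is not the article's own procedure (the article uses the Knoppix desktop) or anything Knoppix ships. It assumes a Windows partition the kernel can mount read/write directly (FAT32, or a kernel NTFS driver with write support; for Captive NTFS use the wizard described above), a placeholder device, mount point and patch URL, and that a published digest for the patch file is available to paste into EXPECTED_SHA256 (the digest algorithm is an assumption here; use whatever the download page lists). It runs as root inside Knoppix with `sh fetch_patch.sh --run`; without `--run` it only defines its functions.

```shell
#!/bin/sh
# Added example, not from the article: fetch a standalone Windows patch from a
# Knoppix session onto the Windows partition and record its SHA-256, so the
# file can be checked against the published hash before it is run offline.
# WIN_DEV, WIN_MNT, PATCH_URL and EXPECTED_SHA256 are placeholders/assumptions.
set -eu

WIN_DEV="${WIN_DEV:-/dev/hda1}"      # assumed: first Windows partition
WIN_MNT="${WIN_MNT:-/mnt/hda1}"      # assumed: Knoppix mount point for it
PATCH_URL="${PATCH_URL:-https://download.example.com/PATCH-NAME.exe}"  # placeholder URL
EXPECTED_SHA256="${EXPECTED_SHA256:-}"  # paste the published digest here; empty = only record the hash

# Local file name for the patch: the last path component of the URL.
patch_filename_from_url() {
    printf '%s\n' "${1##*/}"
}

# Print the SHA-256 of a file with whichever tool the live CD provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the file's SHA-256 equals the expected value (hex case ignored), 1 otherwise.
verify_sha256() {
    vs_actual="$(sha256_of "$1")"
    vs_expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    [ "$vs_actual" = "$vs_expected" ]
}

# Equivalent of Actions->Change Read/Write Mode: mount (or remount) the
# Windows partition writable and prove it with a throwaway file.
mount_windows_rw() {
    if grep -qF " $WIN_MNT " /proc/mounts; then
        mount -o remount,rw "$WIN_MNT"
    else
        mount -o rw "$WIN_DEV" "$WIN_MNT"
    fi
    touch "$WIN_MNT/.write-test" && rm -f "$WIN_MNT/.write-test"
}

# Download straight onto the Windows partition; -c resumes an interrupted transfer.
download_patch() {
    dp_dir="$WIN_MNT/patches"
    mkdir -p "$dp_dir"
    dp_out="$dp_dir/$(patch_filename_from_url "$PATCH_URL")"
    wget -c -O "$dp_out" "$PATCH_URL"
    printf '%s\n' "$dp_out"
}

main() {
    mount_windows_rw
    out="$(download_patch)"
    hash="$(sha256_of "$out")"
    # Keep the digest beside the file so it can be compared again from Windows
    # before the installer is run.
    printf '%s  %s\n' "$hash" "$(basename "$out")" > "$out.sha256"
    if [ -n "$EXPECTED_SHA256" ]; then
        if ! verify_sha256 "$out" "$EXPECTED_SHA256"; then
            echo "SHA-256 mismatch for $out; do not run it" >&2
            exit 1
        fi
    fi
    echo "Saved $out ($hash). Unplug the network cable and reboot into Windows to install it."
}

# Only act when explicitly asked, so the functions can be sourced and checked safely.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

The hash check is the part worth keeping even if you prefer the desktop tools: the whole point of the exercise is to run an installer that was fetched on one operating system and executed on another, so confirming the file is the one Microsoft published, before Windows ever touches the network, closes the gap between "downloaded safely" and "installed safely".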

What's your favorite method for safely rolling out patches in Windows?


14 Comments

caseydk
2004-08-17 14:51:06
Nice.

Very impressive. It's such an obvious thing that I'm surprised no one mentioned it before (that I saw)...


Good call.

DeanG
2004-08-17 19:37:47
Unsafe patching?
Forgive my oversight (I'll blame it on all the bad press SP2 has received with regards to incompatibilities), but what is the safety risk to downloading and running the SP2 patch WITHOUT Knoppix? (Or more precisely, outside of Windows)


Primarily baffled at the broad title.


jwenting
2004-08-18 00:22:29
forgot to mention
There's many people who found their Windows machines would no longer boot after using Knoppix to "patch" them.
Guess Knoppix destroys the bootloader or something and replaces it with its own (or at least some distributions do).


Of course the Linux zealots (imagine green flag waving hordes with turbans and curved swords bearing down on Redmond riding oversized grinning penguins) will call anything that prevents a Windows machine from booting a good thing...

jwenting
2004-08-18 00:23:05
Unsafe patching?
There is no risk. This is typical anti-Microsoft FUD.
simon_hibbs
2004-08-18 00:53:31
forgot to mention
This is pure, ignorant FUD. Care to provide any references whatever to support this statement?


Unlike other Linux distributions, Knoppix boots directly from CD, so it doesn't need to do anything whatever to the boot loader on the PC's hard disk. During this patching process, the only time Knoppix would write to your hard disk is when it copies the patch files into your Windows disk drive. You actually apply the patch while booted into Windows.


Simon Hibbs

simon_hibbs
2004-08-18 01:02:13
Unsafe patching?
This article isn't specifically about SP2, it's about any machine with a newly installed copy of Windows that doesn't have any recent patches applied. There are two methods you can use to patch it.


One method is to connect it to the internet and download the patches and then apply them, but this means your unpatched, vulnerable system is connected to the internet before it is protected by the patches. Attacks from the internet, mostly automated ones, can occur within minutes of making a connection, so this is very unsafe.


The other method is to connect to the internet using a safe, protected system and download the patches using that, then transfer the patches to the new machine, applying them before connecting it to the internet. This might mean either using a different PC running Windows that is already patched, and burning the patches to CD or something. This article proposes an alternative method using the PC that needs to be patched. By booting it into a safe operating system on CD (Knoppix) you don't need to use a separate computer, or transfer the patch files, because you are actually downloading them on the same PC that needs them.


I hope that clears up any confusion.



Simon Hibbs

Chui
2004-08-18 03:17:21
Chicken and Egg issue
Well, if I only have an unpatched Windows machine, how do I download a copy of Knoppix?
dbrick
2004-08-18 06:23:32
Unsafe patching?
Of course there is a risk. Users are finding all the time that a newly installed instance of Windows is vulnerable while it is connected to the Internet and in the process of downloading security patches.


They also find that a machine that has been infected with something is not a good platform from which to fix itself. Knoppix provides a nice, safe, non-keylogging, non-worm propagating system from which to start the clean-up process. Once the needed patches are moved onto the system disk, and the computer booted to Windows with the network disconnected, it won't matter if an infected Windows is attempting to send your keystrokes to some cracker or if the worm you are about to remove is trying to infect other machines, because they won't be reachable.


Now, an existing install of Windows XP that is up-to-date in every way minus SP2, has little risk of getting infected with a worm or virus while it is in the process of downloading SP2.

greenfly
2004-08-18 08:46:54
forgot to mention
This is just silly. Read through the post and you'll see that you are simply using Knoppix to download the patches onto your Windows machine so Windows itself can apply the patches while being disconnected from the network.


Knoppix isn't "patching" anything. This distribution boots and runs directly from CD, and is just providing a safe platform to download the patches. It's nothing to get upset about.

andrewgwhite
2004-08-19 12:29:53
Using Knoppix
Great article! We've been using USB keys to do this, but this way we can just get the most up-to-date patch right from the source.


I was wondering if I could convince/beg/plead with you to show us how to use a live CD to "ghost" a partition? I like to regularly restore my system, but it's quite a pain for someone without Norton. And no IT budget.

greenfly
2004-08-19 13:09:41
Using Knoppix
Thanks. Actually Knoppix Hacks has a number of different hacks for system backup and restore, including using tools like dd and partimage to image systems.


If I get a chance, I might do a general walkthrough of how to do that later on, but if you have a copy of Linux Server Hacks, there is a great imaging hack there using dd that you could use with a live CD. You'd only really need to change a few aspects of it such as running with sudo (or from a root terminal) in Knoppix.

bmckee
2004-08-25 06:37:57
Using Knoppix
Try mondo rescue
http://www.microwerks.net/~hugo/
Works great!
johnhebert
2004-08-25 08:25:31
Chicken and Egg issue
You either take your chances, or buy a copy of Knoppix (http://www.knopper.net/knoppix/index-old-en.html#order). You could also ask a friend to download and burn a copy. Or ask a local Linux Users Group for a copy.


An alternative to downloading the Knoppix .iso file (~700MB) is to download and use Feather Linux (http://featherlinux.berlios.de) in the same manner as described in the article. Feather Linux gives you the same capabilities to download files from the Internet but the downloaded .iso file is much smaller; less than 70MB.

SuperSteve
2004-09-16 13:35:50
Unsafe patching?
Of course there is a risk. There is a huge risk. Take a PC, install Windows XP without any integrated service packs or patches. Get online to get the patches (Dialup or broadband). By the time you are prompted to reboot you will definitely have Welchia or some other virus variant.


Now tell me, honestly, how many home users (especially those on dialup) have the time/patience to download 250MB of security updates on top of any drivers that they need?


I work with Windows all day at work so I know first hand how quickly it can become infected if not patched properly.