Confirmation of stealth Windows Update


stash

Diamond Member
Jun 22, 2000
5,468
0
0
It's not a different tune, that statement in the first quote was in regards to the validity of having the third issue in this particular thread. Don't take it out of context. Right now nobody knows what is causing it. It could be a third-party app. If I was a betting man, I would take the odds it isn't. MS has shown over the course of time that they are not the best when it comes to patching their code.
...

The second part was me being a little feisty with the all out apologist who thought this was no big deal, and quite ordinary. I posted again about the issue when the repair install problems surfaced. I guess it wasn't so ordinary of an update that QA just "missed" the fact that it hoses AU on repair installs.
Are you being intentionally obtuse, or can you not read what you wrote? Your second quote is a direct response to the third issue in this thread. That quote is what introduced that issue into this thread in the first place. The issue which you are now backpedaling on and saying that we don't know what caused it.

Your attempt to characterize that second quote as referring to the repair install issue is laughable. Read what you wrote again:
Don't look now, but the update experts appear to be at it again....

How does a forcible reboot and turning on Automatic updates sound to you??

Windows Update automatically changing user settings

I'm done with this thread. It is clear your only intention is to sling FUD. A thread discussing the pros and cons of the AU system updating itself (as well as problems that can be directly attributed to that update) is a valid discussion, but you are more interested in furthering some agenda.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
As this thread bears out, MS has not had the best track record when it comes to their patching system.

Who has the best track record for software patching on a worldwide scope, on this wide a range of hardware and software permutations, with this wide a range of users, and with target systems numbered in the hundreds of millions per month and probably billions in total? Give us some names and some metrics. You said it's not Microsoft, so you must know who it really is.

The list is LONG and plentiful of hiccups, 3rd party and their own included. This thread just serves as my protest about the issue, and a place to get some information on the issues caused by it.

How many people do you personally know who've been affected, severely or at all, by these issues? I didn't notice any of them posting in this thread.

Thinking back across the approximately 400,000 machine-hours that my previous fleet racked up, Win2000 Pro and WinXP Pro on full Automatic Updates (I had no SUS/WSUS option) at two different locations, I really can't think of any examples where automatic updates were a problem. There was an Adobe Flash Player update delivered by AU which some users didn't like the effect of... but I did; it was a security update, after all.

To put it into perspective, I had more problems with hardware failures (hard drives, occasionally RAM, PSUs, and monitors), with false-positives from the antivirus (Excel.exe being mass-deleted by McAfee), with the employees doing or trying to do stupid stuff, with the server deciding to drop drives from the RAID5... there are far greater issues in the real computer world than the possibility of a buggy update biting your desktop systems because you had Automatic Updates turned on. In my opinion. Of course, I'm only speaking from experience; there were no blogs or articles involved, to make it all important and stuff.

Oh, and I forgot to mention "aging LaserJets" in my list of real-world woes :frown:

Anyhow, if you don't trust the update system, then that's certainly your prerogative to do whatever you feel is necessary, and there's no special skill needed to turn them off and keep them off. If you want to keep trying to persuade ATOS that Microsoft is shady and/or their update system sucks, then carry on with trying.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Who has the best track record for software patching on a worldwide scope, on this wide a range of hardware and software permutations, with this wide a range of users, and with target systems numbered in the hundreds of millions per month and probably billions in total? Give us some names and some metrics. You said it's not Microsoft, so you must know who it really is.

From a purely technical standpoint I'd have to go with Debian. Even though the total number of installed systems is going to be a lot lower the number of hardware and software permutations is going to be a huge amount higher since they support 9 more architectures than Windows and around 20,000 packages.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Nothinman
Who has the best track record for software patching on a worldwide scope, on this wide a range of hardware and software permutations, with this wide a range of users, and with target systems numbered in the hundreds of millions per month and probably billions in total? Give us some names and some metrics. You said it's not Microsoft, so you must know who it really is.

From a purely technical standpoint I'd have to go with Debian. Even though the total number of installed systems is going to be a lot lower the number of hardware and software permutations is going to be a huge amount higher since they support 9 more architectures than Windows and around 20,000 packages.

What metrics can you provide as far as patch quality / non-bugginess, versus Microsoft? How about time to patch delivery, versus other vendors? Actually, I have some partial metrics on the latter topic, thanks to Symantec's Internet Security Threat reports: http://pics.bbzzdd.com/users/m...atch_delivery_2007.GIF for the most recent one (smaller bars = better).
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Too bad Debian's not in the graph that you have and even if it did it would ignore the sheer amount of additional software that's supported by Debian compared to anyone on that list.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Nothinman
Too bad Debian's not in the graph that you have and even if it did it would ignore the sheer amount of additional software that's supported by Debian compared to anyone on that list.

Sorry, it's the best I could do. I think you see my point, which is to ask the OP to shore up his generalizations with some sort of evidence. In my case, a decent amount of firsthand experience (maintaining a fleet of Windows PCs for several years) didn't leave me with much to complain about with regards to Automatic Updates, so that is my own metric.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
In my case, a decent amount of firsthand experience (maintaining a fleet of Windows PCs for several years) didn't leave me with much to complain about with regards to Automatic Updates, so that is my own metric.

And my first hand experience leads me to believe that if AU requires 'stealth' updates for any reason at all then AU is broken.
 

nerp

Diamond Member
Dec 31, 2005
9,865
105
106
I like the stealth updates.

I mean, UAC prompts are so obscenely difficult to click -- thank god we don't have to click "OK" for updates for our updater, right?
 

Smilin

Diamond Member
Mar 4, 2002
7,357
0
0
Originally posted by: Nothinman
In my case, a decent amount of firsthand experience (maintaining a fleet of Windows PCs for several years) didn't leave me with much to complain about with regards to Automatic Updates, so that is my own metric.

And my first hand experience leads me to believe that if AU requires 'stealth' updates for any reason at all then AU is broken.

Good thing you don't use antivirus! Those crazy guys upgrade their scanning engines from time to time rendering previous virus defs incompatible!!! Nutty!!
 
JohnOfSheffield

Jun 26, 2007
11,925
2
0
Originally posted by: Smilin
Originally posted by: Nothinman
In my case, a decent amount of firsthand experience (maintaining a fleet of Windows PCs for several years) didn't leave me with much to complain about with regards to Automatic Updates, so that is my own metric.

And my first hand experience leads me to believe that if AU requires 'stealth' updates for any reason at all then AU is broken.

Good thing you don't use antivirus! Those crazy guys upgrade their scanning engines from time to time rendering previous virus defs incompatible!!! Nutty!!

No, not if you set NOD32, KAV or any other program whatsoever or OS or whatever to notify you before update, then they do not update SHIT without user interaction.

And AFAIK he runs mostly Debian, where updates are updates and you can be notified but no fucking update will install without your permission and that is the way it SHOULD be.

As I see it, it's a wide open hole just waiting.
 

zpe

Junior Member
Aug 31, 2007
24
0
0
Forced reboots remind me of users not being able to postpone reboots in Vista.

http://blogs.zdnet.com/Berlind/?p=698

Eventually, they figured out the reason was that people were logged in as Standard Users.

http://blogs.zdnet.com/Berlind/?p=733

I'm surprised this didn't get as much attention as it should have. Forced reboots are completely unacceptable, especially since being logged in as a Standard User is a safe security practice.

Anyway, there's no reason why Windows should force a reboot without at least letting you postpone it, even if you don't have admin credentials. Forced reboot shouldn't be done with applications running.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: zpe
Forced reboots remind me of users not being able to postpone reboots in Vista.

http://blogs.zdnet.com/Berlind/?p=698

Eventually, they figured out the reason was that people were logged in as Standard Users.

http://blogs.zdnet.com/Berlind/?p=733

I'm surprised this didn't get as much attention as it should have. Forced reboots are completely unacceptable, especially since being logged in as a Standard User is a safe security practice.

I don't agree. For the record, I run Vista as a Standard user, on a standalone system (not in a domain) and it has never forced a reboot on me in the ~9 months I've been using it. If I go to log off from one of my Standard accounts, and the icon has a Shut down and install updates :camera: shield symbol on it, there's the cue that there are updates lined up, and I can choose to install them and shut down if I want to. If I don't, I can keep on using the system instead. Granted, they're scheduled to auto-run at 3AM, and I'm usually not up that late unless I went on an extra-specially-long malware-hunting spree :evil:

Anyhow, since you bring this up, have you personally seen any unwanted forced reboots? If so, are you on a domain where this might be domain policy being enforced (install updates immediately upon download, then force a reboot)? Do you know if the blogger in question was on a domain?

If the computer's local or domain Administrator does choose to set Vista to reboot after updating, and/or to install updates RIGHT NOW instead of waiting until the dead of night, then that is the Administrator's call to make, and you can blame him/her if you don't like the policy he/she has implemented. That behavior is under the control of the computer's (or domain's) Administrator on every version of Vista, in one form or another. For home versions, refer to this pic:

Choose for yourself :camera:

If you are the Admin on a home version of Vista, and you don't want it auto-patching and rebooting, not even at 3AM, then set it to download patches but let you choose whether to install them, rather than installing them autonomously at a set time (and rebooting). Then watch for your lil' alert.

For business versions of Vista, the local or domain group policy is another way to alter the behavior to suit your preferences.

Anyway, there's no reason why Windows should force a reboot without at least letting you postpone it, even if you don't have admin credentials. Forced reboot shouldn't be done with applications running.

Yes there is. Automation is one reason, and security is another. Leaving a desktop computer running overnight so it can update itself, run virus scans, defrag, or do other tasks such as backup jobs is not unusual. If the computer installs security updates, you generally want the system rebooted so they take effect, because that is the point. And take it from someone who's been there... you DON'T want to have to manually spoon-feed large numbers of computers.


And my first hand experience leads me to believe that if AU requires 'stealth' updates for any reason at all then AU is broken.

Thinking about the average clueless homeowner with a Windows PC, I think the updating system really does need to be just as "fire-&-forget" as it possibly can be. Heck, my brother-in-law is a senior software engineer for Itronix, and I went over to his place and promptly found 1.73 plethoras of security vulns on his household computers, which he thought he had all battened down. And my mom couldn't update anything if her life depended on it; when we tried to teach her how to use a mouse, she was trying to trace an outline on the desk around it with a pencil... "ok, if I want to check email, I put the mouse inside this oval I drew RIGHT HERE, and then click the button two times... " (no, I'm completely serious).
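
The choices argued over in the post above (install on a schedule versus notify before install, and whether a restart can happen with someone logged on) correspond to Automatic Updates policy registry values, which this read-only check reports. It is an added example, not part of any forum post; the function name `Get-AuPolicyReport` and the wording of its findings are this example's own, and it assumes the settings were applied through local or domain group policy.

```powershell
# Added example (not from the thread): read-only report of the Automatic
# Updates policy on this machine. The key and value names are the Windows
# Update Agent policy values; the findings text is this example's own wording.
$AuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Meaning of the AUOptions policy value.
$AuOptionText = @{
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Download automatically, install on schedule'
    5 = 'Local administrator chooses the setting'
}

# ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday.
$AuDays = 'Every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday',
          'Thursday', 'Friday', 'Saturday'

function Get-AuPolicyReport {
    param([string]$Path = $AuPolicyKey)

    if (-not (Test-Path -Path $Path)) {
        # No policy key: behaviour follows the Control Panel setting instead.
        return [pscustomobject]@{
            PolicyKeyPresent = $false
            Mode             = 'Not set by policy'
            Schedule         = $null
            Findings         = @('No AU policy key; the Windows Update control panel setting applies.')
        }
    }

    $p        = Get-ItemProperty -Path $Path
    $mode     = 'Policy key present, AUOptions not set'
    $schedule = $null
    $findings = @()

    if ($p.NoAutoUpdate -eq 1) {
        $mode = 'Automatic Updates disabled'
        $findings += 'Nothing installs automatically; patching depends on someone running Windows Update by hand.'
    }
    elseif ($null -ne $p.AUOptions) {
        $opt  = [int]$p.AUOptions
        $mode = $AuOptionText[$opt]
        if (-not $mode) { $mode = "Unrecognised AUOptions value $opt" }

        if ($opt -eq 4) {
            # Scheduled install: report when, and whether a restart can
            # happen while somebody is logged on.
            if ($null -ne $p.ScheduledInstallTime) {
                $schedule = '{0} at {1:00}:00' -f $AuDays[[int]$p.ScheduledInstallDay],
                                                  [int]$p.ScheduledInstallTime
            }
            if ($p.NoAutoRebootWithLoggedOnUsers -ne 1) {
                $findings += 'Scheduled installs can restart the machine while a user is logged on (NoAutoRebootWithLoggedOnUsers is not 1).'
            }
        }
        elseif ($opt -eq 2 -or $opt -eq 3) {
            $findings += 'Installs wait for someone to approve them; an unattended machine stays unpatched until then.'
        }
    }

    [pscustomobject]@{
        PolicyKeyPresent = $true
        Mode             = $mode
        Schedule         = $schedule
        Findings         = $findings
    }
}

# Report for the local machine.
Get-AuPolicyReport | Format-List
```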
 

zpe

Junior Member
Aug 31, 2007
24
0
0
Ok, I admit, there are some instances that auto reboot would be OK, but if you're logged in and doing work, there is no reason. Windows should check to make sure no apps are running at the very least. People do use the computer at 3 AM in the morning. Windows is used by millions of computers, and if even .1% of users are working up late, then it's going to affect a lot of people.

Granted, they're scheduled to auto-run at 3AM

That's the key, he changed the default time. Yet, the option CLEARLY shows that the updates are only to be INSTALLED. NOWHERE, does it mention that reboots would also be automatic. Your own screenshot proves this, hence the need for caps just in case you want to check out your own pic.

If the computer's local or domain Administrator does choose to set Vista to reboot after updating, and/or to install updates RIGHT NOW instead of waiting until the dead of night, then that is the Administrator's call to make, and you can blame him/her if you don't like the policy he/she has implemented.

The problem is that 3 AM is the default setting, and some Windows admins really shouldn't be admins.

Here's something funny. You claim that updating Windows can be very difficult for some clueless users. Here's what you said.

Thinking about the average clueless homeowner with a Windows PC, I think the updating system really does need to be just as "fire-&-forget" as it possibly can be. Heck, my brother-in-law is a senior software engineer for Itronix, and I went over to his place and promptly found 1.73 plethoras of security vulns on his household computers, which he thought he had all battened down. And my mom couldn't update anything if her life depended on it; when we tried to teach her how to use a mouse, she was trying to trace an outline on the desk around it with a pencil... "ok, if I want to check email, I put the mouse inside this oval I drew RIGHT HERE, and then click the button two times... " (no, I'm completely serious).

Let's back up to what you said earlier.

If you are the Admin on a home version of Vista, and you don't want it auto-patching and rebooting, not even at 3AM, then set it to download patches but let you choose whether to install them, rather than installing them autonomously at a set time (and rebooting). Then watch for your lil' alert.

I know you were replying to Nothinman, but there are users who would like to avoid forced reboots while doing work and have automatic reboots when necessary. Are you expecting these same clueless users to go to a control panel and change the defaults? Or know what gpedit.msc is?

Really, the fix is simple. Don't reboot when applications are running. Or Microsoft could simply not force reboots as a default.
 

Smilin

Diamond Member
Mar 4, 2002
7,357
0
0
Originally posted by: JohnOfSheffield
Originally posted by: Smilin
Originally posted by: Nothinman
In my case, a decent amount of firsthand experience (maintaining a fleet of Windows PCs for several years) didn't leave me with much to complain about with regards to Automatic Updates, so that is my own metric.

And my first hand experience leads me to believe that if AU requires 'stealth' updates for any reason at all then AU is broken.

Good thing you don't use antivirus! Those crazy guys upgrade their scanning engines from time to time rendering previous virus defs incompatible!!! Nutty!!

No, not if you set NOD32, KAV or any other program whatsoever or OS or whatever to notify you before update, then they do not update SHIT without user interaction.

And AFAIK he runs mostly Debian, where updates are updates and you can be notified but no fucking update will install without your permission and that is the way it SHOULD be.

As I see it, it's a wide open hole just waiting.

fucking updates? wide open hole?

mmm.....kay. Which brain are you arguing with again?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: zpe
The problem is that 3 AM is the default setting, and some Windows admins really shouldn't be admins.

I concur! :laugh: Unfortunately, they have us badly outnumbered :shocked:

Here's something funny. You claim that updating Windows can be very difficult for some clueless users. Here's what you said.

Thinking about the average clueless homeowner with a Windows PC, I think the updating system really does need to be just as "fire-&-forget" as it possibly can be. Heck, my brother-in-law is a senior software engineer for Itronix, and I went over to his place and promptly found 1.73 plethoras of security vulns on his household computers, which he thought he had all battened down. And my mom couldn't update anything if her life depended on it; when we tried to teach her how to use a mouse, she was trying to trace an outline on the desk around it with a pencil... "ok, if I want to check email, I put the mouse inside this oval I drew RIGHT HERE, and then click the button two times... " (no, I'm completely serious).

Let's back up to what you said earlier.

If you are the Admin on a home version of Vista, and you don't want it auto-patching and rebooting, not even at 3AM, then set it to download patches but let you choose whether to install them, rather than installing them autonomously at a set time (and rebooting). Then watch for your lil' alert.

I know you were replying to Nothinman, but there are users who would like to avoid forced reboots while doing work and have automatic reboots when necessary. Are you expecting these same clueless users to go to a control panel and change the defaults? Or know what gpedit.msc is?

Really, the fix is simple. Don't reboot when applications are running. Or Microsoft could simply not force reboots as a default.

I see what you're saying. I don't think the I.T. community would appreciate that "fix," though.

wide open hole?

Yeah, I was wondering the same thing about the Wide-Open Hole?.


Tangentially, I see from Microsoft's Anti-Malware blog that the September Malicious Software Removal Tool, which is one of those evil, stealthy Automatic Updates that steals your viruses EVERY MONTH, removed malware from about 2.5 million computers in its first week, reportedly knocking out about 1/5th of StormWorm's DDoS capacity in the process. I can't wait to see the stats from this month's MSRT, especially with their improved heuristics on certain stuff :thumbsup:
 

AlucardX

Senior member
May 20, 2000
647
0
76
I use Vista and have auto updates turned off. It's never updated for me. I recently ran Windows Update since I forgot all about it.. and the last time it said it scanned was mid-august, which is correct.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Thinking about the average clueless homeowner with a Windows PC, I think the updating system really does need to be just as "fire-&-forget" as it possibly can be. Heck, my brother-in-law is a senior software engineer for Itronix, and I went over to his place and promptly found 1.73 plethoras of security vulns on his household computers, which he thought he had all battened down. And my mom couldn't update anything if her life depended on it; when we tried to teach her how to use a mouse, she was trying to trace an outline on the desk around it with a pencil... "ok, if I want to check email, I put the mouse inside this oval I drew RIGHT HERE, and then click the button two times... " (no, I'm completely serious).

I don't disagree that there should be a "update everything automagically in the background with no prompting" option. But there is no technical reason why there also shouldn't be a "prompt me before installing anything" option that covers everything MS updates, including AU.
 

DasFox

Diamond Member
Sep 4, 2003
4,668
46
91
Originally posted by: stash
Originally posted by: DasFox
As long as XP has been out I've never done any updates other than installing service packs, and I've never had problems.

Most of the Windows updates are a waste.
That's some twisted logic you've got there. Hopefully nobody will follow your lead.

No it's not, not everyone is using Windows in a Corporate environment, or for business.

The Home user does not need to do any updates EVER!

Actually the only ONE update someone needs is Windows Installer 3.1, that is all.

Beyond Windows Installer 3.1 all you need are Service pack updates nothing more, and then if you are worried about security, you get a decent firewall, software, or hardware.

All the updates in the world aren't going to keep you safe if you don't have a good firewall in place.

Updates for HOME users are ONLY needed if some piece of software won't work anymore, and they need the update/latest version.

Example a media player update comes out, and without the new update you can't play online streaming media anymore, updates like this are going to be needed for someone that streams media.

Please don't tell me it's some twisted logic, I'm a PC geek, and I've used XP since the day it has come out, and I've never ever updated anything on this box other than service packs.

All I run is SP2, nothing else and there has never, ever been one problem on this box!

PEACE
 

DasFox

Diamond Member
Sep 4, 2003
4,668
46
91
Originally posted by: Nothinman
Wow, DasFox, you are really confused.

No I'm not, since Windows has been out I've only used service packs and nothing else.

90% of Windows updates for users are not needed. Let me stress this again, the key here is a user who does not have mission critical information on their system, and if they do, and it's that critical, those boxes shouldn't even be online in the first place.

Corporate, or business systems are another situation, but again they can limit the systems that are online, and what information is on these boxes that are online to limit any threats. Updates are not the real issue for security, it's how you manage your system that is the real issue to security.

You guys act like the real source of security is in the updates. Security starts with how you manage your systems, are they online, or only on an internal network? If they are then online what access is there to them, with what information, etc.?

Smart users, or Admins can pick and choose their updates to suit their needs if there are any. The biggest concerns for updates are when software won't work, and needs an update to fix a problem. If you are relying on updates for better system security, then you need to rethink about what security is in the first place, because it doesn't always begin with updates.

Another concern over updates is if you've been around Windows long enough then you'll also know MS has had a long history of updates breaking things and updates needing updates... Updating software doesn't always mean you are going to get the benefits you should. There are many times when updates create problems and also introduce another set of bugs that need dealing with. Updates in a business environment always have to consider this. Are the updates going to really help, or is there the possibility of introducing more problems, etc., when doing the updates?

Since MS first introduced Windows I've been using it without ever the need for any updates, other than something that was critically needed because software would not work without it, other than that there has never been a need for a user to update anything.

Like they say if it isn't broke you don't need to fix it, and that holds true for the software world unless software will no longer work, or it's going to pose a grave security risk, then there is no need to update, and even if it's going to pose a security risk, the FIRST line of defense in security is a firewall, not software updates.

If your system is going to become compromised because you didn't do some Windows updates, then there is something terribly wrong with your system security, and all the updates in the world aren't going to help if you don't even understand where security starts in the first place.

If you think keeping your software secure over a firewall is a safer approach to computing, then you need to rethink again.

Let me stress this in another way. The user only needs service pack updates, unless something won't work. And again, don't think that security updates to your software are going to make your box more secure if you don't even know how to use a proper firewall.

Proper security starts at the firewall first, it is the FIRST line of defense not the updates. If you don't think so, then tell that to the Admin of a company. Tell them to only update their software for security updates, and that they don't need a firewall anymore, they are now safe and secure.

Did you know you can have the crappiest bug ridden software with holes out the butt in it, and run the safest box in the world, if you know how to run a good/proper firewall, because it doesn't matter how insecure your software is, as long as your firewall is good. Then you can have a crappy firewall, with a terrible security policy/rules and great updated secure software, and guess what someone will get into that system, and eventually crack that software, why because there is no such thing as perfect software, anything is crackable.

Now does this mean this is how you should run a box with crappy bug ridden software full of holes? Of course not, but don't think that the service packs for users are that big of problems because they are not.

Again, the only people that need to concern themselves with updates is if there is anything mission critical on the system that needs the utmost protection, and GUESS WHAT? If it's that critical then those boxes shouldn't even be on the NET in the first place. They should be off line ONLY on an internal network with no access to the NET for greater security.

Let's wake up here, real critical systems shouldn't even be online if they are that important in the first place, and most of MS's updates are dealing with online security threats. Did you ever think about that?

Summary:

1. If it's not going to work, update it.

2. If security was that big of a problem, then maybe that box should not be online, but only on an internal network.

3. No computer should ever have anything on it so important that it needs Windows updates to protect it. That data should be on other forms of media, storage devices, etc... off the NET.

4. Real security is in proper management, how you run your systems, not updates!
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: DasFox
Originally posted by: Nothinman
Wow, DasFox, you are really confused.

No I'm not, since Windows has been out I've only used service packs and nothing else.

90% of Windows updates for users are not needed. Let me stress this again, the key here is a user who does not have mission critical information on their system, and if they do, and it's that critical, those boxes shouldn't even be online in the first place.

Corporate, or business systems are another situation, but again they can limit the systems that are online, and what information is on these boxes that are online to limit any threats. Updates are not the real issue for security, it's how you manage your system that is the real issue to security.

You guys act like the real source of security is in the updates. Security starts with how you manage your systems, are they online, or only on an internal network? If they are then online what access is there to them, with what information, etc.?

Smart users, or Admins can pick and choose their updates to suit their needs if there are any. The biggest concerns for updates are when software won't work, and needs an update to fix a problem. If you are relying on updates for better system security, then you need to rethink about what security is in the first place, because it doesn't always begin with updates.

Another concern over updates is if you've been around Windows long enough then you'll also know MS has had a long history of updates breaking things and updates needing updates... Updating software doesn't always mean you are going to get the benefits you should. There are many times when updates create problems and also introduce another set of bugs that need dealing with. Updates in a business environment always have to consider this. Are the updates going to really help, or is there the possibility of introducing more problems, etc., when doing the updates?

Since MS first introduced Windows I've been using it without ever the need for any updates, other than something that was critically needed because software would not work without it, other than that there has never been a need for a user to update anything.

Like they say if it isn't broke you don't need to fix it, and that holds true for the software world unless software will no longer work, or it's going to pose a grave security risk, then there is no need to update, and even if it's going to pose a security risk, the FIRST line of defense in security is a firewall, not software updates.

If your system is going to become compromised because you didn't do some Windows updates, then there is something terribly wrong with your system security, and all the updates in the world aren't going to help if you don't even understand where security starts in the first place.

If you think keeping your software secure over a firewall is a safer approach to computing, then you need to rethink again.

Let me stress this in another way. The user only needs service pack updates, unless something won't work. And again, don't think that security updates to your software are going to make your box more secure if you don't even know how to use a proper firewall.

Proper security starts at the firewall first, it is the FIRST line of defense not the updates. If you don't think so, then tell that to the Admin of a company. Tell them to only update their software for security updates, and that they don't need a firewall anymore, they are now safe and secure.

Did you know you can have the crappiest bug ridden software with holes out the butt in it, and run the safest box in the world, if you know how to run a good/proper firewall, because it doesn't matter how insecure your software is, as long as your firewall is good. Then you can have a crappy firewall, with a terrible security policy/rules and great updated secure software, and guess what someone will get into that system, and eventually crack that software, why because there is no such thing as perfect software, anything is crackable.

Now does this mean this is how you should run a box with crappy bug ridden software full of holes? Of course not, but don't think that the service packs for users are that big of problems because they are not.

Again, the only people that need to concern themselves with updates is if there is anything mission critical on the system that needs the utmost protection, and GUESS WHAT? If it's that critical then those boxes shouldn't even be on the NET in the first place. They should be off line ONLY on an internal network with no access to the NET for greater security.

Let's wake up here, real critical systems shouldn't even be online if they are that important in the first place, and most of MS's updates are dealing with online security threats. Did you ever think about that?

Summary:

1. If it's not going to work, update it.

2. If security was that big of a problem, then maybe that box should not be online, but only on an internal network.

3. No computer should ever have anything on it so important that it needs Windows updates to protect it. That data should be on other forms of media, storage devices, etc... off the NET.

4. Real security is in proper management, how you run your systems, not updates!

Fascinating. By this logic, you would play World of Warcraft offline, since the bad guys (1) target WoW players to steal their logins and auction away their stuff, and (2) use Windows security vulnerabilities (which you don't want to patch) to install keystroke loggers specifically aimed at stealing your WoW login. I assume you don't want to lose your Level-whatever character and your other resources, and would consider them "mission-critical" due to the time and effort put into developing them.

Ditto for having malware delete all your MP3s and movies after exploiting a Windows vulnerability that you could've patched, or encrypting your homework files and demanding ransom... I could just keep on going. Steam logins, game CD keys, eBay or PayPal credentials, there's a lot of stuff people consider important, the bad guys want to get it, and no, we're not going to hide offline, and we're not all going to abandon Windows.

I just finished parceling out today's harvest of about 80 fresh malware samples from the wild. This little avalanche of disaster was touched off by exploits. Patch your Windows et al and patch or remove your other software too (Secunia online checkup). Use low-rights user accounts when possible. The bad guys mean business and your firewall is no guarantee of safety.


I might add that the average detection rate of these malware samples at VirusTotal, spanning 32 security software packages, is below 50%, and none of them nailed everything. Not even close. One sample could not even be detected on the infected system with antivirus products which actually have signatures for the sample in question (and also was missed by four rootkit detectors). Prevention is the name of the game, and this would've been prevented if the test computer had been patched properly (using a low-rights account would've stopped it too, in this instance). For want of a nail... yeah.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
90% of Windows updates for users are not needed. Let me stress this again, the key here is a user who does not have mission critical information on their system, and if they do, and it's that critical, those boxes shouldn't even be online in the first place.

That's retarded. For most users their machines are the most important ones because they've got their data on there, to them their wedding photos are "mission critical information". And more and more mission critical machines have to be on the Internet because just about everything requires connectivity these days.

You guys act like the real source of security is in the updates. Security starts with how you manage your systems, are they online, or only on an internal network? If they are then online what access is there to them, with what information, etc.?

It starts with how you use the system not how you manage it. No amount of software will save someone who puts their CC# into every website that asks for it. Software can be used to give you hints about whether something is malicious or not and can stop the blatantly obvious problems but that's it, you still have to have some common sense.

If you are relying on updates for better system security, then you need to rethink about what security is in the first place, because it doesn't always begin with updates.

And if you're ignoring updates because you think you're smarter than the rest of the Internet then you need to rethink your computing habits because you can't be aware of every single instruction that your box executes and exploits are found every day.

Another concern over updates is if you've been around Windows long enough then you'll also know MS has had a long history of updates breaking things and updates needing updates... Updating software doesn't always mean you are going to get the benefits you should. There are many times when updates create problems and also introduce another set of bugs that need dealing with. Updates in a business environment always have to consider this. Are the updates going to really help, or is there the possibility of introducing more problems, etc., when doing the updates?

Sure that's part of the risk but on the other hand you run the risk of being exploited by something that was fixed months ago. There are still machines out there propagating CodeRed, are you really suggesting that someone should install Win2K+IIS without any patches because it works?

Like they say if it isn't broke you don't need to fix it, and that holds true for the software world unless software will no longer work, or it's going to pose a grave security risk, then there is no need to update, and even if it's going to pose a security risk, the FIRST line of defense in security is a firewall, not software updates.

It is broken, you just haven't run into the problem yet.

If you think keeping your software secure over a firewall is a safer approach to computing, then you need to rethink again.

No, you need to rethink this whole thing again. A firewall is a decent first line of defense but it's not a panacea and can't decide if a packet is going to cause a problem or not. Assuming a local software firewall, if you tell the firewall to let firefox.exe access the Internet so that you can browse that's all it knows. So every request from FF to the Internet will be allowed from that point on so when you hit a website that has an exploit on it the firewall will happily let you download it because you told it to let FF do its thing. If you're talking about a separate box doing the firewalling there's even less granularity because it can't tell what process is trying to get out so you have to say "Let this IP make HTTP requests." so any application can now get to any web server on the Internet.

Proper security starts at the firewall first, it is the FIRST line of defense not the updates. If you don't think so, then tell that to the Admin of a company. Tell them to only update their software for security updates, and that they don't need a firewall anymore, they are now safe and secure.

Thank you Captain Hyperbole. But no one in their right mind would do that because the two aren't mutually exclusive and I don't know of a single company that would in their right mind skip every single update released. Sure they might wait a week or whatever while they test it but eventually they will apply it and move on.

Did you know you can have the crappiest bug ridden software with holes out the butt in it, and run the safest box in the world, if you know how to run a good/proper firewall, because it doesn't matter how insecure your software is, as long as your firewall is good. Then you can have a crappy firewall, with a terrible security policy/rules and great updated secure software, and guess what someone will get into that system, and eventually crack that software, why because there is no such thing as perfect software, anything is crackable.

Did you know that a firewall can't decide whether a packet is malicious or not? Even if you had a firewall with an excellent integrated IDS it would still lag behind because new signatures are created all of the time so instead of updating your software you have to keep updating your IDS which also has a huge potential for false positives.

Let's wake up here, real critical systems shouldn't even be online if they are that important in the first place, and most of MS's updates are dealing with online security threats. Did you ever think about that?

Wake up and turn off the Internet? Have you looked at how many real, critical systems are on the Internet because they run a company's ecommerce (is that still a buzzword?) site? Good luck convincing them that in order to be secure they have to give up that portion of their business.

4. Real security is in proper management, how you run your systems, not updates!

Real security is a layered process and one of those layers is updating your system, anyone who argues otherwise shouldn't be allowed to touch anything connected to the Internet.
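
The granularity point in the post above (a host firewall rule keyed on firefox.exe versus a separate box that can only say "let this IP make HTTP requests"), as an added example that is not part of the original post. The rule model, the address 192.168.1.10, `other.exe` and the sample flows are constructed for illustration and do not represent any real firewall product.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    process: str    # originating executable; only the host itself can see this
    src_ip: str
    dst_port: int
    payload: str    # what comes back from the server; no rule below reads it

@dataclass(frozen=True)
class Rule:
    process: Optional[str] = None   # None means "do not match on this field"
    src_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, flow: Flow, sees_process: bool) -> bool:
        if self.process is not None:
            # A separate firewall box has no process information to match on.
            if not sees_process or flow.process != self.process:
                return False
        if self.src_ip is not None and flow.src_ip != self.src_ip:
            return False
        if self.dst_port is not None and flow.dst_port != self.dst_port:
            return False
        return True

def allowed(rules, flow, sees_process):
    """Default deny: a flow passes only if some rule matches it."""
    return any(r.matches(flow, sees_process) for r in rules)

# Constructed rule sets: "let firefox.exe browse" vs "let this IP make HTTP requests".
HOST_RULES = [Rule(process="firefox.exe", dst_port=80)]
PERIMETER_RULES = [Rule(src_ip="192.168.1.10", dst_port=80)]

# Constructed sample flows from one workstation.
FLOWS = [
    Flow("firefox.exe", "192.168.1.10", 80, "ordinary page"),
    Flow("firefox.exe", "192.168.1.10", 80, "page carrying exploit content"),
    Flow("other.exe", "192.168.1.10", 80, "unrelated program's HTTP request"),
    Flow("firefox.exe", "192.168.1.10", 25, "non-HTTP port"),
]

def verdicts(rules, sees_process):
    return [allowed(rules, f, sees_process) for f in FLOWS]

if __name__ == "__main__":
    for name, rules, sees in (("host", HOST_RULES, True),
                              ("perimeter", PERIMETER_RULES, False)):
        for flow, ok in zip(FLOWS, verdicts(rules, sees)):
            print(f"{name:9} {'ALLOW' if ok else 'DENY ':5} {flow.process:12} "
                  f"port {flow.dst_port:<3} {flow.payload}")
```

Both rule sets pass the second flow because the verdict never depends on the payload, and the perimeter rule also passes the third because it cannot tell which program sent the request.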
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Wow.

I would add to the comments here, but I'm really just too stunned to begin to formulate a response.

Just stay the hell away from my computers. And I hope you don't work on other people's computer for a living.
 

DasFox

Diamond Member
Sep 4, 2003
4,668
46
91
Stash if you haven't got anything nice, or positive to say, just STAY the HELL away from my posts.

All you do every time I see you in just about every post is make crap comments about something, or someone.

 

DasFox

Diamond Member
Sep 4, 2003
4,668
46
91
I didn't really come out and say it, but I thought someone would have seen the point here, it all comes down to EXPERIENCE.

It also depends on what you are doing, and if the updates will help with anything you are doing.

Am I smarter, I never said I was, but am I experienced, HELL yes, over 20 years worth, have I needed an UPDATE for anything I do with computers? ----> NO

Does this mean I'm stupid? NO, does it mean I need them? NO.

I use what I need, I use it if it's important or critical to anything I'm doing, and I've never had any needs.

See let me put it this way, have you ever done this before, or researched this for 20 years? I have, and I have 20 years of experience to tell you many people's computers will be just fine without any updates.

Now did I just say every computer on the face of the planet will be ok, NO I said, "MANY", so let's not start blowing things out of proportion here, OK?

You ONLY need what is important to what you are doing, and even if it poses a problem, there are also ways around updates, by staying away from that software in the first place that has this exploit.

IE has an exploit, use Firefox then, holes in a server, use another server, learn to use software that doesn't have as many issues as some, can this be done? Damn right it can, you think MS is the only one making software for the system, and there isn't good safe software to use?

Let's get things clear here, we are ONLY talking about updates to the OS, nothing else. If you don't think XP with SP2 can't be run safely for anyone out there, then you don't understand the alternatives to making it safe over updates, and how this can be accomplished, and most users don't understand this, why, because they all just follow the crowd and run updates like everyone else, because they think this is the way, and the only way.

Guess again guys....

PEACE
 