Slashdot Mirror
Auto-Updates - Proactive or Begging for Abuse?
narzy asks: "To me one of the most important steps to keeping a computer secure is keeping the systems software up to date. The problem I run in to is that more and more of the applications in everyday use are web enabled in some context or another, making them high targets for attack and exploitation. I am beginning to find it difficult to keep clients computers completely up to date. I find that applications that have an auto update such as my anti-virus Nod32 which updates every day on its own a real blessing. It's a feature that is an option but and option that I personally wish was in a lot more software. Windows has this feature (so does Linux if you want it to) however in the case of Windows it's not exactly all that consistent. Unfortunately it opens another can of worms that isn't so enjoyable that being companies who abuse such a system for advertising purposes, modifying the software in such a way to reduce or change its functionality either because of internal decisions or external pressures from 3rd parties, compromise and abuse of the server the company uses to distribute the updates. But is it worth the added risk to know that 95%+ of the time your software is up to date?
It's not a cure all but is it or is it not better then a reactive approach?"
A changing system never runs; A running system never changes.
Ideally, this means you would take the time to understand every update to your system, and install only those that were critical in order to maximize stability. Automatic updates are the other extreme and, if you ask me, never a good idea.
If you are responsible for numerous machines, perhaps automated updates are right for you, but you should maintain control. Learn about the update, and personally send out the updates you deem important and know to be compatible to your client's machines. Letting a bunch of individual entities with no knowledge of each other all have free reign over a machine is never a good idea, no matter how well intentioned all the parties involved may be.
As someone who has had to clean viruses off infected campus computers, I say that automated updates are 100% worth it, even if they do have problems once in a while. When Sasser ripped through, our help desk was swamped with calls from students. But not one single lab computer that had automatic updates set was affected. The benefits are obvious.
...and keep in mind that shit happens.
I would also suggest, though, that you'll never ever have a secure reliable system. Your computer can always be stolen or struck by lightning. A hard drive can fail. Etc. If you take the approach of "My computer could spotaneously combust" and deal with it that way, then you're in a far better world. Even the worst virus wouldn't cause you to lose your data.
"Derp de derp."
I am beginning to find it difficult to keep clients computers completely up to date.
Welcome to the club.
I don't think there's any way around this issue.
Vendor updates (whether paid-for subscriptions from Microsoft, Red Hat, or beneath the pond-scum from adware spyware companies) probably haven't been completely tested for your corporate environment.
You need to have a person or an organization committed to testing the latest updates in a lab environment before they are more widely deployed to check for the inevitable laws of unintended side effects.
"Provided by the management for your protection."
I sign up for automated notifications of updates, and then I review those and apply them when appropriate.
The real concern I think is some guy finding a way to hack one of these. With a 8 hr waiting period...if it then simultaneously reformated everything.
Imagine windows update hacked. I update daily-lets assume 100 million other folks worldwide do. Within 8 hrs 33 million computers are infected...and reformat themselves.
THATS my concern
"Apt-Secure" has a nice sense of "which package sources are trusted". That means, APT maintains a list of places to get packages from. Some of these sources are trusted, and their packages can be cryptographically verified to be truly from those sources.
If there's a new version of a package from an "untrusted" source, it'll ask you if you're sure you want to upgrade that package.
I think it's silly to have package go and upgrade themselves, especially where each package has it's own way to perform the upgrade, and you have to trust each vendor's security implementation (instead of a single central one). A bunch of packages running off and upgrading themselves, each with its own security model (if any) is a great way to open yourself up to a man-in-the-middle attack several times a day. The OS should handle this in a consistent, secure way that the administrator can understand.
peace,
isaac
Ifr you wait one month, the fixes to the fixes will be out.
You are being MICROattacked, from various angles, in a SOFT manner.
I'm no longer on dial-up thank goodness, but if I were, it would be a pain to want to dial-up, check email and disconnect to leave in a hurry only to be interrupted by a 3M patch that had to complete before I could really utilize my blazing 46k connection.
My machines are on notify, but not auto-download & install. I'm on broadband and I've opted for this, I sure wouldn't want them forced on if I was on dial-up.
If I'm in the middle of an Unreal Tournament 2004 match, the last thing I want is a forced update on Notepad++ or whatever.
I'm not saying OP was indicating to force them, but this would be something to consider if you are considering forcing the updates.
My Tech Posts on Twitter
The problem is one of trust. Windowsupdate seems like a clone of the old Oil Change, on a more limited basis. Oil change would charge consumers a nominal fees for a whole bunch of updates, and they would enter into arrangements with Software publishers on their behalf.
Microsoft took the same approach, minus the fees.
The only problem is that if software X does not update properly(with drivers being autoupdated, that could be something like incompatibility, mis-detected hardware, etc...), and you pay for updates you hold the company who gets you the updates responsible. But if company X and company Y release incompatible updates, and the company selling you the updates gets caught in the middle, that's not good, both for consumer trust and fiduciary responsability.
As a user I might accept paying for getting "tested" upgrades, but I know most people who don't use computers as work tools wouldn't understand the logic. Now with firewalls/antivirus/other security tools, getting updates to the consumer in a timely fashion is essential, so much that many such software would be well advised not to sell the software, but to sell the updates, as a service, provided consumers, who are normally allergic to such things, can be convinced to overcome their allergy.
Perhaps that's why there's no single update service, at least, in the consumer world. Updates have varying impact, depending on what's updated, computers have varied uses, and the value of keeping them updated varies with use, and because that value varies, few update services can address the perceived value properly, and yet address the kinds of hardware/software combinations that exist in the real world.
That would explain why 2003 Server's update come from the hardware manufacturers come to think of it.
That also explains why so many update systems now come up for companies (Microsoft's SUS, Redhat Network Satellite, Mandrake's etc...) to allow them to keep updates for their software inventories and maximise their availability and minimise their bandwidth bills as well.
I've had several more cases of "security" patches breaking my systems through changes to things not related to the security issue than I have of being hacked/infected/spywared.
So I couldn't in good faith recommend auto-update on any system where the supplier has a history of this.
Maybe when the software industry is mature enough to release security patches that *only* contain a security patch I'd think about it. I expect I'll be a long time waiting.
Ok, so some free *nix distros do, and that's nice, but these generally aren't the ones getting infected all over the place.
Plus, as someone else mentioned, having an auto-updater interrupt the one game of UT2004 you've managed to fit in this week is just not on.
I don't understand how certain software suppliers are finding this so hard. Release a patch that fixes the security issue. Only the security issue. Make it small. Make auto-updaters check for updates when the screensaver kicks in. Duh.
- MugginsM
Autoupdating as it is used by most apps is just annoying.
Certain things need to be updated frequently, such operating systems and antivirus programs. Programs like quicktime and real don't need to be updated more that a few times a year, at yet they try to have tray icons running all the time.. Generally these autoupdating utilities are used to steal file associations everytime you try to change them back to media player or winamp.
It's one thing for an app to look for updates (after asking you) once you open it, but it is a complete waste of resources for every app to have a tray icon using a few megs of ram to periodically download updates.
...about essentially putting "apt-get update; apt-get install" in the crontab.
I'd make sure the session is interactive in a SSH/screen session, and monitor how long the process has been running. If it's still running after half an hour, it'll fire an email at me saying the update process needs my attention.
If all exits normally, it'll email me the stdout and stderr of the session, so I know what was updated.
tasks(723) drafts(105) languages(484) examples(29106)
Autoupdates are nice if they work. But they are damned annoying when they don't. My lone WinXP box (used to talk to the HP Scanner and the Epson "I only work with my windows drivers" Color printer) is a good example. The HP Scanner software decided it needed to update itself. It's an annoying feature but I mistakenly said "ok". So after applying its updates the HP AutoUpdater now crashes whenever the screensaver kicks in. Nice AutoUpdateOfDeath...
Obviously I now have to take the time to go search the web for the solution and hope that it works without corrupting too much else.
I wonder how much time people waste "fixing" the updates that they download due to the incessant nagging of the applications?
Invalid Checksum. Retrying.
And if you're lucky the hackers will have patched the bug for you by then so that other hackers don't get access to their new zombie host and mess around. Hackers, auto-updating UNIX systems for admins since 1969.
And companies try to hard to sound like they have no real issues, sometimes making important updates not sound as important as they really are.
Very nicely put.
This is a terrible problem in the computer industry. Because most commercial software is sold as a "closed box" and software is complex and difficult for end users to analyze, software companies can get away with a phenomenal amount of misrepresentation and truth-bending.
This is a major thing that I like about open-source software. The folks in it tend to be reasonably honest. If everyone in the world can see the patch that was just checked in, there's no way you can get away with "Improves functioning of Web pages" for "eliminates remote exploit seizing control of your computer". Furthermore, because there are no marketers involved to work on misrepresenting the software to the user (and thus selling more copies), it's okay to be publically critical about your own software. Bugs aren't "issues", they're *bugs* (God, I hate software companies that insist on calling their bugs "issues"). It's not an "issue", it's a bug. You screwed up; be honest and be trusted in the future. In the open source world, sometimes feature requests are considered "bugs" -- hey, it doesn't do desireable behavior, so the authors overlooked something.
If Microsoft had made Bugzilla, it would be dubbed "Microsoft Advanced Issue Tracker".
May we never see th
..but, as a Windows Technician of almost 4 years now I believe that people should be aware of 99% of what happens to their computer.
:^)
Treat it like a car.
Wouldn't you be upset when you find out that your engine was "automatically updated" one day and that's why you were limited to 5 mph making you cancel meetings, miss deadlines, etc..
Treat your computer like it's your car, unless you're an FFR* masochist.
Trust me, you'll save time AND money in the end.
*FFR -- Fdisk/Format/Reinstall, somewhat ancient but it still applies.
Give the amount of spyware and other such softwares available, it would be wise if microsoft develops a new technology(API) for Auto-Updation feature of Third-party applications.
Other approach for the Software manufacturers is to make use of independent testing houses.(for functionality and Security/privacy issues)
There will be good acceptance rate for such certified softwares in the market.
This scares the h*** out of me. The reason being, if I was a hacker (which I'm not), this is the service I would try to hijack. This combined with someone finding an exploit to this service, well enough said.