Slashdot Mirror

← Back to Stories (view on slashdot.org)

Auto-Updates - Proactive or Begging for Abuse?

Posted by Cliff on from the a-sword-with-many-edges dept.

narzy asks: "To me one of the most important steps to keeping a computer secure is keeping the systems software up to date. The problem I run in to is that more and more of the applications in everyday use are web enabled in some context or another, making them high targets for attack and exploitation. I am beginning to find it difficult to keep clients computers completely up to date. I find that applications that have an auto update such as my anti-virus Nod32 which updates every day on its own a real blessing. It's a feature that is an option but and option that I personally wish was in a lot more software. Windows has this feature (so does Linux if you want it to) however in the case of Windows it's not exactly all that consistent. Unfortunately it opens another can of worms that isn't so enjoyable that being companies who abuse such a system for advertising purposes, modifying the software in such a way to reduce or change its functionality either because of internal decisions or external pressures from 3rd parties, compromise and abuse of the server the company uses to distribute the updates. But is it worth the added risk to know that 95%+ of the time your software is up to date? It's not a cure all but is it or is it not better then a reactive approach?"

7 of 35 comments (clear)

  1. It's all about how lazy you are... by ivan256 · · Score: 3, Interesting

    A changing system never runs; A running system never changes.

    Ideally, this means you would take the time to understand every update to your system, and install only those that were critical in order to maximize stability. Automatic updates are the other extreme and, if you ask me, never a good idea.

    If you are responsible for numerous machines, perhaps automated updates are right for you, but you should maintain control. Learn about the update, and personally send out the updates you deem important and know to be compatible to your client's machines. Letting a bunch of individual entities with no knowledge of each other all have free reign over a machine is never a good idea, no matter how well intentioned all the parties involved may be.

    1. Re:It's all about how lazy you are... by BigBir3d · · Score: 3, Interesting

      Flip side of that coin is how long do you have to wait before you can properly vet an update to make sure it works 100% for all hardware and software variants? How far behind do you fall? How insecure do you become? This is of course assuming your client machines are full fledged desktops running the OS of choice - Windows XP.

      For general software updates I tend to agree with you. If it ain't broke...

    2. Re:It's all about how lazy you are... by flonker · · Score: 3, Insightful

      local root exploit + remote non-root exploit = remote root exploit

      Not always, but often enough to count.

  2. I just use Autoupdate.. by NanoGator · · Score: 4, Insightful

    ...and keep in mind that shit happens.

    I would also suggest, though, that you'll never ever have a secure reliable system. Your computer can always be stolen or struck by lightning. A hard drive can fail. Etc. If you take the approach of "My computer could spotaneously combust" and deal with it that way, then you're in a far better world. Even the worst virus wouldn't cause you to lose your data.

    --
    "Derp de derp."
  3. The real concern by greywar · · Score: 3, Insightful

    The real concern I think is some guy finding a way to hack one of these. With a 8 hr waiting period...if it then simultaneously reformated everything.

    Imagine windows update hacked. I update daily-lets assume 100 million other folks worldwide do. Within 8 hrs 33 million computers are infected...and reformat themselves.

    THATS my concern

    1. Re:The real concern by Kaali · · Score: 4, Interesting

      Doesn't Windowsupdate have any security checks on the validity of updates?

      I use Gentoo Linux and it has quite nice security checks for checking that everything i'm installing through its package manager is what it is supposed to be. First i use random rsync server to fetch "package-definitions" called ebuilds and with them MD5 hashes of the software files. What makes it secure is that we have random rsync servers and random mirrors for the files themselves. So in theory cracker has to crack at least two servers(main rsync server and main file server where everything gets mirrored from) to infect a Gentoo Linux system. I'm don't really know all the details of Gentoo Linux package-manager and its security checks, but this is how it acts approximately, at least the last time i checked. Hmm.. ofcourse there is a possibility that the original software server is already cracked when Gentoo Ebuild-developers make their ebuilds&hashes.

      Well, nothing is completely secure.

  4. apt-secure, don't let packages upgrade themselves by ijones · · Score: 5, Insightful

    "Apt-Secure" has a nice sense of "which package sources are trusted". That means, APT maintains a list of places to get packages from. Some of these sources are trusted, and their packages can be cryptographically verified to be truly from those sources.

    If there's a new version of a package from an "untrusted" source, it'll ask you if you're sure you want to upgrade that package.

    I think it's silly to have package go and upgrade themselves, especially where each package has it's own way to perform the upgrade, and you have to trust each vendor's security implementation (instead of a single central one). A bunch of packages running off and upgrading themselves, each with its own security model (if any) is a great way to open yourself up to a man-in-the-middle attack several times a day. The OS should handle this in a consistent, secure way that the administrator can understand.

    peace,

    isaac