Slashdot Mirror


'Don't Tell People To Turn Off Windows Update, Just Don't' (troyhunt.com)

Security researcher Troy Hunt, writing on his blog: Often, the updates these products deliver patch some pretty nasty security flaws. If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as "MS17-010" pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched. It's because of this essential protection provided by automatic updates that those advocating for disabling the process are being labelled the IT equivalents of anti-vaxxers, and whilst I don't fully agree with real-world analogies like this, you can certainly see where they're coming from. As with vaccinations, patches protect the host from nasty things that the vast majority of people simply don't understand. This is how consumer software these days should be: self-updating with zero input required from the user. As soon as they're required to do something, it'll be neglected, which is why Windows Update is so critical.

34 of 507 comments

  1. Excluding the unfortunate exceptions by JimToo · Score: 5, Insightful

    Unless you have a production environment with a software product that breaks with Windows Update turned on. In which case you have to take additional security and maintenance measures and have a team that is tasked (and funded properly) to do testing and updates on a regular basis.

    1. Re:Excluding the unfortunate exceptions by xxxJonBoyxxx · Score: 5, Insightful

      Or the Windows 10 update doesn't work and keeps downloading/restarting/bluescreening your computer. (Looking at you, "Anniversary" edition.)

    2. Re:Excluding the unfortunate exceptions by mhollis · Score: 5, Insightful

      Mod this up, folks!

      I know at least five different business environments which have been, essentially, shut down by a Windows update. One of them was signing a new service contract as I was talking to him—he had been down all day, unable to see his customer files, his books, the jobs his company was supposed to be doing, unable to route his employees to where they were supposed to go. They went back to a paper-only system they have not used since 2002, and they were guessing at that. They were taking credit cards over their website, but could not record the result in their books and had to just save all of the emails and spend an additional day or so just doing data entry into their bookkeeping system.

      Of course, these are anecdotes (which is what the anti-vax community uses instead of Science). The problem is not the update, it is what Microsoft does to the computer upon emerging from the update. Elsewhere, people have written of resetting all of the browser preferences, BSODs and other issues. Microsoft needs to restore the previous state of the computer or server (as much as is practical) after the patch. They need to go in like a surgeon with the same motto: "First, do no harm." And if they figure out how to do that, their updates will be seen as being as innocuous as Apple's.

      --
      Gods don't kill people, people with gods kill people.
    3. Re:Excluding the unfortunate exceptions by mysidia · Score: 2, Insightful

      Makes sense, but not an excuse for turning off Updates.

      How about your company's team (with the prod. servers) does their job, then? And tests and rolls out the updates BEFORE Windows Update automatically installs it.

      Leave Windows Update enabled, schedule all new updates to install on X day; however, if Windows Update rolls out the patch on its own, then YOUR TEAM failed to conduct its job appropriately, which was to perform a controlled rollout in a timely manner (BEFORE the update is a week old and the failsafe triggers to protect your organization's security).
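
      A read-only posture check, added here as an example and not part of any comment in the thread, for the arrangement mysidia describes: Windows Update left enabled, installs scheduled to a chosen day via policy, and a named security update confirmed present rather than assumed. It assumes PowerShell 5 or later run as Administrator; the KB id is a placeholder to replace with the KB number that corresponds to the bulletin you track (MS17-010 maps to different KBs per Windows version).

```powershell
# Added example (not from the thread): audit Windows Update posture on one machine
# so a small shop can keep WU enabled and scheduled, and verify a required patch
# is present, instead of switching WU off. Assumes PowerShell 5+, run as Administrator.
param(
    [string]$RequiredKb = 'KB0000000'   # placeholder: substitute the real KB id you track
)

# 1. Is the Windows Update service present and allowed to start?
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wu) {
    Write-Warning 'wuauserv service not found'
} else {
    Write-Output ("Windows Update service: Status={0} StartType={1}" -f $wu.Status, $wu.StartType)
    if ($wu.StartType -eq 'Disabled') {
        Write-Warning 'Windows Update service is disabled; security fixes will not arrive'
    }
}

# 2. Automatic Updates policy. AUOptions 4 = auto download and install on a schedule;
#    ScheduledInstallDay 0 = every day, 1..7 = Sunday..Saturday; ScheduledInstallTime = hour (0-23).
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (Test-Path $au) {
    $p = Get-ItemProperty -Path $au
    if ($p.NoAutoUpdate -eq 1) {
        Write-Warning 'Policy NoAutoUpdate=1: automatic updates are switched off by policy'
    }
    Write-Output ("AUOptions={0} ScheduledInstallDay={1} ScheduledInstallTime={2}" -f `
        $p.AUOptions, $p.ScheduledInstallDay, $p.ScheduledInstallTime)
} else {
    Write-Output 'No Automatic Updates policy set; Windows Update defaults apply'
}

# 3. Is the required security update installed? Get-HotFix reads the installed-update
#    inventory, so a patch applied manually (out of band) is counted as well.
$fix = Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue
if ($fix) {
    Write-Output ("{0} installed on {1}" -f $fix.HotFixID, $fix.InstalledOn)
} else {
    Write-Warning "$RequiredKb is NOT installed; patch before relying on this machine"
}
```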

    4. Re:Excluding the unfortunate exceptions by xxxJonBoyxxx · Score: 5, Insightful

      >> How about your company's team (with the prod. servers) does their job, then? And tests and Rolls out the updates BEFORE Windows update automatically installs it.

      So...Windows shouldn't be used by small or medium-sized businesses without IT workstation teams, then?

      Microsoft, can you confirm?

    5. Re:Excluding the unfortunate exceptions by Anonymous Coward · Score: 2, Insightful

      It also doesn't help that when I try to find details about updates there's no information in the Windows Update panel. "Install this update to resolve issues with Windows." Thanks, you fuckers... what issues? "Click here for more information." I click and get taken to a page that says "Install this update to resolve issues with Windows." Oh for fuck's sake...

    6. Re:Excluding the unfortunate exceptions by CFTM · Score: 3, Insightful

      So, if you read the article, you'd know that he's actually talking about home users and states beforehand that enterprise environments have their own processes and procedures for dealing with these things (and if they got hacked, they screwed up because it's been three months).

      The problem is that technical users, like those found on Slashdot, tell home users that they should turn this stuff off because it causes all these problems, when it really doesn't when you're running a system with known hardware and under typical operating conditions.

      By typical, I mean you use Chrome and maybe a few other applications. You're not a developer, you're not a big time game player.

      This is 95% of MS home users. These people should all have Windows Update on at all times and what's more, they could care less about the crap that Microsoft packages in along the way. We may consider it invasive but most people just shrug their shoulders and move on.

  2. Microsoft's fault by sconeu · Score: 5, Insightful

    If they hadn't done shit such as the forced Win10 update, or forced GWA, or done a lot of other crap that broke people's systems (in the name of marketing), then maybe people wouldn't have said, "Turn it off".

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re: Microsoft's fault by macsforme · Score: 5, Insightful

      Agreed. A level of trust is required when you allow vendors to push automated updates to your system, and unfortunately there have been breaches of this trust when vendors saw this as an opportunity for more than enhancing user security.

    2. Re:Microsoft's fault by Anonymous Coward · Score: 5, Insightful

      Plus, if anti-vaxxers could actually point to widespread deaths, they might have a point.

      People who advocate turning off Windows Update CAN point to widespread Windows deaths due to errant updates.

  3. But... but... by Anonymous Coward · Score: 2, Insightful

    The telemetry spying though...

  4. Telemetry and Windows 10 by Anonymous Coward · Score: 5, Insightful

    Windows Update also wanted to install telemetry on my Windows 7 system until I removed the patch. Then for 12 months Windows Update wanted to 'upgrade' me to Windows 10; the software employed all sorts of tricks to make me say yes, and in the end I just disabled updates as it was less hassle.

    My Windows 7 system was not affected by the events over the weekend as all it does is run some test equipment. It still has Windows Update disabled and it's going to stay that way.

  5. Windows Users... by hackel · Score: 0, Insightful

    Why would anyone *disable* automatic updates on Windows? With it being widely known as such an insecure OS, that just seems insane. I've never heard anyone give such advice, but if they did, they surely deserve a smack on the head.

  6. Maybe if Windows Update behaved decently... by ToTheStars · Score: 5, Insightful

    The reason folks turn off Windows Update is that it behaves kind of like malware itself! I'm technologically savvy enough to set my registry and so on to disable the awful "Get Windows Ten" updates, but when so many users got shafted by Windows "self-updating with zero input required from the user" to a completely new operating system (a new operating system that actively thwarts end-user control over updates!), is it any wonder that so many of them switched it off?

    The comparison to anti-vaxxers is interesting, and apt in more ways than Troy may have known. Much like Microsoft hijacked their Windows Update program to push Windows 10, the CIA used a Pakistani polio vaccination campaign to gather intelligence about Osama bin Laden (see here: https://en.wikipedia.org/wiki/...). This has resulted in the killing of other relief workers and general suspicion of medical aid programs in that region, and so polio persists.

    1. Re:Maybe if Windows Update behaved decently... by Anonymous Coward · Score: 3, Insightful

      Thank you. The polio vaccination ruse by the CIA and the telemetry comparison is exactly what I thought of as well.

      On a separate note, WU used to specifically tell you what the update fixed, right in WU. Then they started making you click a link to go to the MS web site. After a while the web page stopped saying anything useful. Now you have to research each one manually, which is unacceptable. There is no reason MS would go to those lengths to obfuscate what a patch does, unless it's so they can foist more crapware on you. I can't think of a good vaccination analogy for that, but it pisses me off.

  7. Re:Generally Sound Advice by dc29A · Score: 5, Insightful

    I would do that if (1) MS didn't cram W10 down my throat; (2) every major update didn't reset browser preferences; (3) they stopped updating and breaking hardware drivers; and (4) I could disable telemetry. My Macbook and Ubuntu machines are auto-update enabled. Not my Windows gaming box. No thanks.

  8. What about the updates that hurt users? by evolutionary · Score: 4, Insightful

    The problem is that around 30% of MS Updates actually hurt the user, either by introducing "features" that (like Apple) inadvertently or deliberately add things that are of no benefit to anyone but MS and in many cases hurt the users. Windows 10 basically is capable of hijacking itself (as per its design), so it's hard to know what is good and what is not, especially since MS gives VERY vague descriptions of its updates as per the new Windows 10+ policy to tell users: it's our update, just take it (up the rear end). The sooner we start admitting that we don't in fact NEED MS Windows at this point, the better. Linux anyone?

    --
    "Imagination is more important than knowledge" - Einstein
  9. Turn off Windows Update by Dunbal · Score: 1, Insightful

    But don't be a retard. Keep reading this site and others. I manually installed MS17-010 a month ago even though Windows Update has been off for years. People get what they deserve. You need to actively pursue your own security, not ignore it or worse, pretend that Microsoft is going to do it for you. Windows Update is more trouble than it's worth. Especially since Windows 10.

    --
    Seven puppies were harmed during the making of this post.
  10. Re:Poor advice. by Anonymous Coward · Score: 5, Insightful

    nobody cares what you do on your PC

    Then why did they implement telemetry in Windows?

  11. Re:There should be a separate "Security Updates On by green1 · Score: 5, Insightful

    There is, it's the "critical updates only" checkbox.
    The problem isn't the lack of said checkbox, it's the fact that Microsoft doesn't respect that checkbox and considers all sorts of marketing fluff and malware to be "critical".

  12. Microsoft could be a big help here by JohnFen · Score: 5, Insightful

    If Microsoft would just go back to the days when security patches were done separately from other sorts of updates, that would be a huge help. I know a lot of people who disable updates to avoid feature changes, but would accept automatic security updates.

    Microsoft's position of not making a distinction between the two is a large disincentive to allowing automatic updates for a lot of people.

  13. Re:Generally Sound Advice by Anonymous Coward · Score: 5, Insightful

    The blame for people not updating/patching computers lies squarely on Microsoft.

    Automatic updates, with no user action required, is a really great thing, but ONLY when the updates are strictly for important security patches, and NOT all sorts of other crap that randomly changes or breaks things.

    And then there's the whole "we're going to shove Windows 10 up your ass whether you want it or not" fiasco.

    Microsoft has fucked so many people, so many times, that users have become averse to automatic updates.

  14. Patches are just like vaccines... by Noishkel · Score: 4, Insightful

    Except if vaccines failed as much as a Microsoft patch did there would be no doctors... because people would be shooting them in the street.

    Yeah, yeah... I can already hear the autistic fast typing from some keyboard warrior looking to 'correct' me on this one. But sorry... Microsoft no longer has any credibility to tell people what to do with their machines. The entire roll-out of Windows 10 has been nothing but train wreck after train wreck. And you know what? Even if we get the occasional virus, it's still better than having to deal with the rest of the continuing train wreck that is Microsoft. People are just going to have to go back to the old days when people had to actually learn how to protect themselves, instead of waiting on the industry to sell you a next generation of device that 'might' be eventually patched.

  15. 100% Microsoft's fault for forcing Windows 10 by Thud457 · Score: 5, Insightful

    Don't use the channel for security updates to force advertising on your customers, just don't.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  16. also... by Comboman · Score: 5, Insightful

    also, doctors don't break into your house in the middle of the night to give you a vaccine (and snoop around your house while they're there).

    --
    Support Right To Repair Legislation.
  17. Windows users have two options by JoeyRox · Score: 4, Insightful

    Option A) Turn automatic updates ON and risk Microsoft making your machine unusable due to a faulty update
    Option B) Turn automatic updates OFF and risk Microsoft making your machine unusable due to the absence of a security update

  18. Re:Generally Sound Advice by phayes · Score: 5, Insightful

    So how often should people re-evaluate when a company like Microsoft breaks their trust by forcing upgrades and other such nonsense? 6 months is sufficient according to you, apparently.

    News flash: When a company breaks its users' trust, the time it takes can be measured in years and is often never. Yeah, it'd be great for security if people were applying upgrades ASAP, but MS's new policy of only making rollup updates, forcing the inclusion of all previous updates, can only backfire, making people even less apt to apply them. Hey, they've already broken our trust once, they're likely to do it again.

    The problem is in large part MS's own creation.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  19. Re:Generally Sound Advice by Anonymous Coward · Score: 3, Insightful

    Exactly. If Microsoft behaved decently and simply provided security patches that fix vulnerabilities ONLY, there would be no issue. However Microsoft does shit like changing user settings (making IE/Edge your default browser), breaking hardware drivers, installing spyware etc.

    In my particular case I run a pirated Windows 7 gaming machine, with the "Genuine Microsoft" Windows activation disabled via a pirate-written patch. Both were downloaded via a Piratebay torrent. It turns out every time I update this machine, the Windows activation gets re-installed and I get this "Your computer is not running Genuine Microsoft, certain features have been disabled, you have 30 days to register Windows blah blah" message. And I have to dig out the pirate patch again and re-do the activation all over again.

    So I stopped updating, and changed the Windows Update setting to "Never". This was back in 2014. My Windows has not been updated since then.

    So did I get hit by a shitload of viruses and malware and Wannacry? Nope. Not been infected with anything, not one single issue that I'm aware of. I'm typing this on the same pirated Win7 machine, connected to the internet full-time 24/7, and it's running like a champ.

    This is possible because 1) I don't click on email links or open attachments. In fact I don't even bother reading any emails unless I know exactly who is sending it. The rest get mass-moved into the Junk folder. And 2) I run the uBlock Origin adblocker, so I don't even get to see most of the malicious web adverts. And if I do see a web advert, I'm smart enough not to click on it. And yes, I never click on or buy any shit advertised on interwebs sites, and I'm not missing anything as far as I know. Anything I need, I just go straight to Amazon or ebay and buy it that way, not through any ads. And 3) my firewall blocks random people trying to port scan or connect to my machine.

  20. Re:Generally Sound Advice by Anonymous Coward · Score: 2, Insightful

    This. I was fine to leave auto-update on for security fixes, but then Microsoft started cramming their telemetry and other crap into them, making them bundled so you couldn't get your security fix without letting Microsoft scoop up every piece of info on your computer that it wanted.

  21. Repeat After Me by John+Allsup · Score: 4, Insightful

    If you value security, don't run the mission-critical parts of your infrastructure on a general purpose operating system like Windows, but rather run it on a minimalist, locked-down OS that has _only_ the facilities needed to do its job. The update carousel is a nightmare. If you want to ensure your Windows box doesn't sporadically reboot during a long unattended operation in order to update, what do you do? If you want to lock Windows down so it can only do the job to hand, and nothing else, you're screwed. If you run mission-critical stuff on a full-featured general purpose OS (and the same can be said for off-the-shelf Linux distros like Ubuntu and Fedora), you are kinda asking for it.

    That this idea is older than me, but is ignored, is laughable.

    --
    John_Chalisque
  22. Re:Generally Sound Advice by Tailhook · Score: 4, Insightful

    This is hard to argue with. I personally prepared for this by preventing the Win 10 upgrade (even using third-party software to stop the constant, malware-like badgering complete with deliberately misleading prompts) until I was good and ready to deal with it, then I did a full clean install and manually migrated stuff over because I knew there was no way my complex, roughly used installation could possibly upgrade well automatically. One simply cannot, however, expect a planet full of Windows users to take this conservative approach; even if they were inclined to, which they aren't, most of them simply aren't competent to deal with this stuff and would do more damage than what the upgrade inflicted.

    So they all got put through the upgrade wringer, creating bad outcomes for millions and leading to widespread "anti-vaxxer" behavior. Since then the "anti-vaxxers" have had their behavior affirmed by disruptive updates doing unwelcome stuff. The glacial slowness of the Windows 10 update process alone is a huge failure in my mind; this has badly regressed from earlier releases; I have a laptop I boot maybe once a month and I've come to expect the Windows 10 updates to take an hour or more. Ridiculous.

    After putting the whole world through all this shit one simply can't point a finger at millions of beleaguered users and blame them for their negligence. I'm sure they'd be happy to have their system automatically updated, as long as it wasn't the computing equivalent of getting a SOA-style beat-down every few months.

    --
    Maw! Fire up the karma burner!
  23. Re:Microsoft only have themselves to blame by Hartree · Score: 3, Insightful

    "The bundling of updates into a single entity so that we don't have control over what gets installed on our systems"

    This! Abso-fracking-lutely this!

    Give me the info on what the update is, and I can decide whether it's worth the risk to install immediately or if I need to run it on a non-important machine first to vet it. Yes, theoretically I can drill down on MSDN and the knowledge base, but with so much redirection and info hiding in the documentation, in truth it takes too much time. Exactly as Microsoft intended it.

  24. Re:Poor advice. by BronsCon · Score: 2, Insightful

    Because they do care about what crashes on your computer and why, so they can fix those issues. That's more to do with what other people (software developers) do on your computer than what you do on it.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  25. Re:Generally Sound Advice by Darinbob · Score: 3, Insightful

    The problem with the sound advice is that Microsoft is actively undermining the update process by treating customers so badly. They don't test their updates well, they make them forced in later versions, they tie the updates to earlier updates, and worst of all their malware-inspired forcing of Windows 10 on people has justifiably trained customers to distrust Microsoft.

    It's time-consuming to check out each and every update to make sure it's safe. But I have to do that because I cannot trust Microsoft not to play games with my systems.

    Applications too: I don't update iTunes because every time I do it screws up, changing the UI in drastic ways, and it takes me a very long time to get it working properly again. But that's ok, I do not use the store in iTunes, it does not execute any strange attachments, and as a malware vector it's pretty low compared to the OS itself. If it played nice then I'd update it more regularly.