'Don't Tell People To Turn Off Windows Update, Just Don't' (troyhunt.com)
Security researcher Troy Hunt, writing on his blog: Often, the updates these products deliver patch some pretty nasty security flaws. If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as "MS17-010" pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched. It's because of this essential protection provided by automatic updates that those advocating for disabling the process are being labelled the IT equivalents of anti-vaxxers and whilst I don't fully agree with real world analogies like this, you can certainly see where they're coming from. As with vaccinations, patches protect the host from nasty things that the vast majority of people simply don't understand. This is how consumer software these days should be: self-updating with zero input required from the user. As soon as they're required to do something, it'll be neglected which is why Windows Update is so critical.
Those fuckers at MSFT ruined security updates by force-feeding the user spyware, or even forcing an "upgrade" to Windows 10.
Now nobody trusts Microsoft, and would rather take their chances without the "essential updates".
It's a very complex ecosystem. Generally, the benefits of the many outweigh the "sacrifice" of the few.
For every machine negatively affected by a forced update, there's a million which benefited from it. Unfortunately, that million machines don't yell "fault!" like that one which messed up does.
Yes, Microsoft were too aggressive with pushing people towards updating to Windows 10, and they should have toned it down. But ultimately, it was not the "upgrade push" which pissed people off, but the whole telemetry debacle. People were turning updates off and messing with hidden Windows settings because of telemetry, not security updates. Problem is, Microsoft pushed back and started mixing security updates with telemetry, then people pushed back and turned updates off altogether, etc. It was, and still is, a general cat fight.
I was never worried about a few machines coughing up during an automated update. Serious businesses should have internal update QA and separate WSUS servers. genpop users usually don't have really expensive stuff on their machines, and if they do, they should at least afford paying someone knowledgeable to help them with their setup in such a way that they won't lose more than a couple of hours if an update fails. What I (and pretty much everyone with a bit of IT knowledge) was worried about was the telemetry additions, which really should have been opt-in since day 1.
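The "separate WSUS servers" setup mentioned above, expressed as the client-side policy a workstation would carry, is shown here as an added example; it is not code from the thread or from Microsoft. It writes the same registry values the Windows Update Group Policy templates set, points the machine at an internal WSUS server in a "Pilot" target group so that approvals can be staged before they reach the broad population, keeps driver packages out of quality updates, and leaves the reboot to a logged-on user. The server name, port and group name are placeholders; run it elevated on the client.

```powershell
# Added example (not from the original thread): registry-backed Windows Update
# policy for a client that takes patches from an internal WSUS server in a
# staged ring rather than straight from Microsoft. Run as Administrator.
# 'wsus.corp.example', port 8530 and the group 'Pilot' are placeholders.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

foreach ($key in @($wuPolicy, $auPolicy)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Point the agent at the internal WSUS instance for both downloads and reporting.
Set-ItemProperty -Path $wuPolicy -Name 'WUServer'       -Value 'http://wsus.corp.example:8530' -Type String
Set-ItemProperty -Path $wuPolicy -Name 'WUStatusServer' -Value 'http://wsus.corp.example:8530' -Type String
Set-ItemProperty -Path $auPolicy -Name 'UseWUServer'    -Value 1 -Type DWord

# Client-side targeting: approve to 'Pilot' first, then to the broad group
# once the pilot machines survive a reboot and a smoke test.
Set-ItemProperty -Path $wuPolicy -Name 'TargetGroupEnabled' -Value 1 -Type DWord
Set-ItemProperty -Path $wuPolicy -Name 'TargetGroup'        -Value 'Pilot' -Type String

# Keep driver packages out of quality updates (honoured on Windows 10 1607 and later).
Set-ItemProperty -Path $wuPolicy -Name 'ExcludeWUDriversInQualityUpdate' -Value 1 -Type DWord

# AUOptions 3 = download automatically, notify before install.
# NoAutoRebootWithLoggedOnUsers stops the forced restart timer while someone is logged on.
Set-ItemProperty -Path $auPolicy -Name 'NoAutoUpdate'                  -Value 0 -Type DWord
Set-ItemProperty -Path $auPolicy -Name 'AUOptions'                     -Value 3 -Type DWord
Set-ItemProperty -Path $auPolicy -Name 'NoAutoRebootWithLoggedOnUsers' -Value 1 -Type DWord

# Re-read policy and make the agent report in to WSUS so it shows up in the console.
gpupdate /target:computer /force | Out-Null
& "$env:SystemRoot\System32\wuauclt.exe" /reportnow

# Print the effective values so the change can be checked in a build log.
Get-ItemProperty -Path $wuPolicy | Select-Object WUServer, TargetGroup, ExcludeWUDriversInQualityUpdate
Get-ItemProperty -Path $auPolicy | Select-Object UseWUServer, AUOptions, NoAutoRebootWithLoggedOnUsers
```

Moving a machine from 'Pilot' to the broad group is then a WSUS-side approval decision rather than a per-client change, which is what makes the staging cheap enough to actually do.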
From troyhunt.com: "Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals"
It's obviously in his interest to make everyone Microsoft's puppets.
The number of problems caused by installing Windows updates for our IT department: THOUSANDS
The number of problems caused by holes left in the Windows OS that an update or patch supposedly has fixed: 20
Easy decision.
I don't think I've ever worked at a company that had "automatic updates" turned on. The reason being, company ecosystems tend to be predominantly all the same hardware, same Windows version and same patch level, and a bug in an update that affects that particular collection of hardware and software can take an astounding number of seats offline. (In much the same way a biological virus can take out an entire species if they're not sufficiently genetically diverse.) So yeah, no. Companies that want to stay in business don't do that. Of course, they *do* have a team that tests updates in a lab and sends out validated updates to the rest of the company, often a subset of what Microsoft spews out.
I do something similar at home. We have three Winders boxes, and none of them have auto update turned on. Every week or so, I look at what updates are available, and apply at minimum the security updates to the least used of those three boxes. If it survives a reboot and some reasonable amount of smoke testing, I install on the game machine, and if that works out ok, after a day or two I'll install it on my own workstation. I have to take care because my machine is (a) my only conduit to my "day job", and (b) my main workstation for my side-business. I can't afford to be down because Microsoft botched a patch any more than any large company can.
So yeah, security updates are important. Vital, even. But that doesn't mean you just install every update the moment it becomes available. An important part of "security" is "availability". And that's just as important as "confidentiality" and "integrity".
Another contributor had it right -- there should be a way to auto install security updates only. So if Microsoft botched a driver update and it renders unbootable a certain brand of PC running a certain brand of video card, it's less likely to take large numbers of users offline.
I know there are essential and optional updates (or whatever words they use) but most updates are considered by Microsoft to be essential.
And this doesn't even address compatibility of updates with installed applications. You know, the software you use to actually do work.
All that said, it does seem like Microsoft is doing a better job vetting their patches before release than they did the earlier part of this century. But being burned a few times breeds caution.
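The "auto install security updates only" behaviour this comment asks for can be scripted against the Windows Update Agent COM API, which is what the agent itself uses. The following is an added example, not code from the thread or from Microsoft: it searches for software updates that are not yet installed, keeps only those Microsoft has classified as "Security Updates" or "Critical Updates", skips anything in the "Drivers" category or anything that would need user input, installs the rest, and reports whether a reboot is pending instead of triggering one. The classification names are the ones the agent exposes on each update's Categories collection; the script assumes it is run elevated with the stock agent, not a WSUS-restricted one that hides categories.

```powershell
# Added example (not from the original thread): install only security/critical
# updates through the Windows Update Agent COM API, never drivers, and leave the
# reboot decision to the operator. Run as Administrator.

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Type='Software' already excludes driver packages at search time; the
# category check below is a second guard in case a rollup is misclassified.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$wanted  = @('Security Updates', 'Critical Updates')
$toApply = New-Object -ComObject 'Microsoft.Update.UpdateColl'

foreach ($u in $result.Updates) {
    $cats = @($u.Categories | ForEach-Object { $_.Name })
    if ($cats -contains 'Drivers') { continue }                     # never touch drivers here
    if (-not ($cats | Where-Object { $wanted -contains $_ })) { continue }
    if ($u.InstallationBehavior.CanRequestUserInput) { continue }   # unattended only
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    Write-Host ("Selected: {0}  [{1}]" -f $u.Title, ($cats -join ', '))
    [void]$toApply.Add($u)
}

if ($toApply.Count -eq 0) { Write-Host 'No security or critical updates pending.'; return }

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $toApply
$dl = $downloader.Download()
if ($dl.ResultCode -ne 2) { throw "Download failed, OperationResultCode=$($dl.ResultCode)" }  # 2 = orcSucceeded

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toApply
$inst = $installer.Install()

# Per-update result so a failed KB is visible in the log rather than buried.
for ($i = 0; $i -lt $toApply.Count; $i++) {
    $r = $inst.GetUpdateResult($i)
    Write-Host ("{0}: ResultCode={1} HResult=0x{2:X8}" -f $toApply.Item($i).Title, $r.ResultCode, $r.HResult)
}

# No forced restart: surface the requirement and let a maintenance window handle it.
if ($inst.RebootRequired) {
    Write-Warning 'A reboot is required to finish installing these updates.'
}
```

Because the selection is done in the script rather than by the agent's own scheduler, feature upgrades, "Updates" with no security classification and driver packages never enter the collection, which is the separation the comment is asking Microsoft for.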
For me, it takes around three manual restarts, because I have a dual-boot system and the default option is to boot into Linux. Even if Windows does download the update, it then sits around for so long with no indication of what it is doing that the screen blanks out. Then it just sits there pondering and reboots into Linux. Then I reboot back into Windows, which tells me that updates have to be installed. Then it sits around a bit more with a blank screen, then it reboots.
So an automatic update isn't going to be automatic, and it comes as a rather unpleasant surprise to boot into Windows, only to find that the updates weren't installed or need to be downloaded and installed before I can get any work done. If this update system were designed correctly, it should simply clone the existing Windows config, apply the updates, and only say a new version is available when everything is working correctly.
Yep. I had a laptop that came with Windows 8 on it.
I booted it once into Windows to change UEFI settings and then put Lubuntu on it.
Well, a friend had a Windows question for me when I was away at a conference. No problem! I booted my laptop into Win8, looked up how to do the thing, and told her. I went to bed.
I woke up to find that my system had:
1) autoupdated to Windows 10
2) fucked the bootloader so I couldn't boot into Linux any more.
This is on top of the fact that Windows updates take about a year to complete and reenable a bunch of crap that I keep disabling ("Windows Media x").
The blame for people not updating/patching computers lies squarely on Microsoft.
Automatic updates, with no user action required, are a really great thing, but ONLY when the updates are strictly for important security patches, and NOT all sorts of other crap that randomly changes or breaks things.
And then there's the whole "we're going to shove Windows 10 up your ass whether you want it or not" fiasco.
Microsoft has fucked so many people, so many times, that users have become averse to automatic updates.
Exactly correct. MS lost many people's trust with updating around the Win10 forced-upgrade fiasco. I've deleted wusa.exe from my win7 box and I've done the same for any number of family and friends on various win7/8.1 boxes. I just make sure backups are in place and re-image if infected.
If these devices get pwned and cause damage blame MS for destroying trust in their update platform.
Because Windows Update reboots your computer without your permission or control over the process. We're essentially back to Windows 95 in terms of operating system stability because Microsoft cannot figure out how to update an operating system without resetting the computer in the process.
If Windows 10 (1) avoided reboots unless absolutely 100% necessary, and (2) prompted you to reboot (perhaps nagging you until you do) rather than running a timer you often don't even see before it expires and does it, then, well, people would be a little happier about the tool.
Updating is good. Microsoft's implementation is shit. If you want people to install security updates, don't implement it in a way that's indistinguishable from a kernel level bug that crashes your computer every few days.
You are not alone. This is not normal. None of this is normal.
We personally have TWO laptops that got repeatedly broken by non-disableable driver updates (already told Windows to never update drivers, hid the offending update, etc.) and it still managed to get through, multiple times, and do the blue-screen tango repeatedly until I gave up trying to fix it, went into safe mode and disabled the Windows Update service. I had to keep it that way for a couple of months until I was able to load a "newer" driver from the video chip manufacturer that fixed it and/or MS stopped pushing the broken one. Then I was able to turn updates back on again.
All was fine, I THOUGHT, until several months later when the Anniversary update got pushed to these systems. I bugged both my laptop manufacturer and Microsoft, repeatedly. Microsoft swore up and down that it would "only try to load the update once" and then stop trying if it failed. They also said the Anniversary update wasn't "certified" for this laptop model so I should just not install it, which would be fine except that _they forcefully push it out, including to this laptop model_! When I told them it had already attempted to update, failed and hung, at least twice they said it tries twice and then won't try again. Still incorrect. I tried basically everything including downloading the update to a USB and installing it manually, updating the drivers, downgrading the drivers, removing what I think was the suspect driver causing the hang during the update install, hiding the update with the show/hide update tool, etc. Hiding disabled it for a while, but the dang thing is relentless; after a while it still comes back. The only 100% reliable way to make sure it will never try again, and hang the system (usually leaving it in a hung state with the fan blaring and screen showing 32% or something, all night long) is to completely disable the Windows Update service, or buy a new computer, or downgrade to an earlier version of Windows, or say to hell with it and load Linux. The latter isn't an option because the laptops are used by family members who require Windows for specific applications.
1) There is one particular update that addressed and fixed the WU CPU issue (I don't remember the KB number right now, but it is easy to find)
2) Just slipstream a Windows WIM file. Take the ISO, download the cumulative updates, inject them into the WIM, and then install Windows from there. It'll be a smaller install overall (less SxS crud), and current as of whichever updates you slipstream into it. Additionally, you can add drivers this way too, such as NVMe, USB3, and 10GbE if you use stuff like that.
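The slipstream procedure in point 2, written out with the inbox DISM PowerShell module, as an added example that is not the commenter's own script or a Microsoft-supplied one. It mounts one index of an install.wim copied out of the ISO, applies the servicing stack update and cumulative update in order, injects out-of-box drivers, trims the component store so the image is smaller, and commits; on any failure it discards the mount so a half-serviced WIM is never saved. All paths, the image index and the file naming convention are assumptions; run it elevated on a machine with the DISM module (Windows 8 or later, or the ADK).

```powershell
# Added example (not from the original thread): build an install.wim that already
# contains the cumulative update and your drivers, so a fresh install is current
# on first boot. Paths, index and file names are placeholders. Run as Administrator.

$wim     = 'C:\build\sources\install.wim'   # copied out of the ISO; must not be read-only
$mount   = 'C:\build\mount'
$updates = 'C:\build\updates'               # servicing stack update + cumulative update (.msu/.cab)
$drivers = 'C:\build\drivers'               # extracted .inf driver packages (NVMe, USB3, NIC)

New-Item -ItemType Directory -Path $mount -Force | Out-Null

# One WIM usually carries several editions; list them and pick the one to service.
Get-WindowsImage -ImagePath $wim | Format-Table ImageIndex, ImageName -AutoSize
$index = 1

Mount-WindowsImage -ImagePath $wim -Index $index -Path $mount | Out-Null
try {
    # The servicing stack update must be applied before the cumulative update.
    # This build names the SSU file so it sorts first and relies on that order.
    Get-ChildItem -Path $updates -Include *.msu, *.cab -Recurse | Sort-Object Name | ForEach-Object {
        Write-Host "Adding package $($_.Name)"
        Add-WindowsPackage -Path $mount -PackagePath $_.FullName | Out-Null
    }

    # Inject drivers; unsigned packages are rejected unless -ForceUnsigned is given.
    Add-WindowsDriver -Path $mount -Driver $drivers -Recurse | Out-Null

    # Shrink the component store. ResetBase makes the applied updates permanent
    # (they can no longer be uninstalled from the deployed OS), which is the trade
    # for a smaller SxS; leave it out if rollback of individual KBs matters.
    Repair-WindowsImage -Path $mount -StartComponentCleanup -ResetBase | Out-Null

    # Record what is now in the image for the build log.
    Get-WindowsPackage -Path $mount | Where-Object PackageState -eq 'Installed' |
        Select-Object PackageName, InstallTime | Format-Table -AutoSize

    Dismount-WindowsImage -Path $mount -Save | Out-Null
    Write-Host "Committed index $index of $wim"
} catch {
    # Never leave a half-serviced image behind; discard and re-raise.
    Dismount-WindowsImage -Path $mount -Discard | Out-Null
    throw
}
```

Copy the serviced install.wim back over sources\install.wim in your install media (or regenerate the ISO with oscdimg from the ADK) and the first boot already carries the patch level you chose, so the machine does not spend its first hour on the network pulling updates it could have shipped with.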
People get WannaCry by clicking on the wrong email not by SMB exploits. I get that repurposed NSA exploit angle makes for interesting and irresistible news stories but substantively it's way overhyped and using it to support blanket assertions is a nonstarter in my view.
There is compelling quantifiable evidence to support the position vaccines help more than they hurt. The case for updates is closer to the question of whether throwing billions into the intelligence industrial complex makes real people quantifiably safer from being terrorized given opportunity cost of not investing these funds to address significantly more statistically substantial problems such as pulling down US murder rate.
What we know for sure is social engineering accounts for 90% of general p0wnage worldwide. Even if all unintentional software bugs were patched with 100% coverage overnight absolutely nothing would change.
In 2017, given Microsoft's proven track record of both incompetence and sleaze when it comes to updates, it's an open question as far as I'm concerned whether updates are still worth applying at all. The majority of end users are behind stealth mode firewalls and the only whackable thing they have sticking out is a web browser. If you keep firefox or chromium or whatever up to date and lock down some associated configuration, are you really appreciably safer vs the probability of the computer failing to boot or the introduction of some new Microsoft "telemetry" malware or Microsoft false choice prompt dismissal scam? I honestly don't know the answer. I do know it very much depends on context, not only in terms of the user's needs and environment but the value judgments of the end user.
If Microsoft would stop constantly peddling malware, firing QA staff, fix updates to not use insane amounts of resources while taking forever and requiring a reboot to sneeze... If only updates were properly labeled and people trusted Microsoft not to screw with them... my guess is fewer will find value in disabling updates.
I personally believe coordinated automated updates of billions of systems globally in a matter of days is an extraordinarily perilous activity in and of itself no matter how careful you are. Sooner or later this is bound to end in a major disaster. While updates do fix problems quicker they also significantly lower the cost and tolerance for releasing defective software. It sends a signal to the market releasing defective software is a cost free activity.
Revisionist history. Before we even knew the extent of Windows spying we had the Windows update advisor (GWX) show up in the system tray on everyone's Windows 7 machine in, it seems, June 2015 ( https://tech.slashdot.org/stor... ) and a year later, forced it on everyone ( https://tech.slashdot.org/stor... ). That is the day that Microsoft lost my confidence that they had worked since Windows 95 to build.
You can go read that Slashdot article to see the day when everyone lost trust in Microsoft, and people started recommending that people deactivate Windows updates. Very few people mention telemetry. What they do mention is that MS pushed a "security update" that was anything but.
I turned Windows updates off that day, but being an industry person, I found a workaround that allowed me to keep them on. There was a program quickly developed called GWX blocker or something like that which allowed the GWX framework to be stopped.
So yes, it's bad to not run Windows updates, but it's also 100% Microsoft's own god damn fault.