Slashdot Mirror
'Don't Tell People To Turn Off Windows Update, Just Don't' (troyhunt.com)
Security researchers Troy Hunt, writing on his blog: Often, the updates these products deliver patch some pretty nasty security flaws. If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as "MS17-010" pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched. It's because of this essential protection provided by automatic updates that those advocating for disabling the process are being labelled the IT equivalents of anti-vaxxers and whilst I don't fully agree with real world analogies like this, you can certainly see where they're coming from. As with vaccinations, patches protect the host from nasty things that the vast majority of people simply don't understand. This is how consumer software these days should be: self-updating with zero input required from the user. As soon as they're required to do something, it'll be neglected which is why Windows Update is so critical.
Unless you have a production environment with a software product that breaks with Windows update turned on. In which case you have to take additional security and maintenance measures and have a team that is tasked with (and funded properly) to do testing and updates on a regular basis.
If they hadn't done shit such as the forced Win10 update, or forced GWA, or done a lot of other crap that broke peoples systems (in the name of marketing), then maybe people wouldn't have said, "Turn it off".
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
Windows Update also wanted to install telemetry on my Windows 7 system until I removed the patch. Then for 12 months Windows Update wanted to 'upgrade' me to Windows 10, the software employed all sorts of tricks to make me say yes and in the end I just disabled updates as it was less hassle.
My Windows 7 system was not affected by the events over the weekend as all it does is run some test equipment. It still has Windows Update disabled and it's going to stay that way.
The reason folks turn off Windows Update is that it behaves kind of like malware itself! I'm technologically savvy enough to set my registry and so on to disable the awful "Get Windows Ten" updates, but when so many users got shafted by Windows "self-updating with zero input required from the user" to a completely new operating system (a new operating system that actively thwarts end-user control over updates!), is it any wonder that so many of them switched it off?
The comparison to anti-vaxxers is interesting, and apt in more ways than Troy may have known. Much like Microsoft hijacked their Windows Update program to push Windows 10, the CIA used a Pakistani polio vaccination campaign to gather intelligence about Osama bin Laden (see here: https://en.wikipedia.org/wiki/...). This has resulted in the killing of other relief workers and general suspicion of medical aid programs in that region, and so polio persists.
I would do that if (1) MS didn't cram W10 down my throat; (2) every major update doesn't reset browser preferences; (3) stop updating and breaking hardware drivers; and (4) I could disable telemetry. My Macbook and Ubuntu machines are auto-update enabled. Not my Windows gaming box. No thanks.
The problem is that around 30% of MS Updates actually hurt the user, either by introducing "features" that (like Apple) inadvertently or deliberately adding things that are of no benefit to anyone but MS and in many case hurt he users. Windows 10 Basically is capable of hijiacking itself (as per it's design) so it's hard to know what is good and what is not especially MS gives VERY vague descriptions of it's updates as per the new windows 10+ policy to tell users, it's our update, just take it (up the rear end). The sooner we start admiting that we don't in fact NEED MS Windows at this point, the better. Linux anyone?
"Imagination is more important than knowledge" - Einstein
Those fuckers at MSFT ruined security updates by force-feeding the user spyware, or even forcing an "upgrade" to Windows 10.
Now nobody trusts Microsoft, and would rather take their chances without the "essential updates".
the continual additions of resource-heavy snooping spyware and telemetry services for in-app advertising delivery hammer many institutions that would otherwise happily install security patches, if they were JUST security patches.
But many of the Important patches we have recieved from MSFT are just that. Ads, telemetry to try to sell us stuff that blows out the bandwidth in mission critical software and pops up things that get in the way of doing actual work.
There's your problem. That and the "patching" of things in a way that breaks apps that believe the public documentation instead of the actual way MSFT codes and tests its apps.
-- Tigger warning: This post may contain tiggers! --
nobody cares what you do on your PC
Then why did they implement telemetry in Windows?
There is, it's the "critical updates only" checkbox.
The problem isn't the lack of said checkbox, it's the fact that Microsoft doesn't respect that checkbox and considers all sorts of marketing fluff and malware to be "critical"
If Microsoft would just go back to the days when security patches were done separately from other sorts of updates, that would be a huge help. I know a lot of people who disable updates to avoid feature changes, but would accept automatic security updates.
Microsoft's position of not making a distinction between the two is a large disincentive to allowing automatic updates for a lot of people.
at troyhunt.com
Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals
It's obviously in his interest to make everyone Microsoft's puppets.
Anons need not reply. Questions end with a question mark.
Microsoft only have themselves to blame for people disabling Windows Updates because they made it untrustworthy:
The blame for people not updating/patching computers lies squarely on Microsoft.
Automatic updates, with no user action required, is a really great thing, but ONLY when the updates are strictly for important security patches, and NOT all sorts of other crap that randomly changes or breaks things.
And then there's the whole "we're going to shove Windows 10 up your ass whether you want it or not" fiasco.
Microsoft has fucked so many people, so many times, that users have become averse to automatic updates.
Except if vaccines failed as much as a Microsoft patch did there would be no doctors... because people would be shooting them in the street.
Yeah, yeah... I can already hear the autistic fast typing from some keyboard warrior looking to 'correct' me on this one. But sorry... Microsoft no longer has any credibility to tell people what to do with their machines. The entire roll out of Windows 10 has been nothing but train wreck after train wreck. And you know what? Even if we get the occasional virus it's still better than having to deal with the rest of the continuing train wreck that is Microsoft. People are just going to have go back to the old day when people had to actually learn how to protect themselves. Instead of waiting on the industry to sell you a next generation of device that 'might' be eventually patched.
The number of problems caused by installing Windows updates for our IT department: THOUSANDS
The number of problems caused by holes left in the Windows OS that an update or patch supposedly has fixed: 20
Easy decision.
I don't think I've ever worked at a company that had "automatic updates" turned on. The reason being, company ecosystems tend to be predominantly all the same hardware, same Windows version and same patch level, and a bug in an update that affects that particular collection of hardware and software can take an astounding number of seats offline. (In much the same way a biological virus can take out an entire species if they're not sufficiently genetically diverse.) So yeah, no. Companies that want to stay in business don't do that. Of course, they *do* have a team that tests updates in a lab and sends out validated updates to the rest of the company, often a subset of what Microsoft spews out.
I do something similar at home. We have three Winders boxes, and none of them have auto update turned on. Every week or so, I look at what updates are available, and apply at minimum the security updates to the least used of those three boxes. If it survives a reboot and some reasonable amount of smoke testing, I install on the game machine, and if that works out ok, after a day or two I'll install it on my own workstation. I have to take care because my machine is (a) my only conduit to my "day job", and (b) my main workstation for my side-business. I can't afford to be down because Microsoft botched a patch any more than any large company can.
So yeah, security updates are important. Vital, even. But that doesn't mean you just install every update the moment it becomes available. An important part of "security" is "availability". And that's just as important as "confidentiality" and "integrity".
Another contributor had it right -- there should be a way to auto install security updates only. So if Microsoft botched a driver update and it renders unbootable a certain brand of PC running a certain brand of video card, it's less likely to take large numbers of users offline.
I know there are essential and optional updates (or whatever words they use) but most updates are considered by Microsoft to be essential.
And this doesn't even address compatibility of updates with installed applications. You know, the software you use to actually do work.
All that said, it does seem like Microsoft is doing a better job vetting their patches before release than they did the earlier part of this century. But being burned a few times breeds caution.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Yep. I had a laptop that came with Windows 8 on it.
I booted it once into Windows to change UEFI settings and then put Lubuntu on it.
Well, a friend had a Windows question for me when I was away at a conference. No problem! I booted my laptop into Win8, looked up how to do the thing, and told her. I went to bed.
I woke up to find that my system had:
1) autoupdated to Windows 10
2) fucked the bootloader so I couldn't boot into Linux any more.
This is on top of the fact that Windows updates take about a year to complete and reenable a bunch of crap that I keep disabling ("Windows Media x").
The blame for people not updating/patching computers lies squarely on Microsoft.
Automatic updates, with no user action required, is a really great thing, but ONLY when the updates are strictly for important security patches, and NOT all sorts of other crap that randomly changes or breaks things.
And then there's the whole "we're going to shove Windows 10 up your ass whether you want it or not" fiasco.
Microsoft has fucked so many people, so many times, that users have become averse to automatic updates.
Exactly correct. MS lost many people's trust with updating around the Win10 forced-upgrade fiasco. I've deleted wusa.exe from my win7 box and I've done the same for any number of family and friends on various win7/8.1 boxes. I just make sure backups are in place and re-image if infected.
If these devices get pwned and cause damage blame MS for destroying trust in their update platform.
Don't use the channel for security updates to force advertising on your customers, just don't.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
also, doctors don't break into your house in the middle of the night to give you a vaccine (and snoop around your house while they're there).
Support Right To Repair Legislation.
Option A) Turn automatic updates ON and risk Microsoft making your machine unusable due to a faulty update
Option B) Turn automatic updates OFF and risk Microsoft making your machine unusable due to the absence of a security update
So how often should people re-evaluate when a company like Microsoft breaks their trust by forcing upgrades and other such nonsense? 6 months are sufficient according to you apparently.
News flash: When a company breaks it's users trust, the time it takes can be measured in years and is often never. Yeah it'd be great for security if people were applying upgrades ASAP but MS's new policy of only making rollup updates forcing the inclusion of all previous updates can only backfire making people even less apt to apply them. Hey, they've already broken our trust once, they're likely to do it again.
The problem is in large part MS's own creation.
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
Because Windows Update reboots your computer without your permission or control over the process. We're essentially back to Windows 95 in terms of operating system stability because Microsoft cannot figure out how to update an operating system without resetting the computer in the process.
If Windows 10 (1) avoided reboots unless absolutely 100% necessary, and (2) prompted you to reboot (perhaps nagging you until you do) rather than running a timer you often don't even see before it expires do it, then, well, people would be a little happier about the tool.
Updating is good. Microsoft's implementation is shit. If you want people to install security updates, don't do implement it in a way that's indistinguishable from a kernel level bug that crashes your computer every few days.
You are not alone. This is not normal. None of this is normal.
Yah blame the user for the virus exploits and not the vendor that created the software with huge holes and the vendor who is blocking updates when running new gen CPU's on older OS versions just to try and push people to W10.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
Exactly. If Microsoft behaved decently and simply provided security patches that fix vulnerabilities ONLY, there would be no issue. However Microsoft does shit like changing user settings (making IE/Edge your default browser), breaking hardware drivers, installing spyware etc.
In my particular case I run a pirated Windows 7 gaming machine, with the "Genuine Microsoft" Windows activation disabled via a pirate-written patch. Both were downloaded via a Piratebay torrent. It turns out every time I update this machine, the Windows activation gets re-installed and I get this "Your computer is not running Genuine Microsoft, certain features have been disabled, you have 30 days to register Windows blah blah" message. And I have to dig out the pirate patch again and re-do the activation all over again.
So I stopped updating, and changed the Windows Update setting to "Never". This was back in 2014. My Windows has not been updated since then.
So did I get hit by shitload of viruses and malware and Wannacry? Nope. Not been infected with anything, not one single issue that I'm aware of. I'm typing this on the same pirated Win7 machine, connected to the internet full-time 24/7, and it's running like a champ.
This is possible because 1) I don't click on email links or open attachments. In fact I don't even bother reading any emails unless I know exactly who is sending it. Rest get mass-moved into Junk folder. And 2) I run Ublock Origin adblocker, so I don't even get to see most of the malicious web adverts. And if I do see a web advert, I'm smart enough to not click on them. And yes, I never click on or buy any shit advertised on interwebs sites and I'm not missing anything as far as I know. Anything I need, I just go straight to Amazon or ebay and buy it that way, not through any ads. And 3) my firewall blocks random people trying to port scan or connect to my machine.
We personally have TWO laptops that got repeatedly broken by non-disableable driver updates (already told Windows to never update drivers, hid the offending update, etc) and it still managed to get through, multiple times, and do the blue-screen tango repeatedly until I gave up trying to fix, it went into safe mode and disabled the Windows Update service. I had to keep it that way for a couple months until I was able to load a "newer" driver from the video chip manufacturer that fixed it and/or MS stopped pushing the broken one. Then I was able to turn updates back on again.
All was fine, I THOUGHT, until several months later when the Anniversary updated got pushed to these systems. I bugged both my laptop manufacturer and Microsoft, repeatedly. Microsoft swore up and down that it would "only try to load the update once" and then stop trying if it failed. They also said the Anniversry update wasn't "certified" for this laptop model so I should just not install it, which would be fine except that _they forecully push it out, including to this laptop mode_! When I told them it had already attempted to update, failed and hung, at least twice they said it tries twice and then won't try again. Still incorrect. I tried basically everything including downloading the update to a USB and installing it manually, updating the drivers, downgrading the drivers, removing what I think was the suspect driver causing the hang during the update install, hiding the update with show/hide update tool, etc. Hiding disabled it for a while, but the dang thing is relentless, after a while it still comes back. The only 100% reliable way to make sure it will never try again, and hang the system (usually leaving it in a hung state with the fan blaring and screen showing 32% or something, all night long) is to completely disable the Windows Update service, or buy a new computer, or downgrade to an earlier version of Windows, or say to hell with and load Linux. The latter isn't an option because the laptops are used by family members who require Windows for specific applications.
If you value security, don't run the mission-critical parts of your infrastructure on a general purpose operating system like Windows, but rather run it on a minimalist, locked-down OS that has _only_ the facilities needed to do its job. The update carousel is a nightmare. If you want to ensure your Windows box doesn't sporadically reboot during a long unattended operation in order to update, what do you do? If you want to lock Windows down so it can only do the job to hand, and nothing else, you're screwed. If you run mission-critical stuff on a full-featured general purpose OS (and the same can be said for off-the-shelf Linux distros like Ubuntu and Fedora), you are kinda asking for it.
That this idea is older than me, but is ignored, is laughable.
John_Chalisque
I turn off Windows update on the boxes that I still have. I recommend everyone I know disable Windows update on all boxes that they have.
If you leave Windows update on, and just take the security updates by default, you will get owned by Microsoft. Constant telemetry will stream from your box.
I also recommend people look up how to stop this on Windows 7 and 8, where it is possible to stop it. It is not possible in 10, though some people have had some success at limiting it.
The article's advice is horseshit. WU should be disabled for personal computers if privacy is any manner of concern. Microsoft has revectored their security update mechanism to: try to upgrade you to Windows 10. Install sleeper services that only months after installation began transmitting telemetry. Remove useful names from KBs to prevent successful system administration. Transmit information about what programs you use, when you use them, how often you use them. Transmit information regarding crashes. Broadly expose envelope information about your non-Microsoft related activities to Microsoft and anyone they choose to share that information with.
Disable WU on 7 and 8. Tear out the bad patches. Only EVER manually apply patches that you actually require for security and functioinality.
Comparing being a sensible system administrator who doesn't want to transfer control over their personal activities to Microsoft to antivaxxers is disgusting. Anyone making this comparison is irresponsible.
https://superuser.com/question...
The list of KBs that you must manually remove (and prevent reinstallation of) to keep Windows without telemetry is provided on that su post. The list is:
KB3065988 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: July 2015 more info .NET Framework 1.1 when you upgrade Windows 8.1 or Windows 7 more info
KB3083325 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: September 2015 more info
KB3083324 Windows Update Client for Windows 7 and Windows Server 2008 R2: September 2015 more info
KB2976978 Compatibility update for Windows 8.1 and Windows 8 more info
KB3075853 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: August 2015 more info
KB3065987 Windows Update Client for Windows 7 and Windows Server 2008 R2: July 2015 more info
KB3050265 Windows Update Client for Windows 7: June 2015 more info
KB3050267 Windows Update Client for Windows 8.1: June 2015 more info
KB3075851 Windows Update Client for Windows 7 and Windows Server 2008 R2: August 2015 more info
KB2902907 MS Security Essentials/Windows Defender related update [no description/information available]
KB3068708 Update for customer experience and diagnostic telemetry more info
KB3022345 Update for customer experience and diagnostic telemetry more info
KB2952664 Compatibility update for upgrading Windows 7 more info
KB2990214 Update that enables you to upgrade from Windows 7 to a later version of Windows more info
KB3035583 Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1 more info
KB971033 Description of the update for Windows Activation Technologies more info
KB3021917 Update to Windows 7 SP1 for performance improvements more info
KB3044374 Update that enables you to upgrade from Windows 8.1 to a later version of Windows more info
KB3046480 Update helps to determine whether to migrate the
KB3075249 Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7 more info
KB3080149 Update for customer experience and diagnostic telemetry more info
KB3083324 Windows Update Client for Windows 7 and Windows Server 2008 R2: September 2015 more info
KB3083325 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: September 2015 more info
KB3083710 Windows Update Client for Windows 7 and Windows Server 2008 R2: Octobe
This is hard to argue with. I personally prepared for this by preventing the Win 10 upgrade (even using third party software to stop the constant, malware like badgering complete with deliberately misleading prompts) until I was good and ready to deal with it, then I did a full clean install and manually migrated stuff over because I knew there was no way my complex, roughly used installation could possibly upgrade well automatically. One simply cannot, however, expect a planet full of Windows users to take this conservative approach; even if they were inclined to, which they aren't; most of them simply aren't competent to deal with this stuff and would do more damage than what the upgrade inflicted.
So they all got put through the upgrade ringer creating bad outcomes for millions and leading to widespread "anti-vaxxer" behavior. Since then the "anti-vaxxers" have had their behavior affirmed by disruptive updates doing unwelcome stuff. The glacial slowness of the Windows 10 update process alone is a huge failure in my mind; this has badly regressed from earlier releases; I have a laptop I boot maybe once a month and I've come to expect the Windows 10 updates to take a hour or more. Ridiculous.
After putting the whole world through all this shit one simply can't point a finger at millions of beleaguered users and blame them for their negligence. I'm sure they'd be happy to have they're system automatically updated, as long as it wasn't the computing equivalent of getting a SOA style beat down every few months.
Maw! Fire up the karma burner!
You can trick windows from messing with it and bios that only look for a windows efi boot file. This will boot to grub and allow you to select windows if you want, and windows update doesn't mess with it. /s
open cmd.exe as Administrator and lunch the command vmount s:
go to s: and navigate the directories until you find where the grubx64.efi is located. Mine was under s:\EFI\debian\.
go to s:\EFI\Microsoft\boot and create a backup of the bootmgfw.efi file and then overwrite it with the grubx64.efi.
reboot. Now you should be able to reach the grub menu and boot to Linux but you'll be unable to boot to Windows. Boot to Linux then.
On linux you /boot/efi/EFI/Microsoft/Boot and restore the previously backed up bootmgfw.efi.
open a shell and go to
run grub-install (it may require root privilege - sudo)
run update-grub2 (it may require root privilege - sudo)
People get WannaCry by clicking on the wrong email not by SMB exploits. I get that repurposed NSA exploit angle makes for interesting and irresistible news stories but substantively it's way overhyped and using it to support blanket assertions is a nonstarter in my view.
There is compelling quantifiable evidence to support the position vaccines help more than they hurt. The case for updates is closer to the question of whether throwing billions into the intelligence industrial complex makes real people quantifiably safer from being terrorized given opportunity cost of not investing these funds to address significantly more statistically substantial problems such as pulling down US murder rate.
What we know for sure is social engineering accounts for 90% of general p0wnage worldwide. Even if all unintentional software bugs were patched with 100% coverage overnight absolutely nothing would change.
In 2017 given Microsoft's proven track record of both incompetence and sleaze when it comes to updates it's an open question as far as I'm concerned whether updates are still worth applying at all. Majority of end users are behind stealth mode firewalls and the only whackable thing they have sticking out is a web browser. If you keep firefox or chromium or whatever up to date and lock down some associated configuration are you really appreciably safer vs probability of computer failing to boot or introduction of some new Microsoft "telemetry" malware or Microsoft false choice prompt dismissal scam? I honestly don't know the answer. I do know it very much depends on context not only in terms of the users needs and environment but the value judgments of the end user.
If Microsoft would stop constantly peddling malware, firing QA staff, fix updates to not use insane amounts of resources while taking forever and requiring a reboot to sneeze... If only updates were properly labeled and people trusted Microsoft not to screw with them... my guess less will find value in disabling updates.
I personally believe coordinated automated updates of billions of systems globally in a matter of days is an extraordinarily perilous activity in and of itself no matter how careful you are. Sooner or later this is bound to end in a major disaster. While updates do fix problems quicker they also significantly lower the cost and tolerance for releasing defective software. It sends a signal to the market releasing defective software is a cost free activity.
I *have* to disable the update service on my laptop. Win 10 insists on installing newer Intel graphics drivers, except they don't work with the Optimus setup on my laptop. With the newer Intel drivers, any 3D game I start crashes when it tries to use the Nvidia card. So I have to let Windows 10 update my laptop, disable the update service, then reinstall the Intel GPU drivers provided by my laptop vendor (and also the Nvidia drivers if Windows 10 has auto-updated those).
When Win 10 first came out, it gave you the option to disable updates to a specific device driver. But for some inexplicable reason, Microsoft removed this option in the Oct 2016 update. Because of Microsoft's brain-dead update policies, I literally cannot use my gaming laptop to play games if I have Windows Update enabled.
The problem with the sound advice is that Microsoft is actively undermining the update process by treating customers so badly. They don't test their updates well, they make them forced in later versions, they tie the updates to earlier updates, and worst of all their malware inspired forcing of Windows 10 on people has justifiably trained customers to distrust Microsoft.
It's time consuming to check out each and every update to make sure it's safe. But I have to do that because I cannot trust microsoft not to play games with my systems.
Applications too, I don't update iTunes because every time I do it screws up, changing the UI in drastic ways, and takes me a very long time to get it working properly again. But that's ok, I do not use the store in iTunes, it does not execute any strange attachments, and as a malware vector it's pretty low compared to the OS itself. If it played nice then I'd update it more regularly.