'Don't Tell People To Turn Off Windows Update, Just Don't' (troyhunt.com)
Security researcher Troy Hunt, writing on his blog: Often, the updates these products deliver patch some pretty nasty security flaws. If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as "MS17-010" pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched. It's because of this essential protection provided by automatic updates that those advocating for disabling the process are being labelled the IT equivalents of anti-vaxxers and whilst I don't fully agree with real world analogies like this, you can certainly see where they're coming from. As with vaccinations, patches protect the host from nasty things that the vast majority of people simply don't understand. This is how consumer software these days should be: self-updating with zero input required from the user. As soon as they're required to do something, it'll be neglected which is why Windows Update is so critical.
Unless you have a production environment with a software product that breaks with Windows update turned on. In which case you have to take additional security and maintenance measures and have a team that is tasked with (and funded properly) to do testing and updates on a regular basis.
If they hadn't done shit such as the forced Win10 update, or forced GWX, or done a lot of other crap that broke people's systems (in the name of marketing), then maybe people wouldn't have said, "Turn it off".
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
Windows Update also wanted to install telemetry on my Windows 7 system until I removed the patch. Then for 12 months Windows Update wanted to 'upgrade' me to Windows 10, the software employed all sorts of tricks to make me say yes and in the end I just disabled updates as it was less hassle.
My Windows 7 system was not affected by the events over the weekend as all it does is run some test equipment. It still has Windows Update disabled and it's going to stay that way.
The reason folks turn off Windows Update is that it behaves kind of like malware itself! I'm technologically savvy enough to set my registry and so on to disable the awful "Get Windows Ten" updates, but when so many users got shafted by Windows "self-updating with zero input required from the user" to a completely new operating system (a new operating system that actively thwarts end-user control over updates!), is it any wonder that so many of them switched it off?
The comparison to anti-vaxxers is interesting, and apt in more ways than Troy may have known. Much like Microsoft hijacked their Windows Update program to push Windows 10, the CIA used a Pakistani polio vaccination campaign to gather intelligence about Osama bin Laden (see here: https://en.wikipedia.org/wiki/...). This has resulted in the killing of other relief workers and general suspicion of medical aid programs in that region, and so polio persists.
I would do that if (1) MS didn't cram W10 down my throat; (2) every major update doesn't reset browser preferences; (3) stop updating and breaking hardware drivers; and (4) I could disable telemetry. My Macbook and Ubuntu machines are auto-update enabled. Not my Windows gaming box. No thanks.
Those fuckers at MSFT ruined security updates by force-feeding the user spyware, or even forcing an "upgrade" to Windows 10.
Now nobody trusts Microsoft, and would rather take their chances without the "essential updates".
nobody cares what you do on your PC
Then why did they implement telemetry in Windows?
There is, it's the "critical updates only" checkbox.
The problem isn't the lack of said checkbox, it's the fact that Microsoft doesn't respect that checkbox and considers all sorts of marketing fluff and malware to be "critical".
If Microsoft would just go back to the days when security patches were done separately from other sorts of updates, that would be a huge help. I know a lot of people who disable updates to avoid feature changes, but would accept automatic security updates.
Microsoft's position of not making a distinction between the two is a large disincentive to allowing automatic updates for a lot of people.
at troyhunt.com
Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals
It's obviously in his interest to make everyone Microsoft's puppets.
Anons need not reply. Questions end with a question mark.
Microsoft only have themselves to blame for people disabling Windows Updates because they made it untrustworthy:
The blame for people not updating/patching computers lies squarely on Microsoft.
Automatic updates, with no user action required, is a really great thing, but ONLY when the updates are strictly for important security patches, and NOT all sorts of other crap that randomly changes or breaks things.
And then there's the whole "we're going to shove Windows 10 up your ass whether you want it or not" fiasco.
Microsoft has fucked so many people, so many times, that users have become averse to automatic updates.
The number of problems caused by installing Windows updates for our IT department: THOUSANDS
The number of problems caused by holes left in the Windows OS that an update or patch supposedly has fixed: 20
Easy decision.
Yep. I had a laptop that came with Windows 8 on it.
I booted it once into Windows to change UEFI settings and then put Lubuntu on it.
Well, a friend had a Windows question for me when I was away at a conference. No problem! I booted my laptop into Win8, looked up how to do the thing, and told her. I went to bed.
I woke up to find that my system had:
1) autoupdated to Windows 10
2) fucked the bootloader so I couldn't boot into Linux any more.
This is on top of the fact that Windows updates take about a year to complete and reenable a bunch of crap that I keep disabling ("Windows Media x").
Don't use the channel for security updates to force advertising on your customers, just don't.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
also, doctors don't break into your house in the middle of the night to give you a vaccine (and snoop around your house while they're there).
Support Right To Repair Legislation.
So how often should people re-evaluate when a company like Microsoft breaks their trust by forcing upgrades and other such nonsense? 6 months are sufficient according to you apparently.
News flash: When a company breaks its users' trust, the time it takes to recover can be measured in years and is often never. Yeah, it'd be great for security if people were applying upgrades ASAP, but MS's new policy of only making rollup updates, forcing the inclusion of all previous updates, can only backfire, making people even less apt to apply them. Hey, they've already broken our trust once, they're likely to do it again.
The problem is in large part MS's own creation.
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
People get WannaCry by clicking on the wrong email not by SMB exploits. I get that repurposed NSA exploit angle makes for interesting and irresistible news stories but substantively it's way overhyped and using it to support blanket assertions is a nonstarter in my view.
There is compelling quantifiable evidence to support the position vaccines help more than they hurt. The case for updates is closer to the question of whether throwing billions into the intelligence industrial complex makes real people quantifiably safer from being terrorized given opportunity cost of not investing these funds to address significantly more statistically substantial problems such as pulling down US murder rate.
What we know for sure is social engineering accounts for 90% of general p0wnage worldwide. Even if all unintentional software bugs were patched with 100% coverage overnight absolutely nothing would change.
In 2017, given Microsoft's proven track record of both incompetence and sleaze when it comes to updates, it's an open question as far as I'm concerned whether updates are still worth applying at all. The majority of end users are behind stealth mode firewalls and the only whackable thing they have sticking out is a web browser. If you keep firefox or chromium or whatever up to date and lock down some associated configuration, are you really appreciably safer vs the probability of the computer failing to boot or the introduction of some new Microsoft "telemetry" malware or Microsoft false choice prompt dismissal scam? I honestly don't know the answer. I do know it very much depends on context, not only in terms of the user's needs and environment but the value judgments of the end user.
If Microsoft would stop constantly peddling malware, firing QA staff, and fix updates to not use insane amounts of resources while taking forever and requiring a reboot to sneeze... If only updates were properly labeled and people trusted Microsoft not to screw with them... my guess is fewer will find value in disabling updates.
I personally believe coordinated automated updates of billions of systems globally in a matter of days is an extraordinarily perilous activity in and of itself no matter how careful you are. Sooner or later this is bound to end in a major disaster. While updates do fix problems quicker they also significantly lower the cost and tolerance for releasing defective software. It sends a signal to the market releasing defective software is a cost free activity.