  1. #1 iNET Interactive (Seattle, WA, USA; joined Jan 2010; 376 posts)

    PERIMETER SCAN

    Bug-counting is a false measure of security

    By Ryan Russell

    Measuring the vulnerability of operating systems and applications to attacks from hackers is vital to safe computing on the Internet.

    The most-common measure of computing security is counting vulnerabilities. But using this metric is horribly inaccurate and needs to stop.

    The full text of this column is posted at WindowsSecrets.com/2010/09/09/07 (paid content).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.
    Last edited by revia; 2011-01-19 at 15:40.

  2. #2 bobprimak, Lounge VIP (Hinsdale, IL, USA; joined Feb 2009; 2,482 posts)
    Ryan, about Silent Updating:

    I would never want Windows to do Silent Updating, and this includes .NET Framework and Internet Explorer. Too many Blue Screens have resulted from Microsoft's often half-baked rush-job patches for me to trust this Company with any kind of Automatic Updates. I have them set to Notify but do not Download until I ask for them, which has sometimes meant never.

    Google seems to do a good job with Chrome patching, and it never has crashed, except for hanging endlessly in non-Administrator Accounts when the update was a full-version upgrade. (These need Administrator rights, and Chrome is installed on a per-user basis, hence the problem.) Flash Player and Shockwave plug-ins also have never caused me any major headaches with their automatic, silent patching. (Although removing previous versions is not automatic.) Thunderbird is pretty good about its updates as well. Adobe Reader is less good. Most browser Extensions seem to update just fine in Silent Mode.

    Firefox is a different matter. Nearly one of every two updates has wrecked my Windows XP Pro SP3 User Account Profile. And the most reasonable way to recover is to have a FEBE Extension Profile Backup for the Profile just before the update, then to delete the corrupted Profile and reconstruct it from the FEBE Backup data. This of course would be impossible if the update were silent and did not have a Notify Before Updating option.

    And then there's the problem that some updates require a system reboot to complete their installations. This clearly should not happen silently without warning. And Flash Player and Java Runtimes need to have the old versions removed before the updates can be installed. Obviously, this is not going to happen with silent updating.

    So, the quality of automatic updates varies by program and by vendor. And free software is often an even greater problem than commercial software in this regard.

    My conclusion is that, in general, I do not favor Silent Patching. It simply can cause too many instability and rebooting issues to be worth the small gains in speed of receiving patches and forcing everyone to update in a timely fashion. And in more than a few cases, the patches break features or cause entire programs to stop working. When this happens in a security program, it is a disaster. When it happens in a mission-critical Application program, it is anywhere from mightily inconvenient to a showstopper for any further productive work.

    If software patches never caused unintended side effects, I would be mostly in favor of silent patching. But we live in the Real World, where software writers are not perfect and patches often go awry. And some vendors or resellers have plenty of motives to do more than just patch their own programs -- they can and do try to wreck anything they find on a computer which was written by their competitors. In this Real World I cannot justify handing over the keys to my computer to vendors, to do as they please on my computer, with no liability for the damages they might cause.

    This is why I will never buy a computer from Best Buy -- they have a Software Installer and Remote Assistance which they can use to force unwanted changes on the computers they sell. And end-users have no opt-out and no recourse if we want to take back control of our use of our computers which we have paid for. It's almost a throwback to the bad old days of the Internet, when ISPs like AOL and NetZero had Portals instead of Browsers, which allowed access to only part of the Internet, dictated more by advertising relationships than by freedom and neutrality. Not the way I want the world to work.

    How about you?
    -- Bob Primak --

  3. #3 New Lounger (Fallston, MD; joined Dec 2009; 3 posts)
    Regarding silent updates, I think it depends on the user really. Take my mom or in-laws for instance. They don't understand a whole lot about the machines they use, and if there wasn't some automatic process in place to update their machines, they never would. Nothing on their machines is mission critical, and anything that gets lost wouldn't be devastating outside of photos. So, to have those types of machines updated silently, I think is a good thing. Sure, issues will come up, but I've rarely had any issues with updates on any of my machines. I'd rather fix those rare instances where, if needed, trusted support can be available than deal with malware or the like.

    Mission critical machines in an enterprise of course will want to wait for testing of the patch before being deployed.

  4. #4 3 Star Lounger (Hartford, WI, USA; joined Dec 2009; 370 posts)
    @Bob Primak

    Loved your comment, thanks:
        "This is why I will never buy a computer from Best Buy -- they have a Software Installer and Remote Assistance which they can use to force unwanted changes on the computers they sell. And end-users have no opt-out and no recourse if we want to take back control of our use of our computers which we have paid for."
    Bob, generally I agree 100%.

    I happen to de-gunk, update and "protect" a lot of new machines for home users that consider themselves to be computer illiterate. For that clientele automatic updating is a must, sorry.

    In my "real life" experience working with/for my customers (at least 400 per year) I have had maybe two or three mishaps with updates since Windows XP SP2! I believe that many of the (true) horror stories are memories from before XP SP2. I could add some myself over a .

    And re. Best Buy Downloader/Installer/Remote Assistance (Backdoor?) software: That is one of the things that I remove as part of what I call de-gunking. And I get paid for it, ain't that nice?

    Just very recently I had to send numerous customers of mine to Best Buy; they all needed a new basic machine that we found at Best Buy out of the store for $379.99. The lowest price on the Internet was $399.- plus S&H. Trust me, I have a healthy disdain for Best Buy but that difference matters to many of my customers.
    Eike J Heinze, SE Wisconsin

  5. #5 New Lounger (Emeryville, California, USA; joined Jan 2010; 6 posts)
    I'm against silent updates as a default or only option. There are control and reliability issues, as have been mentioned. Not only are some updates problematic, in larger companies there is often a whole approval procedure that is supposed to be followed before updates are applied. In our BigFix product, we often have to produce content to let administrators disable a variety of autoupdate and patch notifications to end users, because that's under central control.

    The other problem, on the individual machine level, is that if your browser is silently updating, how do you know when you need to restart to apply the changes? I don't know about you, but I leave browsers running for weeks at a time, with the machine sleeping or locked. It's only when the OS itself needs rebooting that I end up picking up those changes. The fix is relatively easy: just add a nag like MU/WU has.

    If you want to have silent updates as an option for Mom or something, I don't see a problem with having it as something that can be enabled.

    I think the sentiment they're going for is to make patching happen as fast as possible, and reduce the opportunities to put it off. I'm not sure silent patching is quite there...
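An added example, not from any post in this thread, for the restart question raised in the post above: once an updater has silently swapped the binary on disk, how does a tool (or the "nag" the poster asks for) tell that the instance you left running for weeks is still the old one? It assumes Linux, where /proc/<pid>/exe exposes the image a process actually executes, and uses a throwaway copy of the `sleep` binary as a stand-in for a browser; the function and file names are this example's own.

```python
"""Detect a running process whose executable was replaced on disk by an update.

Linux only: /proc/<pid>/exe is a magic symlink to the file actually mapped into
the process. An updater that writes the new binary beside the old one and
renames it over the old path leaves the old inode alive only through the
running process, so the two identities stop matching. (Windows locks running
images, so Windows updaters stage the new binary next to the old one and swap
at next launch; this inode comparison does not carry over as written.)
"""
import os
import shutil
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class FileIdentity:
    """Device and inode pin down *which* file; size is a cheap sanity check."""
    device: int
    inode: int
    size: int


def identity_of(path: str) -> FileIdentity:
    # os.stat follows symlinks, including /proc's link to an unlinked inode.
    st = os.stat(path)
    return FileIdentity(st.st_dev, st.st_ino, st.st_size)


def running_identity(pid: int) -> FileIdentity:
    """Identity of the executable image the process was started from."""
    return identity_of(f"/proc/{pid}/exe")


def is_stale(running: FileIdentity, on_disk: FileIdentity) -> bool:
    """True when the file at the path is no longer the one the process runs."""
    return running != on_disk


def needs_restart(pid: int, exe_path: str) -> bool:
    return is_stale(running_identity(pid), identity_of(exe_path))


def simulate_update(exe_path: str, new_binary: str) -> None:
    """Mimic an updater: stage the new file beside the old one, then rename over it."""
    staged = exe_path + ".new"
    shutil.copy2(new_binary, staged)
    os.replace(staged, exe_path)  # atomic rename on the same filesystem


def demo() -> Optional[Tuple[bool, bool]]:
    """Run the check against a throwaway copy of `sleep` before and after an
    update. Returns (stale_before, stale_after), or None where the demo cannot
    run (not Linux, no `sleep` binary, or a temp directory mounted noexec)."""
    sleep_bin = shutil.which("sleep")
    if sys.platform != "linux" or sleep_bin is None:
        return None
    workdir = tempfile.mkdtemp(prefix="silent-update-")
    try:
        # Keep the name "sleep" so a busybox-style multi-call binary still works.
        exe = os.path.join(workdir, "sleep")
        shutil.copy2(sleep_bin, exe)
        try:
            proc = subprocess.Popen([exe, "30"])
        except OSError:
            return None  # e.g. temp directory mounted noexec
        try:
            before = needs_restart(proc.pid, exe)  # same inode: False
            simulate_update(exe, sleep_bin)        # new inode now at the path
            after = needs_restart(proc.pid, exe)   # process still maps the old one: True
            return before, after
        finally:
            proc.kill()
            proc.wait()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print("stale before/after update:", demo())
```

The comparison deliberately keys on device and inode rather than version strings: a version string comes from parsing the file, and the file on disk is precisely what can no longer be trusted to describe the running image. A per-machine nag only has to loop this check over the long-running processes the user cares about (browsers, mail client, plug-in hosts) and prompt once it returns True.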
