Windows update nightmare scenario

[Tinto Tech]

Can I play devil's advocate?

Hands up all those sysadmins here who always patch their Windows servers every 2nd Tuesday of the month? How about those who patch their RHEL6, CentOS, or other *nix boxes fequently?.....any takers?

On the presumption that there aren't too may takers (and from what I've seen that's a fair proportion of corporate systems), can I ask a rhetorical question: Why?

Having asked it, can a presume to suggest an answer: because introducing new patches needs to be tested and may introduce an unknown security or reliability issue.

So, what's different in the "home PC" market? Financial losses are lower if it goes pair shaped; average user experience is lower, complexity is lower, but most other things in terms of patching are similar.

So....why are residential users encouraged with an almost religious zeal to patch while sysadmins get a nod. Perhaps because the sysadmins are paid to take the risk, perhaps because given the lower average user experience with residential systems the balance of risk is to install rather than not.

My point is, there is no black and white. Everything is a shade of grey. Not patching as per JPF's approach is a valid work practice in certain circumstances. However, as noted in my earlier post, there are some patches that warrant installation even if nothing is broken on the local machine (As is the case with the OP's reference to the forged MS Certs).

My approach for the experienced user is to help them understand how to make a judgement on whether to install or not. True enough there are some circumstances where I might say "yes, always install Windows Updates", but those users are the least experienced and the balance of risk falls squarely on the install side. Just the same, there are commercial clients that I work with where each patch is investigated on it's own merits analysing the risk of not installing against risk of impact if they do install and it breaks something. Some clients have a formal sign-off by senior staff in the IT group before any patch is installed.

In my book there are risks and the potential for trouble with both blind adherence to patching and a never-patch ideology. I consider a judged position to be the best option. At least then if something goes wrong, the user may have an idea why and how to fix it.

So, while I don't agree with JPF's approach to patching in most circumstances, I at least acknowledge it is as a result of a rational thought process and backed up by knowledge and understanding of how to manage a system.

None are so hopelessly enslaved as those who falsely believe in NIS (or McAfee or Trend Micro, or,or,or)...or System Patching.

[mart44]

I think that your comments about Norton products are unfair.

Fred. I think sometimes it's best to just let people have their opinions. Too much hassle to keep defending Norton. You know NIS works well and I know it works well but you'll never change anyone's mind who has a poor opinion of it. I mostly just get on and use it and don't say much. Some people seem to be talking about a different version of Norton to the one I have been using without a problem.

I think professional repairers could have to deal with more Norton problems simply because there are Norton users around. This perhaps being because Norton often comes installed on new computers bought from the main stores. Many people buy from such places, hence a lot of computers with Norton installed on them. If some other AV program or security suite that currently has a good reputation came bundled with new computers, I think we might see that brand much maligned too. Saying that Norton is bad would be a bit like me saying that Thorn televisions and video recorders were rubbish because I repaired a lot of them. The truth was that there were simply more of that make around than any other. Stands to reason that I had more hassle with them.

Back to Norton. Some of the worst part is that people might have kept it had it not been for listening to some poor opinions about it. Also the lure of free software and its general promotion makes people want to change. It doesn't matter if Norton is working, the word 'free' is a powerful one, regardless of any detection rate figures and other features.

What with taking notice of the Norton naysayers and the lure of free software, an attempt is made to uninstall Norton and install other software. This can be the beginning of a slippery slope into trouble that can cause people to seek professional help. The repairer sees the mess but maybe not the steps that lead up to it.

The Norton Removal Tool does OK at the job but it's true that bits and pieces of the program are still left behind. These need removing manually, including Registry entries. This is a bit involved but I think a good security/AV program should not be easy to remove. If a user can do it easily, then malware could stand a chance too.

[BruceR]

PS: I never patch a working OS...with any of MS's offerings so long as everything is working and stable.. so like i said I'm never concerned anymore with "Patch Tuesday"....Ever!

Apart from never getting any security updates, do you also never get any bug fixes for any Microsoft software?

Bruce

[Just Plain Fred]

Apart from never getting any security updates, do you also never get any bug fixes for any Microsoft software?

Bruce

Bruce,
Hello... No... I never "Patch" a stable and working OS... Question : If your OS is working with all programs running and stable .... What is there to be gained ? Can you make a OS better than "Everything is Working"?... If you do , your only looking to shoot yourself in the foot.....Regards Fred

PS: The only thing i would consider and have done ....Is if there is a program that i want that requires something like some ".NET update" thing or something similar.

[Drew1903]

There's a 'preventative medicine' aspect to things. Patches, oft, are insurance policies stopping negative events & known issues that might happen, would (be allowed) to happen were the patches not there (beforehand).

Regards,
Drew

[Drew1903]

Another good point, Bruce.

[Just Plain Fred]

Drew,
Hello... Like i said If your OS is "Stable and Working" (and for more than a few minutes...talking years here)... that is nothing more than MS Blah, Blah....Regards Fred

[Tinto Tech]

Question : If your OS is working with all programs running and stable .... What is there to be gained ? Can you make a OS better than "Everything is working"?

A long time ago, in a galaxy far far away.......

One day you phone the local secure courier company to collect some sensitive papers and deposit them at a bonded warehouse. Unknown to you, a bad guy intercepts this call and turns up on your doorstep with a fake ID. Unlocking your triple padlocked door, you inspect his ID and concluding it is ok, you give him the sensitive papers asking him to take jolly good care of them. You lock your door again, safe in the knowledge that nobody can break in or do damage to your castle.

It now doesn't matter how strong or how high your walls are. No amount of guard dogs, drawbridges or moats will safeguard your private letters. The bad guy has your private mail and no amount of Jedi mind tricks will get them back.

If however, you had allowed the crime prevention officer to post a leaflet through your door with a mug-shot of the criminal known to be impersonating the courier, you might have recognised him when he came to your door and turned him away. Unfortunately, the guard dog chewed it up when the good guy came knocking.

[Just Plain Fred]

Hi "Techmiester"

The question wasn't referring to anything "Security" (BruceR #19) but the OS Patches... Standing by my statement . Regards Fred

[Tinto Tech]

Hi "Techmiester"

The question wasn't referring to anything "Security" (BruceR #19) but the OS Patches... Standing by my statement . Regards Fred

Hmm, "Techmiester"...I rather like that!

I'm genuinely interested here Fred, do you apply any security fixes; such as the Diginotar revocation list, or the MS fraudulent cert removal? If so, is that process manual, through a MS Fix-It or via Windows Updates?

[BruceR]

Bruce,
Hello... No... I never "Patch" a stable and working OS... Question : If your OS is working with all programs running and stable .... What is there to be gained ? Can you make a OS better than "Everything is Working"?

Yes, I certainly think you can. Because new vulnerabilities become known and old bugs get fixed.

... If you do , your only looking to shoot yourself in the foot.....Regards Fred

I always install all updates immediately and have yet to shoot myself in the foot (at least, not with Microsoft/Windows updates; occasionally with poorly tested third party program updates, but the fix is usually easy on those very rare occasions by reinstalling the previous version.)

The question wasn't referring to anything "Security" (BruceR #19) but the OS Patches... Standing by my statement . Regards Fred

But most OS patches are security related. Norton and Malwarebytes can't protect you from everything that the OS inadvertently leaves open to abuse until properly patched.


Bruce

[Drew1903]

Drew,
Hello... Like i said If your OS is "Stable and Working" (and for more than a few minutes...talking years here)... that is nothing more than MS Blah, Blah....Regards Fred

I cannot comment due to the fact that my machines & those of my clients are, in large part, kept "Stable & Working" by virtue of Windows Updates set to Automatic.

[Just Plain Fred]

I'm genuinely interested here Fred, do you apply any security fixes; such as the Diginotar revocation list, or the MS fraudulent cert removal?

"Techmiester"

Hello...I'll try to explain...For my "Web Surfing" and going to various sites... (I apply no MS security patches) ...

1. I use FireFox , With the "WOT" add-on

2. NIS has a "Safe Search" function...see screen shots

3. NIS has a "Safe Surfing" function ...I Quote " Detects and Alerts on fraudulent web sites and provides site safety information in Internet search results"

4. If the web site does not have a rating (NIS \WOT) i will then use Acronis True Image Home "Try & Decide" ..Sets up a sort of "Virtual Machine" or "sand box" so when your finished you simply "Discard" all that has transpired doing your search.

5. NIS also scans all downloads, and alerts you in a "Pop Up" as to the downloads "safety"

6.Malwarebytes PRO will also Alert if there is some problem...In a "Pop Up"

Hope this answers your questions... One other thing ... I'm not the only "user" of this PC ...My "Significant" also does a fair amount of "Surfing" and has as much interest in PC safety as i have in "Shoe Shopping" Regards Fred

[Just Plain Fred]

I cannot comment due to the fact that my machines & those of my clients are, in large part, kept "Stable & Working" by virtue of Windows Updates set to Automatic.

Drew, BruceR
Hello.. I never said that "Patching and Updating" doesn't provide PC safety...If you read my post #11 i state that at the end of the experiment that there were no "Security Issues". in either the fully patched OS, or my paradigm ..no patches or updates..Only some divergence and some slight "buggyness" in the patched OS. Proving that my un-patched OS 's are not any different than the fully patched. The question that you all should be asking is not whether this is a crazy and I'm insane ( I'm not, my mom had me tested) But why is this so???? Maybe you should carryout some experiments of your own, and post back with your results in 4 or 5 years ...Then we might be able to have an actual discussion about your results, instead of discounting mine. Regards Fred

[Tinto Tech]

Thanks Fred,

I've used Acronis Try & Decied before. Yes, it sets up a sandboxed partition on the machine through which all activity is routed. I found it quite good and may still use it if it were not for a "senior moment" a couple of year ago involving Try & Decide and a partition manager.

I like the idea of combining WOT and NIS identity protection with the fallback to Acronis. I'm not sure exactly what technology NIS Identity protection uses, but I would imagine it is looking at scripts etc. My concerns melt away, if it augments that with it's own cache of trusted CA's to replace the specific MS updates revoking compromised certs.



I've said it before and see no harm in reiterating: your approach although not mainstream is valid and effective. Others may disagree, but as observed earlier there is no black and white in applying updates. I have to say that I would have some discomfort recommending your methodology to less experienced users, and in general I prefer to fix newly discovered problems at source rather than ring fence them, but I'm not going to shout you down because you do things differently.

Stay safe, it's a bad world out there....