Troy Hunt hits some nails on their heads:
If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as “MS17-010” pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched. It’s because of this essential protection provided by automatic updates that those advocating for disabling the process are being labelled the IT equivalents of anti-vaxxers and whilst I don’t fully agree with real world analogies like this, you can certainly see where they’re coming from. As with vaccinations, patches protect the host from nasty things that the vast majority of people simply don’t understand.
Great article, which also goes into Windows Update itself for a bit.
Not having automatic updates, not on anything, seeing as I own my systems – I’ll be the one to decide when and what gets updated. Under linux, BSD.. that’s pretty much everything except systemd, and I update it more or less every day. No problems.
With automatic updates under windows, a simple reboot or shutdown is all-too-often an “install stuff” time, really annoying on laptops when you try to grab them and go. The updates themselves regularly go beyond security patches, rolling up all sorts of undesirable software, notably.. WGA.. Windows 10 ads.. Windows 10 itself.. and messing with unrelated settings and services.
I don’t let windows update run whenever it likes, and as Microsoft’s patches can’t be trusted without carefully filtering the KB’s, I’m not about to let it pick those on its own either. Updates, yes, mostly. Automatic, no. They have and I presume will continue to abuse it.
Yeah. If MS could make automatic updating suck a lot less, more people might be inclined to leave it on. And who knows… they might even start testing their shit one day before releasing it.
Were dragons there? In that fantasy story of yours? /s
If you can commit to a regular update schedule for yourself, then good, turn it off.
What you DON’T do is “helpfully” turn them off for your friends, who will never update, and result in what I’ve seen too often on Windows 7: 72 pending updates and open to absolutely any attack made in the last three years.
1) Don’t put an operating system on hardware it doesn’t support. As this will force you to disable updates and run into hell. Like if your CPU was built in 2011 and before you should not be running Windows 10, and then Windows 7/8.1 should not be put on current generation hardware because Microsoft will not provide updates in that case.
Linux suffers from this unsupported hardware problem as well. But Windows users stupidly believe this fault does not apply to them, so they bring more trouble as they apply updates or fail to apply updates.
2) Be aware that if you are running on a metered connection and Windows knows this, you have to update manually. So yes, auto updates can be on and you can still have no patches being applied.
3) Setting active hours can also cause this disaster if you always shut down your computer inside the active hours, so it never installs updates when it should. So even when setting that you should be checking on update application.
Basically another lot of swiss cheese instructions. Leaving out a key step that you should check when the last update was and that patches are applying every so often because things do break at times.
Troy Hunt’s write-up is as defective as the instructions to disable updates in the first place. The correct process needs to be got to end users.
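The check the comment above asks for (when the last update landed, and whether patches are still applying) can be scripted. This is an added example, not part of the thread or of Troy Hunt's article; the `$MaxAgeDays` threshold is an assumption.

```powershell
# Added example: verify that updates are actually landing on this machine.
# $MaxAgeDays is an assumed threshold; set it to match your patch cadence.
param([int]$MaxAgeDays = 35)

$findings = @()

# 1. Newest dated entry from Get-HotFix. Some entries carry no InstalledOn
#    value and not every update type is listed, so treat the result as a floor.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 1

if ($latest) {
    $ageDays = [int][math]::Floor(((Get-Date) - $latest.InstalledOn).TotalDays)
    if ($ageDays -gt $MaxAgeDays) {
        $findings += "Last update $($latest.HotFixID) was installed $ageDays days ago"
    }
} else {
    $findings += 'No dated update entries found; check update history manually'
}

# 2. A disabled Windows Update service means nothing is being fetched at all.
$wu = Get-Service -Name wuauserv
if ($wu.StartType -eq 'Disabled') {
    $findings += 'Windows Update service (wuauserv) is disabled'
}

# 3. Updates that are staged but never finished because the machine is always
#    shut down or in use (the active-hours case) leave this registry key behind.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if (Test-Path -Path $rebootKey) {
    $findings += 'Updates are installed but waiting for a reboot'
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: updates are recent, the service is enabled, no reboot is pending'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from a scheduled task or a login script so a machine that has silently stopped patching shows up within one patch cycle.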
Patch tuesday isn’t each week. And software is evolutionary/incremental.
Though I am sure some neowin-er will tell me that I am wrong. And that updating twice a month is a monumental chore.
And this. Calling people idiots just because one has a shorter and narrower line of sight only makes one a bigger idiot.
While this doesn’t count, I have to add that my personal experience backs up my claim – for me at least – that even Win10’s updates are not good enough. It was actually a failed update cycle – resulting in a completely unusable and non-booting system – that made me switch from a Win10 work environment to a Linux work environment using Win10 only in VMs. Never going back.
Is the second everyone started turning it off. the ONLY one to blame if any PCs get infected after having to kill updates to stop MSFT shoving spyware onto their PCs is MICROSOFT as the SECOND it went from being about security patches and turned into a revenue stream? It became toxic.
Now I advise people to use Autopatcher or WSUS Offline and turn WU off, it simply can no longer be trusted not to be a source of malware.
people have been turning them off since the 90’s
Other than the attacker of course…
First off, it’s of course Microsoft’s fault. They introduced the bug, nobody else.
Second off it’s the fault of people not updating and using that software.
After that it’s the fault of anyone not reporting the bug.
And later on you can blame anyone you’d like, but don’t act like MS is not to blame.
You wouldn’t say someone making a typo isn’t to blame for a typo, or someone building a house that collapses or that the piece of bone isn’t the fault of the cook or the doctor who forgets the tools isn’t to blame for it.
Of course there is other supporting stuff, but you could just as well blame the programmer’s wife or something, cause she was on his mind while the bug was introduced.
For the more subjective part. Yeah, I also think that in today’s world if you disable updates, cause they are annoying and you don’t manually you really shouldn’t expect any kind of sympathy.
Unless someone forced you to you are the one making decisions on your system.
Yes, bugs are to be expected. You really should. However, acting like that makes it business of the user is just ridiculous. Bad analogy again: Fires, earthquakes, storms are to be expected. Does that mean architects and builders are fine to design and construct inflammable buildings? That would be horrible.
Are they to be compared by the outcome? I really hope nobody died because of that, and if so whoever made an unpatched Windows system able to result in the death of people is of course also not free of guilt.
I really think it’s time to stop pointing at others always blaming them. The outcome of this is a society where people don’t give a fuck, cause they can point at others. Politicians, bankers, foreigners, Arabs, Jews, black people, white people, men, women, software developers, the employer, employees, some political party, North Korea, Russia, Assad, the system, …
And when people act like that I don’t think they should be saying anything in the lines of “it’s my personal choice”. Because either you are capable of making decisions or not.. and not just when you find it convenient. That’s just not how things work. I’d like that too. It’s still wrong.
Go to America. They still believe the best thing to build a house out of is paper and wood.
The part of America I live in requires housing to withstand 100+ MPH sustained winds. Not sure what part of America you think you’re referring to, but I think your housing code knowledge is a few decades out of date.
Also, in an area where earthquakes and tornadoes are common, it might actually make sense to build wooden homes instead of brick – a wooden home is a lot cheaper to rebuild.
A house properly built in regions with high risk of earthquakes and tornadoes can be constructed to resist most but a few really powerful events. In the long run it does make sense to use better construction techniques, like the previous post suggested, if not based on costs alone (and I suspect it does as poorly made houses require a lot of maintenance in the long run) at least for the lives it could save.
Oops wrong reply
Edited 2017-05-17 14:48 UTC
My comment got vanished as usual on Slashnot.
After many years working retail I learned NOT to allow Windows Updates after a service. There’s a warranty period and more often than not Windows update would find a way to destroy the fresh install of Windows.
I would update as much as I could then hope that last patch wouldn’t corrupt things and make me re-install. Not going to force an anxious customer to deal with the aftermath of bad update interaction.
Just nope. Nope. Nope.
Edited 2017-05-16 08:34 UTC
idiot
then Microsoft’s attempts to force windows 10 down your throat can be compared to this cia operation which used fake vaccinations.
Microsoft demonstrating that their patches do not have security as their primary concern gave some very good reasons to be suspicious of their update policy; blaming people for that is silly.
Edited 2017-05-16 08:58 UTC
MS deserves a lot of blame for the problems in Windows – oh come on – MS deserves it all – it’s their baby.
It’s a weird thing to be both a fan of Windows, and complain about the Windows 10 update thing, and complain about people who don’t update their OS – which again, is Microsoft’s fault. They make the experience excruciating – there’s no reason it should take that long or require so much user input. (and why does it take so long to re-install a printer driver when you simply plug the printer into a different USB port – what a pile of crapware)
I switched to OSX years ago and while it has some quirks, in general I don’t spend much time pondering the operating system, or this and that. It mostly just works, and I get to be more productive. I’m not sure why people stay on Windows at this point (I mean, I do know why – initial sticker price – some people know the price of everything and the value of nothing, or maybe “buy for price buy twice” applies).
The good news is people are moving more and more to Android and Chrome OS, which are much safer for them than Windows, which no one seems to be able to keep running.
Edited 2017-05-16 21:24 UTC
apparently you have not installed or updated a windows 10 machine. It is easier than dealing with OS X.
While I agree for the most part, especially for home users, dealing with corporate IT is a little different. Yes, you should review patches weekly at minimum and yes, you should be controlling your update process (WSUS or equivalent for your os). However, one can’t just blindly install every patch that comes up either, especially if in-house software is involved which cannot reasonably be updated or replaced. Testing is needed.
Having said all that, testing should be weekly at a minimum and, if you do your job right, you won’t be caught two months out of date.
Also, you should have reasonable security other than your os. Tightly hardened edge firewalls and email security are also an absolute must!
I suspect what most home users really object to is the interruption in their workflow and, let’s be honest here, Microsoft in particular could (and should) handle this a lot more gracefully. The machine should not restart while the user is working and should not restart if there is a document open which has not been saved or other similar project. Bug the user, sure. Don’t wipe out their workflow on the spot though (Windows 10 Home in particular).
Edit: Added some clarification.
Edited 2017-05-16 12:09 UTC
I don’t agree with some of this. I run IT for our small office and Microsoft updates are a scary thing. And until just a few months ago, using IE was required for access to critical information systems off site. So I have had to keep 4 systems running Windows 7, with IE, safe and secure. Applying updates to Windows has been a pain for years. Don’t apply them during a work day when the computer might be needed. Don’t apply them if you don’t have a backup from 10 minutes ago. Don’t apply them in big batches. Be ready for anything to break. Be prepared to reinstall Windows because sometimes even Restore won’t fix a bad update. And then people wonder why I run Linux on our server and of course all MY own computers run Linux. Yes, you need updates, but Microsoft could make the process so, so, so much better.
<wall o’ text warning>
i concur.
as i have been left to administrate the computers at work, even though im simply a counter person selling parts, i find windows update to be at least very annoying.
the reasons:
1. usually it strikes at some point during the workday.
2. we have very limited bandwidth, and the internet is REQUIRED to do our job.
if 1 computer decides “hey lets update” , we cannot do our jobs. we have only 4 computers on site, but WU will hog all the bandwidth, which causes our POS to disconnect from its cloud based server. thus its a DOS attack IMHO.
therefore i have elected to control WU via group policy (win 10 pro/enterprise only) and update manually after hours. additionally i download larger updates (>10MB) at home and carry them in on a flash drive, as WU sometimes can take days to download them (all the while we cannot access our POS server). yes our bandwidth is that low.
the ability to pick and choose which updates to download is NOT available, thus i use a combination of wumt_x64 to enable this functionality, download the larger ones at home as above, and WSUS offline for a backup to catch the rest.
since corporate wont upgrade our internet these measures are the ones i adopted.
my personal computers run linux or freebsd, and are also updated continuously. my kids have a win10 machine, and its set to autoupdate as that’s not an issue at home where i have ample bandwidth.
Windows update uses less bandwidth than loading web sites. It tries to be as low-impact as it can be.
So if it is giving your POS trouble then your network is doomed in any case. Simply hitting the internet for a large Disqus JSON load would hurt you. Or what if your POS system is downloading an update?
You seriously need a router with QoS settings. Give your POS cloud highest priority. Now you can use the rest of the network for anything.
I do not have access to said router to do as such. I have worked within the limits i am allowed by corporate policy and/or law.
The real solution is better internet bandwidth, which seemingly is out of our reach for the time being, due to corporate not wishing to upgrade it. And yes, it is highly frustrating as I’d rather just let windows update itself, but alas that is not possible due to corporate decisions.
Please note: IF WU could be scheduled, i would happily schedule it for after hours (aka weekends) and let it do its thing. I attempted to do so via the task scheduler, but windows kept reverting it back to the defaults, against my wishes.
Enough bandwidth can hide the problems, I guess. It isn’t the best solution.
I used to do very well on 144Kbps and later 1.5Mbps with a Linux router doing QoS.
The biggest issue today is buffer bloat. Instead of dropping packets the systems buffer up multiple seconds of data. TCP/IP can’t handle that. It expects an overloaded link to drop packets and that is how it knows to back off.
But if you can’t change the router then there aren’t many options so you’re stuck.
Still, good QoS can make almost any link usable. I used to download hundreds of megabytes while simultaneously playing MMO and FPS games with a ping under 100 ms and sharing the link with my parents doing web and email, all at 144 Kbps. It’s all about packet priorities and latency.
BLeh, everyone thinks they’re smarter than the average bear. They’re not. Update regularly. If you have special needs, then test on on critical systems then update on critical systems. It’s not rocket science, and you aren’t Goddard.
http://www.osnews.com/story/28874/Nerves_rattled_by_highly_suspicio…
You can see why some ‘terrified’ people might choose to disable this.
At one end of the spectrum are the people who have no idea what a computer is other than a gateway to porn and free movies and mp3’s– they tend to get hacked pretty often.
However, in my experience, the more someone is convinced they know better than Microsoft about how Windows should be run and updated, the worse their computers tend to run.
I had a friend who would always go into the Services page, and disable any service he didn’t recognize.
His computers always ran like garbage.
People who complain that Windows updates are always breaking, and have UAC disabled, are probably hacked already and don’t realize the bad behavior of their windows system is likely due to third party cruft on their machines, rather than “Micro$oft suxxors!”.
Given the amount of information out there, it’s pretty easy to disable “bad” updates before they hit your system, and take the rest by default.
Microsoft needs to fix its update process, otherwise I will always turn it off and help others to do the same should they wish to. It’s just nonsensical to have the machine decide it wants to download or install a load of updates whilst you’re gaming or watching a movie or whatever. Sure, it’s supposed to avoid that automatically, but in practice doesn’t.
It should at least give the user a day or two to skip the updates and only then it should be allowed to update the computer behind the user’s back.
Wish this was a black and white issue, but it’s not, my windows box has it turned on, as I can see many reasons why you’d not have auto updates.
Nor do I have an answer as my brain hurts thinking on it.
Up until the point Microsoft started trying to shove NSA Spydows 10 down my throat. Haven’t turned it on since. As for WannaCry? Good luck trying to infect me. It used ETERNALBLUE which was a hole in SMB protocol. Guess what protocol I’ve never had use for and as such it was never enabled (or ports used by it) on my computer?
Microsoft has decades of operating systems prone to malware. Updates don’t really prevent anything. Does anyone know a Windows user who wasn’t affected at some point by a virus?
Yes, me. I’ve never had a virus. Going strong since Windows 95.
Of course, I have automatic updates on, always use an adblocker, and I don’t use the snakeoil known as antivirus software.
Particular antivirus is one of the worst things ever because it fools people into thinking that it provides adequate protection against threats on the Internet.
Does it count if the only virus I ever had was on a 386 with 2MiB of RAM running MS-DOS and my age was measured in single digits at the time?
Edited 2017-05-16 20:43 UTC
Never got any viruses on any machine of mine, but fight them on many computers I support. Not from USB, CD, or any other media/mountable device. Windows is not my main OS now but I have been using it since windows 3.1 (actually, I started using MS OSes from DOS 3.x). As almost always, bad behavior/practices of users is, usually, the most important factor to spread an infection.
Granted, in a business environment it is a lot harder to protect the connected computers because we end up enabling a lot of services to make our life easier and there is always some idiot that, against all the advice we give, goes somewhere they should not and clicks on things they are alerted not to. Windows XP was a nightmare but it is possible to lock Windows 7 to almost death. Unluckily, many guys fight to have administrator privileges because some software they need only works properly under a high risk account, though this need has decreased over the years. The exceptions provide the path for lateral spread by using system exploits and do make things easier for crooks.
Microsoft has a large share of blame over them because of the ridiculously complex and full of holes security model they created.
Edited 2017-05-16 21:31 UTC
Then don’t run Windows. It’s a part of the ecosystem, anyone who doesn’t update their system is part of the problem, they allow these things to occur. This hole was patched in March, there is just no excuse.
Edited 2017-05-16 22:59 UTC
Update now! After 20 years of vulnerable systems…
Microsoft fixes severe 19-year-old Windows bug found in everything since Windows 95 http://www.pcworld.com/article/2846004/microsoft-fixes-severe-19-ye…
20-year-old Windows bug lets printers install malware—patch now https://arstechnica.com/security/2016/07/20-year-old-windows-bug-let…
And beware of this on your updated systems Researcher Finds Way to Steal Windows Login Credentials via Chrome and SCF Files http://news.softpedia.com/news/researcher-finds-way-to-steal-window…
Operating systems should be like cars. They need to be “crash” tested and banned from using the data highways if unsafe.
There are hundreds of millions of Windows PCs. Most of them update on their own without a problem. Almost everyone is using automated updates. Once a month, the computer asks to reboot. That’s it. Nothing more.
No input needed, no problem to solve. If you can’t find 5 minutes to reboot in your week to do the update, well… life sucks big time. But most people don’t have that problem.
It’s curious how all the “smart” people in this thread are the ones having problems updating, and complaining at the same time about security. If you can run Linux without a problem, I’m sure you can handle the “yes, now is a good time to reboot” button you need to press to update Windows.
Or the minuscule chance of having a problem updating is not worth it? I think people are just making excuses to bash Windows, because I suppose that’s cool?
Good thing almost all PCs are running automatic updates and are not run by OSAlert readers.
Edited 2017-05-17 13:54 UTC
And it’s curious how someone willing to contradict those of us with actual experience simply spew insults and anecdotes about with zero proof whatever. Funny how the pot and kettle get along, eh?
Are you really doubting that the vast majority of Windows PC are updating without a problem? If that wasn’t the case, the world would be paralysed every month.
And what percentage of people are doing “arcane” things to remove automated updates from their computers? Almost no one outside of the small minority that knows how to do it. Are you really doubting that most people have no idea how to do it? And won’t do it? And don’t care about rebooting once a month? And don’t lose their shit because Windows has gained one or two new features in the update? Outside of the echochamber of techsites, the world is a very different place.
The fact is: the chance of having problems updating is very low. It’s much better than the chance of running a vulnerable system.
I get it that people don’t like giving away control to Microsoft. I love Linux for that. That’s fair. But Microsoft is for the mass, and it’s working pretty well most of the time. Things could be better, like anything in life, but there is almost no reason to not let the OS do its job.
“- Oh no! MS reset my privacy settings because I was one of the unlucky few with a bug! It took me 2 minutes to remove all the “spying” (lol) again! I’m so mad I disabled updates for all my family’s computers and let them become zombibotnetforDDOSattack ¯\_(ツ)_/¯”
By the way, your “actual experience” is the very definition of an anecdote.
Edited 2017-05-17 14:52 UTC
I run a Linux home server, and a Linux laptop for work, but I also have four Windows systems (One of those is dual-boot on the Linux laptop).
All of them running Windows 10. All of them update with only minor issues.
Last year my Surface 4 Pro had an issue updating. Each time it would try to go to the Anniversary Update, it would fail and roll back. But guess what? It eventually succeeded and it never broke itself.
I’ve even got one of the desktops on Windows Insider updates. I’ve only had to reset the OS one time on that one.
My experience with the Windows updates has been pretty much positive. They will have to screw it up a lot to exceed the annoyance back in the day of upgrading from Debian woody to sarge, which took me four hours to fix and which I will remember forever. And when I rebuilt that server I went with Redhat/Fedora. Debian, bah.
As soon as a line starts with My experience stop.
Why because some people running Windows 10 some have had the wrong combination of hardware and had worst fault woody to sarge. Windows 10 wrong hardware and update system resulted not booting even into safe mode. woody to sarge update. I had 4 debian running machines at the woody to sarge event 3 made it ok 1 had trouble. So it was luck of the draw if the woody/sarge issue affected you exactly like Windows 10 update issues.
Please note having to go back to 2005 when sarge release was is before debian introduces
https://piuparts.debian.org/
That has lowered the distribution upgrade faults down massively. This is something Ubuntu has not implemented and I would question how complete Microsoft automated patch testing is.
woody to sarge was awful!
some of us have special use cases, see http://www.osnews.com/permalink?644409 for mine.
and please note, i keep the four work computers continuously updated, via the methods detailed in a previous post.
I used to allow Windows Update to do its thing automatically, but then the forced Windows 10 upgrade showed up. Now it’s off.
Even if you go to Win 10, i keep reading that some of their updates break stuff. Since my only interest in Windows is games, i’ve noticed some warnings on Steam that games aren’t yet compatible with the “Creators Update” recently.
So damned if you do, damned if you don’t.
Because it may reboot computer while working. Because it may break something. Because it may not only patch system, but for example upgrade Windows 8 into Windows 10, and people start to cry. Because it may install not only patches, but also spying elements. Because it may reset configuration of some OS elements. So there are too many reasons to not turn it on by default.
If you are actively using your computer there is 0% chance that you will get a forced reboot because it asks you if you want to reboot now or defer for a few hours.
If you need to ensure that you are not rebooted during business hours then you can schedule your reboots to occur off hours, once a week.
Leaving them on by default is perfectly fine.
I’ve seen people click those popup windows without ever reading them. It’s some kind of unconscious action. See a popup, click it as fast as you can! Like it scores points somehow.
Then I ask “What did it say?” and they don’t know.