Security Software

Auto-Updates - Proactive or Begging for Abuse?

Posted by Cliff
from the a-sword-with-many-edges dept.
narzy asks: "To me one of the most important steps to keeping a computer secure is keeping the system's software up to date. The problem I run into is that more and more of the applications in everyday use are web enabled in some context or another, making them high targets for attack and exploitation. I am beginning to find it difficult to keep clients' computers completely up to date. I find that applications that have an auto update, such as my anti-virus Nod32 which updates every day on its own, are a real blessing. It's a feature that is an option, but an option that I personally wish was in a lot more software. Windows has this feature (so does Linux if you want it to), however in the case of Windows it's not exactly all that consistent. Unfortunately it opens another can of worms that isn't so enjoyable, that being companies who abuse such a system for advertising purposes, modifying the software in such a way to reduce or change its functionality either because of internal decisions or external pressures from 3rd parties, compromise and abuse of the server the company uses to distribute the updates. But is it worth the added risk to know that 95%+ of the time your software is up to date? It's not a cure-all, but is it or is it not better than a reactive approach?"

  • by ivan256 (17499) * on Tuesday July 13, 2004 @04:54PM (#9690738)
    A changing system never runs; A running system never changes.

    Ideally, this means you would take the time to understand every update to your system, and install only those that were critical in order to maximize stability. Automatic updates are the other extreme and, if you ask me, never a good idea.

    If you are responsible for numerous machines, perhaps automated updates are right for you, but you should maintain control. Learn about the update, and personally send out the updates you deem important and know to be compatible to your clients' machines. Letting a bunch of individual entities with no knowledge of each other all have free rein over a machine is never a good idea, no matter how well intentioned all the parties involved may be.
    • Flip side of that coin is how long do you have to wait before you can properly vet an update to make sure it works 100% for all hardware and software variants? How far behind do you fall? How insecure do you become? This is of course assuming your client machines are full fledged desktops running the OS of choice - Windows XP.

      For general software updates I tend to agree with you. If it ain't broke...
    • That's all very great sounding. But unfortunately sometimes it's not that easy to find out exactly what an update does. Take this from Apple's website on a security update:

      Security Update 2004-05-03 for Mac OS X 10.3.3 "Panther" and Mac OS X 10.3.3 Server AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue.
      [http://docs.info.apple.com/article.html?artnum=61798 [apple.com]]

      Improved the handling of long passwords huh? Doesn't sound
      • You neglect to mention that that's one of three items that update addresses, and updates are rolled into subsequent updates.

        If I recall correctly, the particular issue you cite was a buffer overflow affecting a password field, using (vi-style keystrokes to paste excessive data) in the screensaver module -- inherently local.

      • And companies try too hard to sound like they have no real issues, sometimes making important updates not sound as important as they really are.

        Very nicely put.

        This is a terrible problem in the computer industry. Because most commercial software is sold as a "closed box" and software is complex and difficult for end users to analyze, software companies can get away with a phenomenal amount of misrepresentation and truth-bending.

        This is a major thing that I like about open-source software. The folks in
        • hey, it doesn't do desirable behavior, so the authors overlooked something.

          It depends who's defining "desirable".

          Like who in the world came up with the idea for a Javascript function in IE that allows a webpage to set the users' homepage!?

          http://blogs.msdn.com/jeffdav/archive/2004/04/13/112632.aspx

          Was that a dumb one or what? Though, it allowed the exact behavior that Microsoft intended. Unfortunately, the malicious users used it for other things...
  • by XCorvis (517027)
    As someone who has had to clean viruses off infected campus computers, I say that automated updates are 100% worth it, even if they do have problems once in a while. When Sasser ripped through, our help desk was swamped with calls from students. But not one single lab computer that had automatic updates set was affected. The benefits are obvious.
    • The question is not of updates themselves (which the students clearly didn't bother with) but with automatic updates. It's not too hard for a sysadmin to check microsoft.helpmycomputerisonfire.com each morning for updates and then do (well, initiate) a system-wide update manually. Same effect, less risk.

      You know what would be useful? A mandatory virus drill, like a fire drill or siren testing. Every new user would get a fake virus that would pretend to thrash the computer, only when the computer was reboot
  • by NanoGator (522640) on Tuesday July 13, 2004 @04:57PM (#9690757) Homepage Journal
    ...and keep in mind that shit happens.

    I would also suggest, though, that you'll never ever have a secure reliable system. Your computer can always be stolen or struck by lightning. A hard drive can fail. Etc. If you take the approach of "My computer could spontaneously combust" and deal with it that way, then you're in a far better world. Even the worst virus wouldn't cause you to lose your data.

  • I am beginning to find it difficult to keep clients' computers completely up to date.

    Welcome to the club.

    I don't think there's any way around this issue.

    Vendor updates (whether paid-for subscriptions from Microsoft, Red Hat, or beneath the pond-scum from adware spyware companies) probably haven't been completely tested for your corporate environment.

    You need to have a person or an organization committed to testing the latest updates in a lab environment before they are more widely deployed to check for

  • I like to compromise (Score:2, Informative)

    by Anonymous Coward
    I sign up for automated notifications of updates, and then I review those and apply them when appropriate.
    • I'd love to see something a bit more intelligent... recently we switched to running Services Update Server on our corporate LAN for our workstations (all of our servers are Gentoo linux) and I rather like it (I have to admit). Here's what we do:

      The windows admin checks windowsupdate for updates twice a day, and approves what he wants, and those push to the client every night...

      The servers (my responsibility) run an emerge sync every night, and then an emerge -Upv world (gentoo's tool to upgrade the whole
      • I think a lot of companies would like to use a plan similar to yours, simply because if they get past the first hump of making you check for updates they are at least halfway there to getting you to INSTALL those updates. Unfortunately we have seen the way some of our less than reputable corporate citizens would abuse that. They know a lot of people won't read the descriptions, so removing a feature here, or adding DRM there would not even be noticed until the "upgrade" is done.
  • The real concern (Score:3, Insightful)

    by greywar (640908) on Tuesday July 13, 2004 @05:04PM (#9690827) Journal
    The real concern I think is some guy finding a way to hack one of these. With an 8 hr waiting period...if it then simultaneously reformatted everything.

    Imagine windows update hacked. I update daily-lets assume 100 million other folks worldwide do. Within 8 hrs 33 million computers are infected...and reformat themselves.

    THAT'S my concern
    • Re:The real concern (Score:4, Interesting)

      by Kaali (671607) on Tuesday July 13, 2004 @06:24PM (#9691531)
      Doesn't Windowsupdate have any security checks on the validity of updates?

      I use Gentoo Linux and it has quite nice security checks for checking that everything I'm installing through its package manager is what it is supposed to be. First I use a random rsync server to fetch "package-definitions" called ebuilds and with them MD5 hashes of the software files. What makes it secure is that we have random rsync servers and random mirrors for the files themselves. So in theory a cracker has to crack at least two servers (main rsync server and main file server where everything gets mirrored from) to infect a Gentoo Linux system. I don't really know all the details of Gentoo Linux package-manager and its security checks, but this is how it acts approximately, at least the last time I checked. Hmm.. of course there is a possibility that the original software server is already cracked when Gentoo Ebuild-developers make their ebuilds&hashes.

      Well, nothing is completely secure.
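
The two-channel check described in the comment above, as an added shell sketch (not Portage's code and not part of the original thread): digests arrive from one place, files from another, and nothing is installed unless they agree. It uses SHA-256 instead of the MD5 the comment mentions; the manifest layout and the names `verify_distfiles` and `make_sample` are assumptions of this example.

```shell
#!/bin/sh
# Added example. Assumed manifest format: "<sha256>  <filename>" per line,
# which is what sha256sum itself prints.

# verify_distfiles MANIFEST DISTDIR
# Prints one line per problem; the return status is the number of problems.
verify_distfiles() {
    manifest=$1 distdir=$2 bad=0
    while read -r want name; do
        [ -n "$name" ] || continue
        case $name in
            */*|.|..) echo "UNSAFE $name"; bad=$((bad + 1)); continue ;;
        esac
        if [ ! -f "$distdir/$name" ]; then
            echo "MISSING $name"; bad=$((bad + 1)); continue
        fi
        got=$(sha256sum < "$distdir/$name" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name"; bad=$((bad + 1))
        fi
    done < "$manifest"
    # Files the manifest does not vouch for are treated as problems too.
    for f in "$distdir"/*; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        if ! cut -d' ' -f3- "$manifest" | grep -qxF -- "$base"; then
            echo "UNLISTED $base"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: "tree" stands in for the rsync'd package definitions,
# "mirror" for the file mirror. Prints the temporary directory it created.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/tree" "$d/mirror"
    printf 'release 1.0 payload\n' > "$d/mirror/foo-1.0.tar"
    ( cd "$d/mirror" && sha256sum foo-1.0.tar ) > "$d/tree/Manifest"
    echo "$d"
}
```

A change to the mirror copy alone is reported as a mismatch; if the manifest is rewritten to match, the check passes, which is the gap that signed package metadata closes.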
  • by ijones (83977) on Tuesday July 13, 2004 @05:14PM (#9690906)

    "Apt-Secure" [debian.net] has a nice sense of "which package sources are trusted". That means, APT maintains a list of places to get packages from. Some of these sources are trusted, and their packages can be cryptographically verified to be truly from those sources.

    If there's a new version of a package from an "untrusted" source, it'll ask you if you're sure you want to upgrade that package.

    I think it's silly to have packages go and upgrade themselves, especially where each package has its own way to perform the upgrade, and you have to trust each vendor's security implementation (instead of a single central one). A bunch of packages running off and upgrading themselves, each with its own security model (if any) is a great way to open yourself up to a man-in-the-middle attack several times a day. The OS should handle this in a consistent, secure way that the administrator can understand.

    peace,

    isaac

  • by airjrdn (681898) on Tuesday July 13, 2004 @05:22PM (#9690987) Homepage
    I'm no longer on dial-up thank goodness, but if I were, it would be a pain to want to dial-up, check email and disconnect to leave in a hurry only to be interrupted by a 3M patch that had to complete before I could really utilize my blazing 46k connection.

    My machines are on notify, but not auto-download & install. I'm on broadband and I've opted for this, I sure wouldn't want them forced on if I was on dial-up.

    If I'm in the middle of an Unreal Tournament 2004 match, the last thing I want is a forced update on Notepad++ or whatever.

    I'm not saying OP was indicating to force them, but this would be something to consider if you are considering forcing the updates.
  • The problem is one of trust. Windowsupdate seems like a clone of the old Oil Change, on a more limited basis. Oil Change would charge consumers a nominal fee for a whole bunch of updates, and they would enter into arrangements with Software publishers on their behalf.
    Microsoft took the same approach, minus the fees.

    The only problem is that if software X does not update properly(with drivers being autoupdated, that could be something like incompatibility, mis-detected hardware, etc...), and you pay for u
  • by Muggins the Mad (27719) on Tuesday July 13, 2004 @05:33PM (#9691086)
    I've had several more cases of "security" patches breaking my systems through changes to things not related to the security issue than I have of being hacked/infected/spywared.

    So I couldn't in good faith recommend auto-update on any system where the supplier has a history of this.

    Maybe when the software industry is mature enough to release security patches that *only* contain a security patch I'd think about it. I expect I'll be a long time waiting.

    Ok, so some free *nix distros do, and that's nice, but these generally aren't the ones getting infected all over the place.

    Plus, as someone else mentioned, having an auto-updater interrupt the one game of UT2004 you've managed to fit in this week is just not on.

    I don't understand how certain software suppliers are finding this so hard. Release a patch that fixes the security issue. Only the security issue. Make it small. Make auto-updaters check for updates when the screensaver kicks in. Duh.

    - MugginsM
  • by Suppafly (179830) <.slashdot. .at. .suppafly.net.> on Tuesday July 13, 2004 @05:36PM (#9691107)
    Autoupdating as it is used by most apps is just annoying.

    Certain things need to be updated frequently, such as operating systems and antivirus programs. Programs like quicktime and real don't need to be updated more than a few times a year, and yet they try to have tray icons running all the time.. Generally these autoupdating utilities are used to steal file associations every time you try to change them back to media player or winamp.

    It's one thing for an app to look for updates (after asking you) once you open it, but it is a complete waste of resources for every app to have a tray icon using a few megs of ram to periodically download updates.
    • I'll second the "autoupdating as used by most applications" bit. It really needs to be a single OS-wide *good* updater with logging, decent error recovery, and the like. apt with deb or rpm is a good example. Having a load of applications, all with their own half-assed updaters that break under particular situations is a *bad* thing.

      I've never been able to figure out why nobody provides an automatic application update service for Windows. Once you get used to having an automatic (or manual "tell me wha
  • ...about essentially putting "apt-get update; apt-get install" in the crontab.

    I'd make sure the session is interactive in an SSH/screen session, and monitor how long the process has been running. If it's still running after half an hour, it'll fire an email at me saying the update process needs my attention.

    If all exits normally, it'll email me the stdout and stderr of the session, so I know what was updated.
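
One way to build the wrapper the comment above describes, as an added example that is not the poster's script: it warns once if the update is still running after half an hour (without killing it), then mails the combined stdout and stderr when it ends. `ADMIN`, `LIMIT`, `POLL`, `NOTIFY` and the script path are names invented for this sketch, and it assumes a working local `mail` command.

```shell
#!/bin/sh
# Added example: cron wrapper that reports on an unattended update run.
# ADMIN, LIMIT, POLL and NOTIFY are names made up for this sketch.
ADMIN="${ADMIN:-root}"          # who gets the report
LIMIT="${LIMIT:-1800}"          # seconds before "needs attention" (half an hour)
POLL="${POLL:-10}"              # seconds between checks on the update
NOTIFY="${NOTIFY:-mail_admin}"  # command called as: NOTIFY <subject> <logfile>

# Default notifier; assumes a working local mail(1).
mail_admin() { mail -s "$1" "$ADMIN" < "$2"; }

# run_update CMD [ARGS...]
# Runs the update in the background, warns once if it overruns LIMIT (the
# update is left running so the package database is never cut off mid-write),
# then sends the captured output and passes the exit status through.
run_update() {
    log=$(mktemp) || return 2
    "$@" > "$log" 2>&1 &
    pid=$! elapsed=0 warned=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$warned" -eq 0 ] && [ "$elapsed" -ge "$LIMIT" ]; then
            "$NOTIFY" "update on $(uname -n) still running after ${LIMIT}s, needs attention" "$log"
            warned=1
        fi
        sleep "$POLL"
        elapsed=$((elapsed + POLL))
    done
    rc=0
    wait "$pid" || rc=$?
    if [ "$rc" -eq 0 ]; then
        "$NOTIFY" "update on $(uname -n) finished OK" "$log"
    else
        "$NOTIFY" "update on $(uname -n) FAILED (exit $rc)" "$log"
    fi
    rm -f "$log"
    return "$rc"
}

# Crontab entry (the script path is a placeholder):
#   30 3 * * * . /usr/local/sbin/run_update.sh; run_update sh -c 'apt-get update && apt-get -y upgrade'
```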
  • Autoupdates are nice if they work. But they are damned annoying when they don't. My lone WinXP box (used to talk to the HP Scanner and the Epson "I only work with my windows drivers" Color printer) is a good example. The HP Scanner software decided it needed to update itself. It's an annoying feature but I mistakenly said "ok". So after applying its updates the HP AutoUpdater now crashes whenever the screensaver kicks in. Nice AutoUpdateOfDeath...

    Obviously I now have to take the time to go search the
  • ..but, as a Windows Technician of almost 4 years now I believe that people should be aware of 99% of what happens to their computer.

    Treat it like a car.

    Wouldn't you be upset when you find out that your engine was "automatically updated" one day and that's why you were limited to 5 mph making you cancel meetings, miss deadlines, etc..

    Treat your computer like it's your car, unless you're an FFR* masochist.

    Trust me, you'll save time AND money in the end.

    *FFR -- Fdisk/Format/Reinstall, somewhat ancient but
  • Given the amount of spyware and other such softwares available, it would be wise if microsoft develops a new technology(API) for Auto-Updation feature of Third-party applications.

    Other approach for the Software manufacturers is to make use of independent testing houses.(for functionality and Security/privacy issues)
    There will be good acceptance rate for such certified softwares in the market.