Auto-Updates - Proactive or Begging for Abuse?

narzy asks: "To me, one of the most important steps to keeping a computer secure is keeping the system's software up to date. The problem I run into is that more and more of the applications in everyday use are web-enabled in some context or another, making them high targets for attack and exploitation. I am beginning to find it difficult to keep clients' computers completely up to date. I find that applications that have an auto-update, such as my anti-virus Nod32, which updates every day on its own, a real blessing. It's a feature that is an option, but an option that I personally wish was in a lot more software. Windows has this feature (so does Linux if you want it to); however, in the case of Windows it's not exactly all that consistent. Unfortunately it opens another can of worms that isn't so enjoyable, that being companies who abuse such a system for advertising purposes, modifying the software in such a way as to reduce or change its functionality either because of internal decisions or external pressures from 3rd parties, or compromise and abuse of the server the company uses to distribute the updates. But is it worth the added risk to know that 95%+ of the time your software is up to date? It's not a cure-all, but is it or is it not better than a reactive approach?"
  • by ivan256 ( 17499 ) * on Tuesday July 13, 2004 @04:54PM (#9690738)
    A changing system never runs; A running system never changes.

    Ideally, this means you would take the time to understand every update to your system, and install only those that were critical in order to maximize stability. Automatic updates are the other extreme and, if you ask me, never a good idea.

    If you are responsible for numerous machines, perhaps automated updates are right for you, but you should maintain control. Learn about the update, and personally send out the updates you deem important and know to be compatible to your client's machines. Letting a bunch of individual entities with no knowledge of each other all have free rein over a machine is never a good idea, no matter how well intentioned all the parties involved may be.
  • by BigBir3d ( 454486 ) on Tuesday July 13, 2004 @05:10PM (#9690875) Journal
    Flip side of that coin is how long do you have to wait before you can properly vet an update to make sure it works 100% for all hardware and software variants? How far behind do you fall? How insecure do you become? This is of course assuming your client machines are full fledged desktops running the OS of choice - Windows XP.

    For general software updates I tend to agree with you. If it ain't broke...
  • by airjrdn ( 681898 ) on Tuesday July 13, 2004 @05:22PM (#9690987) Homepage
    I'm no longer on dial-up thank goodness, but if I were, it would be a pain to want to dial-up, check email and disconnect to leave in a hurry only to be interrupted by a 3M patch that had to complete before I could really utilize my blazing 46k connection.

    My machines are on notify, but not auto-download & install. I'm on broadband and I've opted for this, I sure wouldn't want them forced on if I was on dial-up.

    If I'm in the middle of an Unreal Tournament 2004 match, the last thing I want is a forced update on Notepad++ or whatever.

    I'm not saying OP was indicating to force them, but this would be something to consider if you are considering forcing the updates.
  • Re:The real concern (Score:4, Interesting)

    by Kaali ( 671607 ) on Tuesday July 13, 2004 @06:24PM (#9691531)
    Doesn't Windowsupdate have any security checks on the validity of updates?

    I use Gentoo Linux and it has quite nice security checks for checking that everything I'm installing through its package manager is what it is supposed to be. First I use a random rsync server to fetch "package definitions" called ebuilds, and with them MD5 hashes of the software files. What makes it secure is that we have random rsync servers and random mirrors for the files themselves. So in theory a cracker has to crack at least two servers (the main rsync server and the main file server where everything gets mirrored from) to infect a Gentoo Linux system. I don't really know all the details of the Gentoo Linux package manager and its security checks, but this is how it acts approximately, at least the last time I checked. Hmm.. of course there is a possibility that the original software server is already cracked when Gentoo ebuild developers make their ebuilds and hashes.

    Well, nothing is completely secure.
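
The two-channel check Kaali describes (expected digests fetched from one mirror, the files themselves from another, so a single compromised mirror is caught) is easy to demonstrate in a few lines. The following is an added example written for this page; it is not Gentoo's package manager or its real Manifest format. The manifest line layout (`SHA256 <hex> <filename> <size>`), the package names and the file contents are all constructed for the illustration, and it uses SHA-256 rather than MD5. It also shows the residual case raised at the end of the comment: when the upstream source is already compromised before the manifest is built, the digest check passes because the manifest faithfully describes the backdoored file.

```python
"""Two-channel update verification, added as an illustration of the scheme
described in the comment above. Manifest format, package names and file
contents below are constructed for the example, not taken from any project."""
import hashlib
import hmac

# Constructed stand-ins for the release tarballs as published upstream.
UPSTREAM_FILES = {
    "foo-1.0.tar.gz": b"foo release 1.0 contents",
    "bar-2.3.tar.gz": b"bar release 2.3 contents",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """What the package maintainers would publish on the manifest channel:
    one 'SHA256 <hex> <filename> <size>' line per file (made-up format)."""
    lines = [f"SHA256 {sha256_hex(files[n])} {n} {len(files[n])}" for n in sorted(files)]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict:
    """Parse manifest text into {filename: (hexdigest, size)}.
    Malformed or duplicate lines and unknown algorithms raise instead of
    being skipped, so a truncated or tampered manifest cannot pass silently."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"manifest line {lineno}: malformed entry {raw!r}")
        algo, digest, name, size = parts
        digest = digest.lower()
        if algo != "SHA256":
            raise ValueError(f"manifest line {lineno}: unsupported algorithm {algo}")
        if len(digest) != 64 or not set(digest) <= set("0123456789abcdef"):
            raise ValueError(f"manifest line {lineno}: bad digest for {name}")
        if name in entries:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        entries[name] = (digest, int(size))
    return entries


def manifest_rejected(text: str) -> bool:
    """True if parse_manifest refuses the text (used to show failure handling)."""
    try:
        parse_manifest(text)
    except ValueError:
        return True
    return False


def verify_download(manifest: dict, name: str, data: bytes) -> bool:
    """Check a file fetched from the file mirror against the digest that came
    from the manifest channel. Unlisted files are never trusted, and the
    digest comparison is constant-time."""
    if name not in manifest:
        return False
    expected_digest, expected_size = manifest[name]
    if len(data) != expected_size:
        return False
    return hmac.compare_digest(sha256_hex(data), expected_digest)


def run_checks() -> dict:
    """Exercise the three scenarios from the comment: honest mirror, mirror
    serving a modified file, and upstream compromised before hashing."""
    manifest = parse_manifest(build_manifest(UPSTREAM_FILES))   # channel 1
    honest_mirror = dict(UPSTREAM_FILES)                          # channel 2
    evil_mirror = dict(UPSTREAM_FILES)
    evil_mirror["foo-1.0.tar.gz"] = b"foo release 1.0 contents" + b" + backdoor"

    # Upstream already backdoored when the maintainers computed the hashes:
    # the manifest is consistent with the bad file, so the check cannot help.
    poisoned_upstream = dict(UPSTREAM_FILES)
    poisoned_upstream["bar-2.3.tar.gz"] = b"bar release 2.3 + backdoor"
    poisoned_manifest = parse_manifest(build_manifest(poisoned_upstream))

    return {
        "honest": verify_download(manifest, "foo-1.0.tar.gz", honest_mirror["foo-1.0.tar.gz"]),
        "tampered_mirror": verify_download(manifest, "foo-1.0.tar.gz", evil_mirror["foo-1.0.tar.gz"]),
        "unlisted_file": verify_download(manifest, "baz-0.1.tar.gz", b"anything"),
        "poisoned_upstream": verify_download(
            poisoned_manifest, "bar-2.3.tar.gz", poisoned_upstream["bar-2.3.tar.gz"]),
    }


if __name__ == "__main__":
    for scenario, ok in run_checks().items():
        print(f"{scenario:18s} -> {'accepted' if ok else 'rejected'}")
```

The design point is where the trust comes from: `verify_download` only protects against whichever channel the attacker did not control. Signing the manifest (so the manifest channel itself cannot be forged) raises the bar further, but as the last scenario shows, no digest scheme can detect a file that was already malicious when its digest was computed.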
