ArsTechnica ponders if it’s time for Microsoft to force critical updates.

Meanwhile back in the Windows ‘verse all the anti-virus and system patches in the world won’t make a bit of difference if no one bothers to actually apply them to their systems. A new malware package known as Conficker has been making sudden gains on systems across the net taking advantage of a vulnerability in Windows that was patched months ago. This prompts Joel Hruska over at ArsTechnica.com to ponder whether critical updates should be forced onto systems:

Microsoft issued a patch for MS08-067 on October 23 and rates the severity of the flaw as “Critical.” for all previous versions of Windows 2000, XP, XP-64, and Server 2003. Windows Vista and Windows Server 2008 are apparently less vulnerable; Microsoft’s aggregate severity rating for these two operating systems is “Important.”

There’s a story within the rise of Conficker that I think is worth exploring. Microsoft appears to have dealt with this issue in textbook fashion; the company issued a warning, released a patch, and (presumably) rolled that patch into November’s Patch Tuesday. A significant amount of time—five to six weeks—has passed since Microsoft released its fix, yet PC World reports Conficker may have already infected as many as 500,000 systems.

It would be extremely fascinating to see data on how a patch spreads throughout the Internet once released by Microsoft as well as information on whether or not the severity of any particular flaw affects how rapidly users move to apply the patch. Events like this this raise the question of whether or not Microsoft should have the capability to push critical security updates out to home users automatically, regardless of how AutoUpdate is configured. I say home users for a reason; businesses and enterprise-class companies may still need to deploy the patch on a specialized timeline in order to ensure servers stay operational.

The idea of mandatory updates is unpopular with a lot of folks, myself included, but there’s a fair argument to be made here. Microsoft takes a lot of shit for having major holes in their OS, but a lot of those holes are patched within a reasonable time upon their discovery. Those patches don’t do any good if they’re not applied and the average PC user is not a technical support guy like me and probably won’t even be aware that he needs to apply patches, but he won’t hesitate to blame Microsoft if he gets infected. At the very least I could see an argument for setting the option for critical updates to be installed automatically as the default with the option to turn it off for folks who know what they’re doing. We already have a number of different software packages, mostly DRM systems, that update themselves automatically whether the user wants them to or not and a lot of folks seem to have no problem living with that situation (the rest of us just don’t use that software). I see a much stronger argument that can be made for Microsoft doing the same with critical updates than any DRM system.

The problem of unpatched systems has gotten bad enough that back in 2005 some ISPs started blocking infected systems from using their services and others have been breaking Internet protocols in controversial ways to try and combat the problem, but the best offense is a good defense and that means individual users keeping their systems patched and running current anti-virus software.  The question then becomes: Should Microsoft be allowed to at least force the critical updates on its users?

14 thoughts on “ArsTechnica ponders if it’s time for Microsoft to force critical updates.

  1. I know that I don’t want to allow Microsoft access to my computer by default.  I don’t do automatic updates and did a few manually, but then ran into a problem where I was advised that I would have to download something in order to do an update.  Something about verifying that my software is legit.  Since updates more often than not screw up my computer, I quit doing them.

    My first computer was given to me, and I knew nothing about computers.  As I learned, I discovered 58 viruses on it and got rid of them.  That computer had been severely abused, but still lasted me a couple of years.

    I use AntiVir and have my browsers set up in such a way that I consider myself less vulnerable than most people.  I use CCleaner at least once a day.  I block ads, certain websites and certain cookies.  I think most people don’t think much about cookies and think they are part of the territory.  As far as cookie and content-blocking, I even give myself problems sometimes when I have an actual need to visit a site or cookie that I’ve blocked.

    I don’t want anything forced on me.  I would like the easy option to download an update, if I’m convinced that I ought to do so.

  2. I think a compromise might be reached here.  Windows already presents users with a bubble saying “Updates are available.”  Just use a red icon and a “Critical Update available, please apply as soon as possible” bubble, along with only auto-selecting critical updates seems to be a reasonable solution.

    Users aren’t forced to accept the update by default, and users that don’t know any better have a more visible warning of the problem.

    As it is, that “updates” bubble and icon are far too easily ignored for something as important as a critical update.  I suggest keeping it as is for normal updates, but making it more intrusive for the rare critical update.

  3. I think that software companies should focus on making finished products that don’t need patching after release. That’s really the only proper solution.

    In this case, as with many other vulnerabilities, simply using Window’s built-in firewall prevents the abuse of the vulnerability. Since this is on by default since XP SP1, the question is why are there computers that aren’t firewalled?

    Also, it’d be interesting to know how many infected PCs have an illicit copy of Windows.

  4. I think that software companies should focus on making finished products that don’t need patching after release. That’s really the only proper solution.

    That’s the ideal, but it’s one that won’t realistically ever be achieved with software as complex as an operating system. Software is subject to the same law of unintended consequences as any other complex system in which you can make changes.

    I have no doubts the engineers are trying to make it as bullet proof as they can, but they are only human. Linux, considered one of the most secure OSes available, can have patches released for it several times in a single week. I’ve updated my install of Ubuntu at work twice out of the past three days so far and the main reason I probably didn’t have to update on Sunday was because I wasn’t at work.

    In this case, as with many other vulnerabilities, simply using Window’s built-in firewall prevents the abuse of the vulnerability. Since this is on by default since XP SP1, the question is why are there computers that aren’t firewalled?

    I’m not sure using the Windows firewall is an adequate solution. The firewall in XP is generally regarded as substandard at best.

    Also, it’d be interesting to know how many infected PCs have an illicit copy of Windows.

    More than likely quite a lot of them. People who use software illicitly are less likely to apply patches for fear of having the software disabled or being caught.

  5. There’s no way I’m going to let Microsoft force an update on my system. I use my Windows machine from behind an independent firewall and have never had a virus infect it when I wasn’t using Internet Explorer.  If Windows made me update, every third update would break my system and force me to get rid of the update or reinstall the OS, which would make me have to reinstall all my apps.  No thanks. 

    If MS can’t make updates that don’t screw me over worse than a virus, then why should I let them decide when to give me that update, much less give me the update without permission?  At least when I do it manually, I can be prepared for it.  In any case, the bottom line is that I don’t NEED their stupid anti-virus software.  If people behaved themselves and didn’t do stupid things, they wouldn’t need AV apps either.  I’m not going to give control of my system to someone who might upload something that would turn my computer into a paper-weight (which btw sounds an awful lot like what virus’ do anyway), and I’m certainly not going to do it because other people can’t keep their own systems clean.

  6. More than likely quite a lot of them. People who use software illicitly are less likely to apply patches for fear of having the software disabled or being caught.

    I know from personal experience that having illicit copies of Windows OS does not make you more vulnerable to being infected by a virus.  Anti-virus software only works on virus’ (virii?) that have been out for a little while or those that are based on a virus that has already been dealt with.  The most effective way to protect yourself from a virus is the same as it’s been for a decade: third-party firewalls and using good email control (mostly the latter).  Don’t let Windows control your internet connection, even if it’s the only computer you have, and there’s no excuse for getting a virus through email any more.

    I know my setup is pretty unusual (running Mac and Windows through a Linux router, and I use Mozilla, not MSIE) but I don’t and never have used AV software and the only time I update my Windows system is when I have to to make an app work.  According to Microsoft, my system should be swarming with infections, but it isn’t.  I can count on two fingers how many times my system has been infected in the last ten years, and both times I did something I knew was risky.  Good email skills and realizing that Microsoft does not always know best counts for more than AV software or whether you update when they think you should.

  7. Swordsbane writes…

    If Windows made me update, every third update would break my system and force me to get rid of the update or reinstall the OS, which would make me have to reinstall all my apps.  No thanks.

    If MS can’t make updates that don’t screw me over worse than a virus, then why should I let them decide when to give me that update, much less give me the update without permission?

    I find that interesting because I can’t think of the last time a critical update fucked up my system and I apply every single critical update that comes out as soon as it’s available.

    I have had Service Packs cause problems on the odd occasion when they’re first released, but not a critical update. Occasionally a driver update will go wonky and require a rollback, but it didn’t cripple my system in the process.

    I know from personal experience that having illicit copies of Windows OS does not make you more vulnerable to being infected by a virus.

    Never said it made you more vulnerable. I said people who use illicit software tend not to apply patches for fear of being caught or having the software disabled. Not applying patches will make you more vulnerable.

    Anti-virus software only works on virus’ (virii?) that have been out for a little while or those that are based on a virus that has already been dealt with.

    Not entirely true. There are known attack vectors that can be monitored by anti-virus software that can stop a new virus from getting installed. It’s not as fool-proof as stopping an already known virus and it has the occasional false positive, but it helps.

    The most effective way to protect yourself from a virus is the same as it’s been for a decade: third-party firewalls and using good email control (mostly the latter).  Don’t let Windows control your internet connection, even if it’s the only computer you have, and there’s no excuse for getting a virus through email any more.

    I concur on the firewall, but that doesn’t necessarily stop you from getting a virus as much as limiting the damage if you do. Still, having one helps.

    Email isn’t the most common way of getting viruses anymore. Hasn’t been for a long time. Drive-by installs using vulnerabilities in unpatched browsers and social engineering are the two main ways people get viruses on their systems these days. I can’t remember the last email message I got that had a virus in it. Having an unpatched system directly connected to the Internet is another way.

    An unpatched freshly staged Windows XP system sitting on a direct connection to the Internet (e.g. not behind a router but directly connected to a cable modem) will be compromised in about 4 minutes these days. Not installing critical patches is just stupid.

    I know my setup is pretty unusual (running Mac and Windows through a Linux router, and I use Mozilla, not MSIE) but I don’t and never have used AV software and the only time I update my Windows system is when I have to to make an app work.  According to Microsoft, my system should be swarming with infections, but it isn’t.  I can count on two fingers how many times my system has been infected in the last ten years, and both times I did something I knew was risky.  Good email skills and realizing that Microsoft does not always know best counts for more than AV software or whether you update when they think you should.

    I’d attribute that more to your being behind a router than anything else. Having a router between you and the Internet adds a hefty bit of protection, but it’s not foolproof.

    The point remains, however, that you, like me, are not an average computer user. Your Mad Email Skillz may be enough to let you go without AV software, but you are the exception to the rule just as I am.

    I don’t run a software firewall on my PC beyond the standard one included in Vista and I manage to get along just fine. Does that mean that a good firewall is unnecessary for the average computer user? Not at all. It means I know enough about what I’m doing that I don’t need it myself.

    Again the question should be considered from the standpoint that the vast majority of computer users are not the experts you and I are. I can see a strong argument for a default setting of install all critical updates without prompting with an option to turn it off for people like you and me.

  8. When installing an update terminates my ability to connect to the internet, forcing me to rollback my system, naturally I get just a little leery of running updates. Having updates that get forced to run, which then break something, I rollback, the update gets forced again etc – I’d end up with a computer I couldn’t connect to the net as it would immediately have an update forced into it that would break it. No thanks.

  9. Not applying patches will make you more vulnerable.

    Apparently not.  I don’t patch unless I get new software and it doesn’t run on non-patched systems, which isn’t all that often.  I’m WAY behind as far as Windows security is concerned.  I still don’t get infected.  I suspect it’s mostly because I don’t use MSIE.

    Email isn’t the most common way of getting viruses anymore. Hasn’t been for a long time. Drive-by installs using vulnerabilities in unpatched browsers and social engineering are the two main ways people get viruses on their systems these days. I can’t remember the last email message I got that had a virus in it. Having an unpatched system directly connected to the Internet is another way.

    I’d have to take issue with that.  When I still had my 9-5 job, every few months the company network would get nailed by a virus.  It was always because someone opened an email when they shouldn’t have.  I know MSIE is wide open to vulnerabilities.  Perhaps that is why most Windows systems need AV software.

    An unpatched freshly staged Windows XP system sitting on a direct connection to the Internet (e.g. not behind a router but directly connected to a cable modem) will be compromised in about 4 minutes these days. Not installing critical patches is just stupid.

    I upgraded to XP later than most and my first install was on a PC that was hooked directly to the internet.  Trust me, it takes a lot less than 4 minutes if you’re not paying attention.

    and what do you mean by critical patches?  Does that mean what Microsoft considers critical?

    I don’t run a software firewall on my PC beyond the standard one included in Vista and I manage to get along just fine. Does that mean that a good firewall is unnecessary for the average computer user? Not at all. It means I know enough about what I’m doing that I don’t need it myself.

    Again the question should be considered from the standpoint that the vast majority of computer users are not the experts you and I are. I can see a strong argument for a default setting of install all critical updates without prompting with an option to turn it off for people like you and me.

    I would guess that either a non-Windows router or religiously current AV software will have about the same effectiveness.  Since keeping your AV software current is an ongoing cost, I would pick the router option, but like everything else, it seems that if you don’t take the time to learn what you’re doing, you pay for it, either by getting virus, or continually paying for an AV service.

    And I’m by no means an ‘expert’  I’m not a programmer and my network skills are spotty beyond the basics, and my knowledge of Windows has atrophied somewhat since 3.11.  I have some experience with almost every OS out there and my strong suit is getting the operating system to do what I want rather than what it thinks it should do.  Any idiot can use a computer, but I think that before you do anything with a computer connected to the internet, you should at least read through “Networking for Dummies” or something similar.  If you can’t understand it and apply what you learn, then maybe using a computer is not for you.  One of the greatest things about computers is that they are everywhere.  One of the worst things about computers is that they are everywhere, and you don’t need to demonstrate any brain power whatsoever to connect one to the internet and mess around with it.  The problem with that is that the consequences of your lack of knowledge can be visited upon others.

    Back on topic, if a user doesn’t know what to do with his system, automatic controls designed by a tech in Seattle aren’t going to know either.  Never mind that those people who know what they are doing are more qualified than Microsoft to decide when and how to protect their system.  If everyone had the same hardware, possibly automatic updates would make sense, but as things stand now, forcing updates will cause many more problems than they solve, if they solve any problems at all.  Maybe someday they’ll make idiot-proof (or at least idiot-resistant) PCs, but until then, I don’t trust anyone to mess with my system except me (and people I know understand what they’re doing)  I’m certainly not going to trust what amounts to a small batch of code that decides that my system is vulnerable simply because MS built another patch and I don’t have it yet.

  10. Swordsbane writes…

    Apparently not.  I don’t patch unless I get new software and it doesn’t run on non-patched systems, which isn’t all that often.  I’m WAY behind as far as Windows security is concerned.  I still don’t get infected.  I suspect it’s mostly because I don’t use MSIE.

    We’ve already discussed that you are the exception to the rule. The fact that you manage to not get infected doesn’t mean you aren’t more vulnerable to infection with an unpatched system than someone who keeps their system patched. I’d be willing to bet that if we put my system and your system on a naked net connection your’s would be compromised in very short order without you having to download even a single email or open up MSIE.

    Perhaps if everyone limited how they use the Internet to the activities you engage in then there would be no need for patches and AV software, but that’s an unrealistic expectation. Your methods may be flawless, but that doesn’t mean they will meet everyone’s needs.

    I’d have to take issue with that.  When I still had my 9-5 job, every few months the company network would get nailed by a virus.  It was always because someone opened an email when they shouldn’t have.  I know MSIE is wide open to vulnerabilities.  Perhaps that is why most Windows systems need AV software.

    How long ago was it you had that 9-5 job? And, again, it’s not necessarily all the fault of MSIE or email attachments.

    One of my relatives, I won’t mention which one to spare them embarrassment, has managed to infect their system with malware repeatedly in spite of my efforts to patch their system, have up to date AV software running, and making them switch from IE to Firefox. The reason? They’re addicted to watching goofy videos on sites like YouTube. Sometimes they hit a dubious site that looks perfectly legitimate and is prompted that they need to install a codec to watch the video. People are used to being prompted to install software to watch streaming video. It’s a classic social engineering scam. They give it the OK and it installs the malware without having to exploit a single vulnerability in the OS, Internet Explorer, or open an attachment. Ads for the dubious video sharing site show up on legitimate webpages all the time. I’ve seen one or two show up in the Google ads I have here on SEB.

    For you or me spotting a dubious codec request is child’s play, but for the average user, the ones like my relative, it’s not so simple. Having an up-to-date copy of Avast anti-virus on my relative’s PC has stopped some of the codecs from being run and as such it has helped reduce the incidence of this sort of thing occurring.

    I upgraded to XP later than most and my first install was on a PC that was hooked directly to the internet.  Trust me, it takes a lot less than 4 minutes if you’re not paying attention.

    and what do you mean by critical patches?  Does that mean what Microsoft considers critical?

    Four minutes is the average time. Your actual time to infection may vary. wink

    Microsoft categories the patches on Windows Update as Critical, Recommended, and Optional. When I say critical patches I am indeed referring to the ones Microsoft labels as such.

    When I patch I install everything listed as critical and a good chunk of the recommended (depending on if I use any of the things being patched under the recommended label).

    I would guess that either a non-Windows router or religiously current AV software will have about the same effectiveness.

    Are you saying that a good AV or firewall is as effective as patching a hole in the OS? I’m not sure I’d agree with that. Patches fix more than just security issues.

    Since keeping your AV software current is an ongoing cost,

    It doesn’t have to be. There’s several anti-virus packages for Windows that are free for personal use. I use Avast on all my machines and all it costs me is a yearly visit to their website to register my email address for a key so they can brag about how many PCs they’re protecting.

    If you’re a Comcast subscriber they offer you a free copy of McAfee. AT&T and Yahoo! both offer free online protection suites which include AV and personal firewall software. In fact many ISPs now offer free AV software at a minimum to help folks protect their systems.

    … I would pick the router option, but like everything else, it seems that if you don’t take the time to learn what you’re doing, you pay for it, either by getting virus, or continually paying for an AV service.

    Not everyone can be an expert and even if they were I’m not sure how that would negate the importance of critical software patches. As I said before, they often fix more than security issues.

    The problem with that is that the consequences of your lack of knowledge can be visited upon others.

    That’s true of so many things in life, though. Certainly it’s reason to try and educate, but that doesn’t mean prevention is a bad idea.

    Back on topic, if a user doesn’t know what to do with his system, automatic controls designed by a tech in Seattle aren’t going to know either.  Never mind that those people who know what they are doing are more qualified than Microsoft to decide when and how to protect their system.

    I disagree on both counts. To use an automotive analogy, it’s somewhat like a car that could detect a punctured tire and patch it without any intervention on the part of the driver. How many people wouldn’t want that? How would that not be an advantage to the average driver regardless of how good they are at changing a tire themselves? Would you really say that you don’t want some engineer in Detroit deciding when and where to patch your tire if it should get a hole in it? That you’d rather run on a flat with potential risk of damage to your vehicle just because you don’t think a car engineer is qualified to determine when a tire is properly flat? Would you go so far as to actively discourage people from taking advantage of such a system because you think they should know how to fix a flat themselves?

    Granted software is a far cry from tires, but I felt it was a decent analogy.

    If everyone had the same hardware, possibly automatic updates would make sense, but as things stand now, forcing updates will cause many more problems than they solve, if they solve any problems at all.

    I suppose that depends on whether you’re forcing updates for everything or just the critical issues. No one is suggesting that Microsoft force you to install every single update they come out with, or even to force you personally to update anything at all. What the question is is whether or not it would be a good idea to make installation of critical patches and opt-out rather than an opt-in service.

    If there’s a buffer overflow vulnerability in your OS it’s going to be there regardless of what hardware you’re running. It won’t matter if your HD is from Western Digital or Samsung or your video card is an ATI or nVidia, that vulnerability will be there regardless.

    Maybe someday they’ll make idiot-proof (or at least idiot-resistant) PCs, but until then, I don’t trust anyone to mess with my system except me (and people I know understand what they’re doing)  I’m certainly not going to trust what amounts to a small batch of code that decides that my system is vulnerable simply because MS built another patch and I don’t have it yet.

    Which is exactly why you’d have the option to opt-out, but again you’re not the average PC user.

  11. I think that software companies should focus on making finished products that don’t need patching after release. That’s really the only proper solution.

    That’s the ideal, but it’s one that won’t realistically ever be achieved with software as complex as an operating system.

    I believe that to some extent this is achievable, but largely ignored because it’s not a priority for software companies (outside of avionics and medical devices, where failure is not an option). Highlighting this, buffer overflows are still a quite common source of security vulnerabilities, even though they have been considered an essentially solved problem in computer science for about 20 years.

    I’m not sure using the Windows firewall is an adequate solution. The firewall in XP is generally regarded as substandard at best.

    I haven’t heard of the XP firewall ever having any actual vulnerabilities so it probably does a good job at stopping inbound traffic, which is enough to protect you at least from this particular vulnerability. I can attest to the vulnerability of an unpatched XP, but if you turn on the firewall before plugging it to the web, it shouldn’t catch anything by itself, unless you use the unpatched IE to access dodgy websites.

  12. Again the question should be considered from the standpoint that the vast majority of computer users are not the experts you and I are. I can see a strong argument for a default setting of install all critical updates without prompting with an option to turn it off for people like you and me.

    I see a strong argument against it.

    At the end of the day, the question is who controls the desktop—the user or the vendor. For the folks running large corporate IT infrastructures and those who distrust M$, giving M$ or anybody else the capability to install anything they label as a critical security update (WGN anyone?) at will is not acceptable.

    In short: No fucking way I’ll use Windows if I can’t control what M$ pushes to my desktop.

    The same goes for other vendors. Apple is known to pull some fast ones if you’re incautious enough to run their automatic update feature.

  13. I guess I’m not making myself clear. No one is suggesting that you wouldn’t be able to exercise control over what gets installed if you wanted the choice whether you’re an individual or an IT department. Windows XP and Vista already have an option to have critical updates installed automatically, but it’s opt-in.

    The question isn’t: Should Microsoft be allowed to install whatever the fuck they want without you having a say in the matter.

    The question is: Should Microsoft make the automatic install of critical updates an opt-out rather than an opt-in decision?

    We already know most users go with whatever the defaults are on their systems. That’s part of why IE has the majority of the browser market share. If the option to auto-install critical patches was opt-out then most folks who are clueless would have said patches installed automatically and anyone who wants to control what gets installed and what doesn’t could opt-out.

  14. The question is: Should Microsoft make the automatic install of critical updates an opt-out rather than an opt-in decision?

    Absolutely not, because it’s the thin edge of a wedge.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.