{"id":15587,"date":"2019-06-17T02:30:04","date_gmt":"2019-06-17T10:30:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/06\/17\/news-9336\/"},"modified":"2019-06-17T02:30:04","modified_gmt":"2019-06-17T10:30:04","slug":"news-9336","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/06\/17\/news-9336\/","title":{"rendered":"The case against knee-jerk installation of Windows patches"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security14-100734743-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard | Date: Mon, 17 Jun 2019 03:10:00 -0700<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Heresy. Yes, I know. Any way you slice it, from my point of view anyway, Windows Automatic Update is for chumps. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Just like the \u201cusers must be forced to change their passwords frequently\u201d argument that\u2019s no longer <\/span><i><span style=\"font-weight: 400;\">au courant<\/span><\/i><span style=\"font-weight: 400;\">, the \u201cusers must get patched immediately\u201d argument is based on old, faulty, and totally unsubstantiated claims that make security people feel better \u2014 and little else. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">With a few notable exceptions, in the real world, the risks of getting clobbered by a bad patch far, far outweigh the risks of getting hit by an exploit for a just-patched hole. Many security \u201cexperts\u201d huff and puff at that assertion. The poohbahs preach Automatic Update for the unwashed masses, while frequently exempting themselves from the edict. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Yes, you need to get patched eventually. Yes, your Sainted Aunt Martha, who\u2019s afraid of playing mahjong because it\u2019ll break her Microsoft something-or-another, needs to be on auto updates. 
Yes, there are highly unusual patches (e.g., for <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3196673\/faq-are-you-in-danger-from-the-wannacrypt-ransomware.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">EternalBlue\/WannaCry<\/span><\/a><span style=\"font-weight: 400;\"> and <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3216425\/microsoft-patch-alert-patching-whack-a-mole-continues.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">BlueKeep<\/span><\/a><span style=\"font-weight: 400;\">) that need to be applied shortly after they\u2019re released. But in the vast majority of cases, for the vast majority of reasonably coherent Windows customers, waiting a week or two or three to install the latest crop of Windows and Office patches just makes sense. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Conventional wisdom be damned.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To my mind, the parallels with the \u201cusers must be forced to change their passwords frequently\u201d tripe are manifest. Back at the dawn of password time, some well-meaning security folks figured that forcing people to change passwords along a set schedule would make it harder for the bad guys to break in. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Sixty-day expiration periods reek of common sense, but they just don\u2019t help. 
Microsoft studied the situation, dropped the preconceived notions, and <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3391365\/microsoft-tells-it-admins-to-nix-obsolete-password-reset-practice.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">recommended in late April<\/span><\/a><span style=\"font-weight: 400;\"> that admins stop the practice, calling it \u201cancient and obsolete.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Microsoft hasn\u2019t, as best I know, studied the \u201cwait a couple of weeks to apply updates\u201d heresy. It\u2019s hard for me to envision how to test it. But it has looked at something similar, which can be quantified. Back in February, a handful of Microsoft researchers<\/span><a href=\"https:\/\/www.computerworld.com\/article\/3339537\/microsoft-watch-out-for-zero-days-deferred-patches-not-so-much.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\"> did show<\/span><\/a><span style=\"font-weight: 400;\"> that the chances of being infected through a just-patched vulnerability are tiny compared with all the other ways of getting infected.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Yes, you need to get patched eventually. Right now, for example, the old Equation Editor vulnerability CVE-2017-11882 \u2014 which was <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3239327\/get-november-windows-and-office-updates-installed-carefully.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">fixed at the end of 2017<\/span><\/a><span style=\"font-weight: 400;\"> \u2014 is enjoying a resurgence. Patch it. The <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3191897\/more-shadow-brokers-fallout-doublepulsar-zero-day-infects-scores-of-windows-pcs.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">EternalBlue SMBv1 hole<\/span><\/a><span style=\"font-weight: 400;\"> hasn\u2019t gone away. 
Thank you, NSA. Patch it. BlueKeep <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3400237\/its-time-to-install-the-may-windows-and-office-patches.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">hasn\u2019t been cracked yet<\/span><\/a><span style=\"font-weight: 400;\">, but you definitely need to put a fork in it.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">But in all of those high-profile cases, folks who waited a week or two or three to install the latest patches didn\u2019t get bit. In fact, I struggle to come up with a recent example of a just-patched security hole that turned into genuine mass-market malware in just a couple of weeks. On the flip side, I can point to hundreds of recent patches that have brought down some Windows machines.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I\u2019m not talking about organizations that guard state secrets, trade securities in real time, or calculate the meaning of life, the universe and everything. Those big organizations have their own security battalions that dig into the patches as soon as they\u2019re out and \u2014\u00a0<\/span><i><span style=\"font-weight: 400;\">mirabile dictu!<\/span><\/i><span style=\"font-weight: 400;\">\u00a0\u2014 they don\u2019t patch right away either. Instead, they spend enormous amounts of effort and money making sure that new patches won\u2019t break anything on their systems before they get rolled out.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you don\u2019t have a staff of security savants at your beck and call, you might want to consider doing the same thing they\u2019re doing but, instead of spending millions for test equipment and droids, just sit and wait and listen for the howls of pain from people who install the buggy updates. 
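<\/span><\/p>\n<p><span style=\"font-weight: 400;\">While you wait out the deferral window, the exceptions named above (the Equation Editor bug, the EternalBlue SMBv1 hole, BlueKeep) are the ones to verify on every box rather than leave to chance. The following PowerShell is an added example, not code from the column or from Microsoft: it reports whether the documented mitigation for each is in place (the Equation Editor COM kill-bit or a post-fix binary, SMBv1 server disabled, NLA on RDP for pre-Windows 8 builds) and, for any KB numbers you pass in from the Microsoft Security Update Guide for your build, whether that hotfix is installed. The function names, the patched Equation Editor file version, the rule that an unreadable setting counts as exposed, and the forward-slash registry paths are this example\u2019s own assumptions. A mitigation in place is not the same as patched; the KB check is the one that settles it.<\/span><\/p>\n
```powershell
# Added example, not from the column or from Microsoft: report whether the three
# exposures the column says to patch regardless of deferral are still open here.
# Registry paths use forward slashes, which the PowerShell registry provider accepts,
# so the block stays free of backslashes. Run from an elevated Windows PowerShell 5.1 prompt.
# Anything that cannot be read is reported as exposed; that is a deliberate assumption.

function Test-EquationEditorExposure {
    # CVE-2017-11882 is in EQNEDT32.EXE. The November 2017 fix replaced the binary
    # (file version 2017.8.14.0 is assumed here; confirm against your own patched copy)
    # and the January 2018 update removed it. Microsoft's interim mitigation was the COM
    # kill-bit (Compatibility Flags 0x400) on the Equation Editor CLSID.
    $base = ${env:CommonProgramFiles(x86)}
    if (-not $base) { $base = $env:CommonProgramFiles }   # 32-bit Windows has no (x86) variant
    $exe   = Join-Path $base 'Microsoft Shared/EQUATION/EQNEDT32.EXE'
    $clsid = '{0002CE02-0000-0000-C000-000000000046}'
    $killed = $false
    foreach ($hive in 'HKLM:/SOFTWARE', 'HKLM:/SOFTWARE/Wow6432Node') {   # 32-bit Office on 64-bit Windows lands in Wow6432Node
        $key   = '{0}/Microsoft/Office/Common/COM Compatibility/{1}' -f $hive, $clsid
        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and ($flags -band 0x400) -ne 0) { $killed = $true }
    }
    $vulnerableBinary = $false
    if (Test-Path -LiteralPath $exe) {
        $ver = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion -as [version]
        $vulnerableBinary = ($null -eq $ver) -or ($ver -lt [version]'2017.8.14.0')
    }
    [pscustomobject]@{ Check = 'Equation Editor (CVE-2017-11882)'; Exposed = ($vulnerableBinary -and -not $killed) }
}

function Test-Smb1Exposure {
    # EternalBlue (MS17-010) is an SMBv1 server bug; disabling SMBv1 is the standing mitigation.
    # Get-SmbServerConfiguration does not exist on Windows 7, which is exactly where SMBv1 is
    # most likely still on, so an unreadable result counts as exposed.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $on  = if ($null -ne $cfg) { [bool]$cfg.EnableSMB1Protocol } else { $true }
    [pscustomobject]@{ Check = 'SMBv1 server (EternalBlue, MS17-010)'; Exposed = $on }
}

function Test-BlueKeepExposure {
    # BlueKeep (CVE-2019-0708) is a pre-authentication RDP bug in Windows 7 / Server 2008 R2
    # and older; Windows 8 and later are not affected. NLA forces a logon before the
    # vulnerable code runs, which is the mitigation Microsoft listed alongside the patch.
    $legacy = [System.Environment]::OSVersion.Version -lt [version]'6.2'
    $ts  = Get-ItemProperty -Path 'HKLM:/SYSTEM/CurrentControlSet/Control/Terminal Server' -ErrorAction SilentlyContinue
    $tcp = Get-ItemProperty -Path 'HKLM:/SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp' -ErrorAction SilentlyContinue
    $rdpOn = ($null -eq $ts) -or ($ts.fDenyTSConnections -eq 0)
    $nlaOn = ($null -ne $tcp) -and ($tcp.UserAuthentication -eq 1)
    [pscustomobject]@{ Check = 'RDP without NLA on pre-Windows 8 (BlueKeep)'; Exposed = ($legacy -and $rdpOn -and -not $nlaOn) }
}

function Get-PatchExceptionReport {
    # $RequiredKb: KB identifiers (with the KB prefix) for your OS build, taken from the
    # Microsoft Security Update Guide. Nothing is assumed here about which numbers they are.
    param([string[]]$RequiredKb = @())
    $report = @(Test-EquationEditorExposure; Test-Smb1Exposure; Test-BlueKeepExposure)
    foreach ($kb in $RequiredKb) {
        $installed = $null -ne (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
        $report += [pscustomobject]@{ Check = ('Hotfix {0} installed' -f $kb); Exposed = -not $installed }
    }
    $report
}

Get-PatchExceptionReport | Format-Table -AutoSize
```
<p><span style=\"font-weight: 400;\">Run it with -RequiredKb pointing at the KB numbers for your build. A Windows 7 box with the SMBv1 server still on and RDP open without NLA shows two Exposed rows before the hotfix rows, which is the short list you deal with today; everything else can wait for the crowd to finish testing the month\u2019s patches.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">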
Think of it as crowdsourced patch debugging.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If Microsoft\u2019s patches were more than half-baked when released, this would be an academic exercise. The fact is that Windows patches keep screwing up, often in devastating ways. While it\u2019s absolutely true that only a presumably small percentage of Windows users get hit by any one specific bug, the volume of bugs is enormous. Don\u2019t believe it? Look at the past two years of <\/span><a href=\"https:\/\/www.computerworld.com\/article\/3216425\/microsoft-patch-alert-patching-whack-a-mole-continues.html\" rel=\"noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">patch whack-a-mole<\/span><\/a><span style=\"font-weight: 400;\"> documented in my monthly columns.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Microsoft hasn\u2019t yet \u2019fessed up to the error of its ways \u2014 at least, not to the extent that it has sounded a \u201cforced password change\u201d caliber alarm. We may never get a definitive statement about \u201cbugs as a service.\u201d But we are seeing some progress. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Two months ago, Microsoft Corporate Vice President Mike Fortin <\/span><a href=\"https:\/\/www.askwoody.com\/bombshell-updating-win10-will-be-better-really\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">posted an announcement<\/span><\/a><span style=\"font-weight: 400;\"> on the Windows blog that promises that Win10 1803 and 1809 customers will have a chance to delay forced upgrades to version 1903 using the so-called \u201cDownload and install\u201d feature. Since then, we\u2019ve heard that 1803 customers won\u2019t be so lucky \u2014 they\u2019ll be forced onto 1903 starting this month, even though 1803 doesn\u2019t hit EOL until November. 
It\u2019s not clear which push is going to meet what shove, but at least there\u2019s an official opening for improvement.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We\u2019ve also seen the Win10 1903 Windows Update settings sprout a new option, for both Pro and Home versions: As of this moment, anyway, you can click on a button in 1903 Windows Update that\u2019ll delay all updates for seven days. Click the button again and you add seven more days. You can click up to five times, with each occasion adding seven more days. For the first time ever, Win10 1903 Home users have some control over forced updates. Bravo.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">At the same time, the Win10 1903 Update options settings (Pro only, not in Home) have changed to eliminate the Current Branch for Business\/Semi-Annual Channel bafflegab that\u2019s gone through a dozen changes since Win10 arrived. Unfortunately, at this point, making any choices on the page to defer update results in <\/span><a href=\"https:\/\/www.askwoody.com\/forums\/topic\/ms-defcon-2-make-sure-windows-update-is-de-fanged-patch-tuesdays-tomorrow\/#post-1831378\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">all of your options going AWOL<\/span><\/a><span style=\"font-weight: 400;\">. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">I\u2019m guessing that behavior\u2019s a bug \u2014 one of many in 1903 \u2014 and I\u2019m not sure what behavior will ultimately shake out. Regardless, the easy availability of update\/upgrade deferrals, even on Win10 1903 Home, is a sure sign that Microsoft is backing away from its hardline \u201cusers must get patched immediately\u201d stance.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">That\u2019s progress. 
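<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The pause button and the Pro deferral page described above have an admin-side equivalent: the Windows Update for Business deferral values under the WindowsUpdate policy key, which can be set and audited from a script instead of clicked into place. The following PowerShell is an added example, not code from the column or from Microsoft. It sets a bounded quality-update deferral (14 days by default, the column\u2019s week-or-two wait) and a longer feature-update deferral, then reads back the effective state, including whether a pause set from the Settings app is still active. The two PeriodInDays policy values and their ranges are documented; the registry location and format of the pause expiry, the function names and the forward-slash registry paths are this example\u2019s assumptions, and Home edition does not honor the policy values at all.<\/span><\/p>\n
```powershell
# Added example, not from the column or from Microsoft: the admin-side equivalent of the
# 1903 pause button. Sets a bounded Windows Update for Business deferral through the policy
# key and reads back the effective state, including any pause set from the Settings app.
# DeferQualityUpdatesPeriodInDays (0-30) and DeferFeatureUpdatesPeriodInDays (0-365) are
# documented policy values; Home edition ignores them. Forward slashes are accepted by the
# registry provider and keep the block backslash-free. Run elevated on Windows PowerShell 5.1.

$PolicyKey = 'HKLM:/SOFTWARE/Policies/Microsoft/Windows/WindowsUpdate'
# Assumption: where the 1903 Settings-app pause button records its expiry (ISO 8601 string).
$PauseKey  = 'HKLM:/SOFTWARE/Microsoft/WindowsUpdate/UX/Settings'

function Set-PatchDeferral {
    param(
        [ValidateRange(0, 30)]  [int]$QualityDays = 14,   # the column's week-or-two wait for monthly patches
        [ValidateRange(0, 365)] [int]$FeatureDays = 120   # let a new feature release collect its first cumulative fixes
    )
    if (-not (Test-Path -Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $values = @{
        DeferQualityUpdates             = 1
        DeferQualityUpdatesPeriodInDays = $QualityDays
        DeferFeatureUpdates             = 1
        DeferFeatureUpdatesPeriodInDays = $FeatureDays
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord -Value $values[$name] -Force | Out-Null
    }
}

function Get-PatchDeferralState {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $u = Get-ItemProperty -Path $PauseKey  -ErrorAction SilentlyContinue
    $pausedUntil = $null
    if ($u -and $u.PauseUpdatesExpiryTime) { $pausedUntil = [datetime]$u.PauseUpdatesExpiryTime }
    [pscustomobject]@{
        QualityDeferDays = if ($p -and $p.DeferQualityUpdates -eq 1) { [int]$p.DeferQualityUpdatesPeriodInDays } else { 0 }
        FeatureDeferDays = if ($p -and $p.DeferFeatureUpdates -eq 1) { [int]$p.DeferFeatureUpdatesPeriodInDays } else { 0 }
        PausedUntil      = $pausedUntil
        PauseActive      = ($null -ne $pausedUntil) -and ($pausedUntil -gt (Get-Date))
    }
}

Set-PatchDeferral -QualityDays 14 -FeatureDays 120
Get-PatchDeferralState
```
<p><span style=\"font-weight: 400;\">The read-back reports what is written, not what Windows honors: on Home the policy values land in the registry and are ignored, so the only thing that counts there is the PausedUntil date the button sets, which tops out at the 35 days described above. On Pro, a policy deferral keeps working whether or not the Settings page is currently showing its options.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">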
Too bad so many in the security community don\u2019t see the writing on the wall.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you want to follow the, ahem, \u201cancient and obsolete\u201d advice to enable Automatic Update and get patches installed the minute they\u2019re available, hey, I think that\u2019s great. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">When you hit problems with wayward patches \u2014 trust me, you will \u2014 be sure to tell us all about it<\/span><a href=\"https:\/\/www.askwoody.com\/2019\/the-case-against-knee-jerk-installation-of-windows-patches\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\"> on AskWoody<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3402718\/the-case-against-knee-jerk-installation-of-windows-patches.html#tk.rss_security\" target=\"bwo\">http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,714,10525],"class_list":["post-15587","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15587","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15587"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15587\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15587"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15587"}
,{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15587"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}