The case against Windows Automatic Update

Credit to Author: Woody Leonhard | Date: Mon, 07 Aug 2017 05:19:00 -0700

There’s no question that you need to keep your Windows machine patched. In this age of EternalBlue and Shadow Brokers, Wikileaks and the CIA, avoiding Windows security patches is like hanging a sign out on the internet that says, “Kick me.”

That said, there’s no reason for savvy Windows users to succumb to Microsoft’s patching pace. Windows Automatic Update is great — vital — for your sainted aunt Martha, who’s afraid that anything other than playing mahjong will break her computer. But Auto Update’s an unnecessary risk for people who know how to use Windows and who keep up to date on Windows developments. If you’re knowledgeable enough to be reading this, you should seriously consider taking Windows patching into your own hands.

The core problem: Microsoft still hasn’t figured out how to deliver reliable Windows patches. Patch Tuesdays have turned into massive beta-testing grounds where bugs crawl out of the woodwork and attack in unpredictable ways. With a few notable exceptions, I don’t blame Microsoft for the mayhem — patching the mess we know as Windows, in all of its varied glory, is an NP-complete problem (that is, it’s “technically hard”). If everybody skipped Automatic Update, we’d be in an unholy mess. But folks who are willing and able to read the tea leaves don’t need to expose themselves to the risks of marching in lock-step with the Auto Update cadence.

Consider all the recent bugs we’ve seen delivered by Automatic Update. In March, Microsoft released a Windows 10 patch that broke its own product, Dynamics CRM 2011. Back in April we saw:

botched version detection for blocked updates, MSRT bugs, a problem with the Microsoft Baseline Security Analyzer, sync failures for Update Servers, more problems with a faltering Win10 1607 cumulative update, odd multiple reboots, and confusion over the .Net patches.

Those problems got sorted out over time, but then in June, Auto Update dished out 16 bad Office patches — which were ultimately fixed six weeks later. We were served an Internet Explorer patch that broke specific printing functionality. Then there was that rogue Surface Pro 4 driver patch a few weeks ago, delivered through Automatic Update, which clobbered Windows Hello functionality.

None of those are particularly debilitating for most people, but they’re a pain in the neck for some and positively agonizing for the unlucky. More to the point, the problems were completely avoidable if you just waited a couple of weeks for problem reports to die down, and for Microsoft to get its patches patched.

These kinds of glitches happen almost every month. Some people think of them as “scare stories” and, if you work for Microsoft, I suppose they are. But if you need to open an attachment in Outlook, or you wasted a couple of hours trying to figure out why Windows Hello suddenly stopped working, they’re important. If your company makes an Internet Explorer add-on that needs to print, your livelihood’s at stake. Microsoft routinely says these kinds of problems affect a “small number” of PCs, but the decibel level of the complaints makes that seem disingenuous.

Even if Microsoft isn’t at fault — frequently it isn’t — the pointed finger comes as small consolation to folks who have their days disrupted by a weird conflict, or their products clobbered.

Of course, you have to get patched eventually; you just don’t want to be in that initial unpaid beta-testing phase.

Two recent massive outbreaks, WannaCry and NotPetya, illustrate the point.

Microsoft patched the security hole used by WannaCry in MS17-010, released on March 14, 2017. On April 15, Efrain Torres tweeted a chart that explained what security holes MS17-010 actually plugged, and by April 17 the alarm was raised all over the web to get MS17-010 installed immediately. The WannaCry infection itself rolled out on May 12. If you blocked Automatic Update on March 14, you had two months to install one of the ten different patches incorporating MS17-010, or suffer the consequences.

NotPetya is a different animal altogether. The infection vectors are still being tabulated and discussed, but it appears as if the malware entered most networks through a poisoned update to an accounting package, MEDoc, and spread using a variety of techniques: the SMB holes patched by MS17-010, but also credentials harvested from memory on the first infected machine, replayed over PsExec and WMI to neighbors that were fully patched. NotPetya first appeared on June 27. Again, if you’re being moderately diligent, there was plenty of time to get patched, and patching alone would not have closed the credential-reuse path in any case.

Yes, you need to get patched. But, no, you don’t have to offer your production machine up to the Automatic Update beta program.

Certainly there are downsides to the wait-and-watch approach. Foremost among them: if Microsoft patches a vulnerability in Windows or Office, and malware built from that patch appears very quickly to exploit the previously undisclosed hole, those who are deferring updates may be caught flat-footed.

That’s happened in the past, but it has become uncommon. Sure, there are patches for zero-days (Windows Update patches for security holes that are already being exploited when the fix ships), but those are a horse of a different color: the exposure exists before the patch, so for them the question is how quickly you install, not whether you wait. For the ordinary Patch Tuesday fix, Microsoft keeps its bulletin descriptions deliberately vague, and turning a patch diff into a reliable, wormable exploit still takes attackers time. Could a massive wave of malware reverse engineered from a Tuesday patch roll out on some future Wednesday? Yes, and if it does, Automatic Update will save the day.

As with everything associated with patching Windows, there are pros and cons. You have to weigh the possibility of a giant, quickly reverse engineered attack against the near-certainty of buggy patches. History shows that the risk of blind patching on day one greatly exceeds the risk of delaying for a couple of weeks.

Microsoft knows that savvy users frequently want to opt out of the Automatic Update game. MS built Group Policies into Windows 10 Anniversary Update (version 1607), under Windows Components > Windows Update > Defer Windows Updates, that delay updates by a specified number of days: “Select when Quality Updates are received” for the monthly cumulative updates and “Select when Feature Updates are received” for the twice-yearly version upgrades. Win10 Creators Update (1703) makes those options accessible in the Settings app, under Update & security > Windows Update > Advanced options. Although the interaction of the Group Policies and the Settings values isn’t clear, at least to me, it’s a huge step forward. In my opinion, the ability to easily delay updates is the single most important feature in Win10 Creators Update.

Unfortunately, those settings are only available to those running Win10 Pro and Enterprise, version 1607 and later. Win10 Home users, and Pro users who don’t know the magic handshake, are shunted to the Automatic Update beta-testing end of the gene pool, unless they go to extraordinary means to thwart the system. Fortunately, Windows 7 and 8.1 customers have tools readily at hand to block Auto Update.
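As an added example (this is not from the column and is not Microsoft’s own tooling), here is the same deferral expressed in PowerShell, so it can be applied and verified without clicking through Group Policy or Settings. It writes the registry values that back the 1607+ “Select when Quality/Feature Updates are received” policies, and the older “Configure Automatic Updates” values that Windows 7 and 8.1 honor. The registry paths, value names and day ranges are Microsoft’s documented ones; the function names, the default 14-day and 180-day windows, and the read-back helper are assumptions made for this example. It must run from an elevated prompt.

```powershell
# Added example: configure Windows Update deferral through the registry-backed
# policy values. Not part of the original article. Run elevated.

$PolicyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicyPath = "$PolicyPath\AU"

function Set-UpdateDeferral {
    # Windows 10 Pro/Enterprise 1607 and later only; Home ignores these values.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Quality (monthly cumulative) updates: the policy allows 0-30 days.
        [ValidateRange(0, 30)]  [int] $QualityDays = 14,   # assumed default
        # Feature (version upgrade) updates: the policy allows 0-365 days.
        [ValidateRange(0, 365)] [int] $FeatureDays = 180   # assumed default
    )
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    $values = @{
        DeferQualityUpdates             = 1
        DeferQualityUpdatesPeriodInDays = $QualityDays
        DeferFeatureUpdates             = 1
        DeferFeatureUpdatesPeriodInDays = $FeatureDays
    }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$PolicyPath\$name", "set to $($values[$name])")) {
            Set-ItemProperty -Path $PolicyPath -Name $name -Value $values[$name] -Type DWord
        }
    }
}

function Set-LegacyAutoUpdateNotifyOnly {
    # Windows 7 / 8.1 "Configure Automatic Updates": AUOptions 2 = notify before
    # download, 3 = download but notify before install, 4 = install automatically.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(2, 3)] [int] $AUOptions = 2)
    if (-not (Test-Path $AuPolicyPath)) {
        New-Item -Path $AuPolicyPath -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$AuPolicyPath\AUOptions", "set to $AUOptions")) {
        # NoAutoUpdate=1 would disable the service entirely; keep it enabled.
        Set-ItemProperty -Path $AuPolicyPath -Name NoAutoUpdate -Value 0 -Type DWord
        Set-ItemProperty -Path $AuPolicyPath -Name AUOptions -Value $AUOptions -Type DWord
    }
}

function Get-UpdateDeferral {
    # Read back what is in effect, plus the date of the newest installed hotfix,
    # so a deferral you forgot about does not quietly become "never patched".
    $names = 'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays',
             'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays'
    $result = [ordered]@{}
    foreach ($n in $names) {
        $result[$n] = (Get-ItemProperty -Path $PolicyPath -Name $n -ErrorAction SilentlyContinue).$n
    }
    $result['AUOptions']   = (Get-ItemProperty -Path $AuPolicyPath -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
    $result['LastHotfix']  = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    [pscustomobject]$result
}

# Usage: defer quality updates two weeks and feature updates six months, make
# the Windows Update client re-read the policy values, and show the result.
Set-UpdateDeferral -QualityDays 14 -FeatureDays 180
Restart-Service wuauserv
Get-UpdateDeferral
```

Three caveats a practitioner will want. Windows 10 Home ignores the Defer* values, so the first function does nothing there. On a domain-joined machine a domain GPO overwrites whatever you write locally at the next policy refresh, so make the change in the GPO instead. And a deferral is a delay, not an opt-out: pair it with a reminder to read the patch reports and install before the window closes, which is what the LastHotfix column in Get-UpdateDeferral is there to make visible.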

So the next time somebody tells you that you have to turn on Automatic Update, take a few minutes before you flip the switch.

Yes, certainly, you need to install updates regularly. Yes, absolutely, if your sainted aunt Martha can’t be trusted to make an informed decision, her PC should join the unpaid beta testers. But no, you don’t need to swallow updates according to Microsoft’s timetable. A bit of diligence and discernment can protect your machine from threats coming in from all directions.

Think I’m all wet? You wouldn’t be the first. Join the discussion on the AskWoody Lounge.
