Friday, August 23, 2013

The Latest Ain't Always the Greatest... Revisited

A few years ago, I posted The Latest Ain't Always the Greatest about upgrading applications for no real reason. Today, I would like to look at updating your Windows OS and whether it is really such a good thing to do.


One of the first things I always do on a new Windows (or any other) system is disable automatic updates. Instead, I periodically check for available updates manually and decide which ones to install and which ones to ignore. Yes, it takes more time than to blindly apply all the updates automatically, but, if you consider that just one crappy patch will take hours (if you are lucky) to recover from, it is time well spent.

As you are sure to know, Microsoft puts its Windows updates into two categories: important and optional. Don't even waste your time going through the latter category. As to the important ones, not all of them are really that important. And that includes even those that are called security updates.

Let me give you a recent example: Security Update for Windows 7 for x64-based Systems (KB2859537) published on August 12, 2013. Bear in mind that it also applies to quite a few other Windows systems, so on your system it may appear under a different name (something like "Security Update for Windows XP Service Pack 3" or "Security Update for Windows 8 for 32-bit Systems", etc.).

Microsoft Security Bulletin MS13-063 says in large letters "Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege", which, I admit, does sound pretty scary. However, if you resist your immediate paranoid impulse and continue reading, in the very first paragraph of the executive summary you will read: "The most severe vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users." What is the likelihood of an "evildoer" with a "specially crafted application" getting physical access to your home machine (even if it automatically logs in to your account, which definitely isn't good practice, but that's beyond the scope of this post)? Probably not very high. In business setting, such a situation seems even less likely to occur.

Of course, you can go ahead and install the update if you can't resist the temptation or are too lazy to read a short paragraph, but be prepared to face the consequences. I have to confess that, with this particular update, I was too lazy to read even the first paragraph (happens even to the best of us) and ended up with a pretty much unusable system that took me about two hours to fix. Could have been worse.

Conclusions:
  • disable automatic installation of updates; you can check whether updates are available automatically if you want to, but do not install them automatically;
  • ignore all optional updates unless there is a specific issue with your system you need to address;
  • read the documentation carefully first and then decide whether the security risk the update claims to address outweighs the risk of messing up your system;
  • before you do anything to your system, make sure that you will be able to undo the changes (backup, disk image, system restore, etc.).

I know that the above may seem like I am stating the obvious. I am because over the years I have seen too many people who keep "stepping on the rake" of trying to have "the latest and greatest" without thinking whether they actually need it or not.


Image from sMart-lab.ru. License unknown (I claim "fair use").


P.S. Theoretically, a scenario is possible when a legitimate user of an unpatched Windows system gets tricked into, say, downloading and running what Microsoft refers to as "specially crafted application" which, in its turn, creates a remotely exploitable security hole (again, I am just theorizing here). This may be a legitimate concern, but, obviously, if applying a patch prevents legitimate users from running any applications (as it happened to me with this particular update), it is too high a price to pay.

UPDATE: There seems to be a new incarnation of this security update. See MS15-038: Description of the security update for Windows: April 14, 2015 and the corresponding Microsoft Security Bulletin Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3049576). After this one is installed, your Windows 7 system may fail to start.

UPDATE: Here come two more potentially destructive "elevation of privilege" updates: KB3060716 (MS15-090: Vulnerabilities in Windows could allow elevation of privilege: August 11, 2015) and KB3071756 (MS15-085: Description of the security update for Windows Mount Manager: August 11, 2015). Just like with the one above, after any of these is installed, your Windows 7 system may (I am not saying it will, but it may) fail to start. The good news is that System Restore (to which Startup Repair Tool falls back when it fails) appears to work most of the time (not guaranteed, of course) even though it also returns a failure message.

No comments: