How necessary is it to take all Windows updates?

Hi Experts:

I am looking for an informed opinion regarding some of the updates from MS's monthly security patching.  Specifically, is it really necessary to take security updates that are described as applying to attacks from "authenticated local attackers", or even "authenticated remote attackers?"

I always download and install any other security updates involving unauthenticated attackers, since I take that to mean someone who could somehow break in to my machine remotely by any method, even though he/she lacks login credentials for it.  I do know that occasionally, a Windows Update is problematic and causes trouble for a few PC users. Even so, I consider the risk worth it to take those updates, because of the security holes supposedly patched... especially after checking around the Internet for a couple of days, and not finding anyone reporting problems with an update from the latest batch.

But, as is done with "not fixing something that ain't broke," I've been passing on updates pertaining to "authenticated local attackers" because that scenario is so unlikely for me.  

There are currently three computer users in my house: myself, my wife and my 19-year-old son.  Everyone has their own computer.  My wife's computer knowledge is pretty much limited to checking/writing email and accessing websites.  She  wouldn't know how to gain control of my machine, and has no reason/interest in doing so.  My son might know how, but I doubt he would want to.  There is nothing on this machine that would interest him, he probably knows that, and further, he knows full well the kind of hell that would result if I found out he did break in.

Even so, because we are all on a local network, and I don't know where he goes on the Internet and what his machine might collect while there, I have used the firewall module from my Norton Internet Security suite to specifically block his computer from accessing mine, just in case something nasty wants to spread itself over the network.  Also, I do it  just in case he forgets his age and thinks he is 15 again, and would like to try something on my machine over the LAN, just to see if it would work.

I haven't blocked the computer my wife uses, because I use it too and I need access to and from it over the LAN.

No one else lives here, although two other people have keys to the house. The place is a private home and is not an office or store or some other location where various employees come and go.  If nothing else, if I do leave my machine on when I go out, I have it set up to lock at the screen saver.  The Admin user account also has it's own unique password different from the one for my user account, and the machine has a boot password as well, so no one could just jump on, fire it up, and try something.

So, under these circumstances, is it wise to skip any security updates that just pertain to authenticated local attackers, just to avoid the slight chance of problems from those particular updates?

Thanks in advance.

ChristopherNls

ChristopherNlsAsked:
Who is Participating?
 
Yannick74Commented:
Hi Christopher,

   first of all, do you have any issue with downloading and applying updates from MS to your computer ?
(disk space, limited bandwidth at home)

If not, don't skip  anything !

Then if you are just curious, and it's look like as you already analysed your "network", here is my critic against this:

Physical access is one point, but you forget remote access !

Any of you home computer that is infected by a trojan that transform it to a Zombie may become the starting point to a "local" attack.

Most of the time if this kind of malware take the control of a computer it will run and use the current user credential.

If there is any link between the user of the infected computer and your computer (share), it's even easier.

Regarding your son computer, it sounds like you have no share space, and even more a specific rule on a software firewall.

Your wife computer is the door that could be use as:
- You allow file sharing from one to the other (means credentials are recognized)
- Your wife has "limited knowledge"

This last point is a nightmare for security, in industry too.
We receive tones of spam, pishing... We see so much website that display Fake antivirus alert...
users with limited knowledge, are not aware of the risk, they click OK almost every-time the computer ask something without reading the message.

They are the target of all those traps and they fall time to time in some of them.


My advises :
> Apply all updates (that's true for Win Update but also for drivers, antivirus...)
> Take care of all your computers with the same level of security (antivirus / firewall / updates / regular checks) to insure YOUR computer security.
YOU may have to setup admin account on each of them only for you, and setup limited accounts for users (son, wife).
> Spend time with your wife and train her in the use of email / internet and explained / show the most common traps and defined YOUR rules (don't open attachment from unknow senders, tell you if she have add any "strange experience"...)

Keep cool, you are not a target for any serious hacker that don't care about personal computers.
The only use of personal computers for hacker is to get more zombies.
Those attacks are known / detected / removed by any good antivirus up to date.

Merry Chritmas


0
 
JohnBusiness Consultant (Owner)Commented:
I keep my Windows 7 machine fully up-to-date. Nothing missing. I cannot see a reason to skip updates, and I do see security updates all the time. So I can see a reason to update.

Now, unlike some here, no updates have ever caused an issue with either of my Windows 7 computers, so again, I think it is a good idea to do them. .... Thinkpads_User
0
 
Dave BaldwinFixer of ProblemsCommented:
I do all updates except .NET 4 which have been a problem on my computers.  Other than that, I have only had a problem with one update in 10 years.
0
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

 
JohnBusiness Consultant (Owner)Commented:
I have .NET 4 running and use Office, Adobe, QuickBooks, VMware, IPsec VPN and a plethora of other applications. .NET 4 seems to play well with everything. .... Thinkpads_User
0
 
Gary CaseRetiredCommented:
Agree with the above => I would certainly apply ALL of the updates categorized as critical by Microsoft.    You may want to pass on some of the optional updates -- but even those are "safe" to install.    The ONLY update I'd advise against is the .Net v4 client on XP systems -- it can cause notable performance issues with some chipsets when running XP  (I've not seen any issues with it on Vista or '7 machines).

The problem with "self-analyzing" the updates and choosing which to install or not install is that overall security is an evolving and often inter-related process.    An update that doesn't actually address an issue you're likely to encounter may nevertheless be a prerequisite to some future update working correctly.     That's why service packs (e.g. SP1 for '7) always include ALL previous security updates.

Bottom line:   I'd simply set all of your systems to "automatic" for the updates and let them stay completely up-to-date.
0
 
Gary CaseRetiredCommented:
... interesting that .Net v4 was discussed while I was writing the above.    As I noted, I've definitely seen issues with this update on XP systems ... but not on those running later OS's.   From the tags in this question, I assume all systems are running Windows 7 ... so it's fine for these systems.
0
 
Dave BaldwinFixer of ProblemsCommented:
Didn't notice the Windows 7 tag.  Yes, I'm running XP.
0
 
JohnBusiness Consultant (Owner)Commented:
I have a couple of virtual XP machines, and XP machines at clients. I have .NET 4 on all of them with no side effects. The newest version of QuickBooks requires .NET 4 . .... Thinkpads_User
0
 
Fred MarshallPrincipalCommented:
I agree with the advice given so far.

But, have you considered that none of the updates ever refer to "bug fixes"?  Yet, anyone in the industry knows that there must be.  So, in passing up updates you're also passing up bug fixes.

There is but one situation that I would skip an update:  If the computer demonstrates that the update causes it (the computer) to stop working, then I have skipped a few .. but only after figuring out the minimum set of updates to be skipped.  This seemed the best use of time and energy.  But, it should not be undertaken lightly.
0
 
TolomirAdministratorCommented:
since why always apply all updates is discussed.

You should use this tool

https://secunia.com/vulnerability_scanning/personal/

to have an easy job doing so.

"Patching insecure programs helps safeguard your data and PC against cybercriminals. Secunia PSI is a security scanner which identifies programs that are insecure and need updates. It even automates the updating of many of these programs, making it a lot easier to maintain a secure PC."

Then you don't have to patch flash, java or adobe reader any longer manually.

Tolomir

0
 
ChristopherNlsAuthor Commented:
Thanks, everyone!  All these comments clarify the question for me.  It makes sense to take all updates, rather than relying on my own admittedly spotty knowledge and selectively skipping some.  

Yannick74, although my wife's computer knowledge is less than mine, (not that mine is so fantastic) she has the sense to avoid popups and the like that seem to offer fixes for problems we didn't know we had.  She is also good for asking me about things she is not familiar with, even something as innocent-looking as an Adobe Reader security update.  The unknown is my son's PC, since at his age I can no longer dictate to him where to go and not go on the Internet.  He is fairly computer savvy, and I have the Norton Internet Security suite on his machine as well.   But as everyone knows, even the most computer-savvy of us, and the best-designed security suite can be fooled by just one exploit that is just one step ahead of current knowledge.  In other words, nothing and no one is perfect, so you can't ever assume that your machine is impregnable.

Garycase, your comment regarding "self-analyzing" updates makes good sense.  I can't possible foresee what might be needed in the future, from an update not installed.

Fmarshall, you bring up something I've wondered about: whether unspecified "bug-fixes" are included in security updates.  I've seen "stability"  and "enhancement" offered in Service Packs, but I bet they are sometimes included with an update called just a security update, because they would be  necessary to make the "security" part effective.

Tolomir: I've had Secunia in the past for a year or more, and then got rid of it because I became concerned that someone would have such a complete knowledge of my computer.  On the face of it, Secunia looks like a good idea: someone notifying me of every single, (I assume, every single) security update for all software, not just Windows.  But, I have to wonder what is really their game.  Their service cost nothing for a private user, (at least when I had it it was free,) so where is the payday in their business model?  Nobody works for free, at least not forever.   Plus, I prefer to wait a few days after ANY update, just to see if it brings more problems than it solves.

But I will consider it.  Feel free to comment further on the Secunia question... anyone.

I've increased the points, so I could reward and thank everyone for their fast and thoughtful responses.

Merryn Christmas/Happy Holidays to all!

ChristopherNls
0
 
TolomirAdministratorCommented:
their business model is to sell this service to companies and give it away for free to private customers.

Does this list  help?

https://secunia.com/references/vi_customers/

and this is how they get them:

https://secunia.com/solutions/compliance/
0
 
TolomirAdministratorCommented:
I have 83 programs under their surveillance, they keep me updated for possible new patches.
This is a huge help / time benefit not to check for / apply updates myself.

The Auto Update functionality in the Secunia PSI helps you to automatically detect insecure programs, download the required patches from the vendors, and install them accordingly.

The key benefit to you is that once installed and configured for Auto Update, the Secunia PSI automatically installs the most important patches without further user interaction, thus relieving you from spending time on fetching the patches by yourself, and then manually installing them.

To secure your computer with Auto Update, go to the Secunia PSI "Configuration" section, and ensure that the Auto Update option is checked.


If you like to can add a trigger to this: Prompt before running automatic program updates
When enabled, an approval icon will appear in the Scan Results if a program is about to be updated. The update will not start until the approval icon is clicked.


Tolomir
0
 
ChristopherNlsAuthor Commented:
Tolomir:

Thanks for your insights into Secunia.  It sounds like you have had good experiences with them.  I, for one, have never heard anything bad about the company or their security update concept., and I do know that these kinds of firms, (and others in the computer-related fields as well,) will very often offer a free version of the service to individual members of the online community for well-intentioned community reasons.  Plus, it doesn't hurt that many of these individuals in the community work in the very companies that are Secunia's paying customers, where they gladly share their good experiences those that make decisions about purchasing decisions.

Forgive me if I sounded a little paranoid in my reasoning regarding ending my Secunia service.  As we all know, there is a constant drum beat of warnings, both real and imagined,  that the everyday end user like myself hears constantly, coming from tech writers looking to do their job, from marketers for bonafide anti-malware suites, (who have a commercial interest in creating a certain level of fear and paranoia in the online public... "Its a jungle out there!  Quick! Buy our security solution and feel safer."  And of course there are criminal enterprises posing as Internet security firms trying to entice the gullible into buying a cure for problems they may not have...yet.
So I didn't mean to sound cynical.  It's just that the Internet environment trains us to be suspicious of everything... at least those of us who are paying attention.

So thanks again. I will take your advice and hook up with Secunia again on my two machines.

Happy New Year!

ChristopherNls
0
 
TolomirAdministratorCommented:
That's the reason for such a forum here. We can discuss the company in question.

Secunia is often mentioned also by well know it-magazines it would be quite strange if they are a fraud.

If you like you can report here after the 1st scan with secunia and the results.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.