Are Windows updates really that important?

Discussion in 'other software & services' started by amarildojr, Feb 24, 2016.

  1. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    Those of you who use Windows, do you consider Windows updates to be important if a user has various layers of protection in place? Even if the DVD is 6 years old?

    And if so, how can I differentiate SECURITY updates from cosmetic ones? Are security fixes marked as "Important" or are there other updates in the "important" category that are actually not security fixes?

    Here's what I use for security:

    • I set up a strong password for the first account created, named "Admin";
    • UAC to Max;
    • Then I create a non-Admin account, and so whenever a change to the OS takes place I must type the admin password;
    • MBAM Premium;
    • Avira Free for Primary resident scanning;
    • COMODO Internet Security, with HIPS on Safe Mode, custom Firewall rules, Sandboxing for most programs;
    • TrueCrypt for offline security and privacy;
    • EMET with MaxSettings on;
    That's basically it.
     
    Last edited: Feb 24, 2016
  2. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    301
    Location:
    Swiss
    Yes, they are important, the same as staying on the latest OS due to several security improvements; even if you can't see them directly, this does not mean that there aren't some new ones.

    Updates are important and one important thing you should add to your list. If you hate gimmick updates then I suggest you switch to an Enterprise Windows version because it only gets ONE update and does not get any new features (btw, which new features were added in Pro? I only saw gimmicks and glitch fixes).

    I think the lowest level should be patched and hardened first and then you can install tools, because there might be known security issues, and then to 'patch' these with external tools needs trust and knowledge, because this maybe requires several additional steps which would all be obsolete because of a patched system.

    Most malware needs administrative privileges, so you can almost destroy everything with the correct Windows version and correct settings (secpol/gpedit) and then you're fine without any tools.

    You may should give VeraCrypt a try and replace it with outdated TrueCrypt.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    They are not as important as some might make them to be.
    They can be useful, though.
    Mrk
     
  4. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    301
    Location:
    Swiss
    It's not important to fix security related things ... Huh? :confused:
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,886
    Location:
    Australia
    You can use an AV or other software to try and catch all of the drips from a leaky bucket, or you can plug the [known] holes.
     
  6. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    301
    Location:
    Swiss
    Makes no sense to me..... o_O
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,886
    Location:
    Australia
    In my analogy Windows security updates plug the leaky bucket.
     
  8. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    301
    Location:
    Swiss
    I guess that there are reasons why updates are marked as important, even if you do not understand or agree with them. E.g. recently Windows 10 was marked as an 'important' update and I agree; using the latest OS is simply a must no matter if you like it or not. If you use something which isn't supported anymore or is known as weak, you're always on your own. In fact Win 10 fixes a lot of holes from 7/8, e.g. Kerberos and such dramatic things - and this has nothing to do with 'I do not use it and then I'm not affected'; such things also affect other security-related aspects. Even if you do not see it, there are changes which are worth a closer look.
     
  9. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    I cannot understand how anyone can even admit such a ridiculous question. Of course updates are important. Any updates for any application simply because they're updates.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,886
    Location:
    Australia
    If that is for my benefit, you are preaching to the converted. I am already happily using Windows 10.
     
  11. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    @amarildojr been there, done that. I'm guessing you ran into the issue where Windows Update running time is CPU bound, and apparently quadratic with respect to the number of updates?

    Yes. Very important. Most especially if the DVD is 6 years old.

    Back when I was testing Windows stuff against Metasploit, I found that Windows updates made a bigger difference than any security software, period.

    You'd probably have to read the summaries on Microsoft's security bulletins site:
    https://technet.microsoft.com/security/bulletin/

    AFAIK all the "important" updates are either security or other bugfix, though. None of those should be additional features.

    ...

    For the record, my advice is

    a) Check out WSUS Offline Update:
    http://download.wsusoffline.net/
    It's still slow, but not nearly as slow as Windows Update.

    b) Create an updated install image using Sysprep, either on a spare PC or under Virtualbox.
    (I may post a guide for that at some point.)

    Keeping Windows up to date is unfortunately a lot more of a nuisance than with Linux, but it is still a very good idea.
     
  12. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    But I can't switch. In fact, this Windows 7 Home Basic license that I have was given to me :D That's the only reason I'm considering the temporary switch to Windows; I would never use a pirated version of it.

    What is that "1 update"? I remember trying Windows 7 Enterprise and it had tons of updates too.

    Could you be more specific?

    That's a very good analogy, although from what I know Windows Updates don't fix half of the exploits out there :/ Especially since they (updates) happen once a month.

    But Windows 7 still has 4 years of support, so they should make it secure in a way that is comparable to Windows 10 :)

    When dealing with only updates, then sure, it is a ridiculous question. However, as you might have read, it takes me way too long to update Windows, and the updates only cover Windows itself and not in a very good way. That's why I want to know if using 3rd party security programs is somehow an alternative to the updates.

    Exactly. Almost 300 updates and 12 hours to patch them :D It's one hell of a long time! :D

    Thanks.

    Thanks.

    Thanks.

    If it's legal, then I'm OK with it. Please mark me with "@amarildojr" if you do so :)

    Thanks.
     
  13. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    301
    Location:
    Swiss
    End of life updates have nothing much to do with the fact that there are holes which can't be that easily fixed in 7 with a KB.

    In Windows 10 Entp. you only have 1 single update because it makes all others obsolete (superseded).

    Pirated or not, WUS always works; the activation process is running all the time and connects to other servers as WUS. WUS only checks against to see the current status. As said, no matter which mode you select, Windows Update always works, and if I say always I mean always, because toggling such modes does not stop them; that is only possible via gpedit, services.msc, the registry or scripts which call them.
     
  14. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    @amarildojr

    Sysprep is the tool Microsoft provides for creating OEM images of Windows, with updates and preinstalled software. It does not allow Windows licensing to be bypassed. I am obviously not a lawyer, but I'm fairly sure it's legal for any licensed Windows user to make use of.

    In any case I'll remember to mention your handle if I post a HOWTO on this. And thank you! :)
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    With a bunch of updates just trying to slip in Win 10 stuff, what I am doing now is automatically hiding the optional updates. Then I go to important updates and hide the regular updates. The ones marked security I check each one to see what it is first. I also do apply all the .NET updates.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Pete. You have more gumption than I do.

    My update settings are completely off and it's going to stay that way until I can find confidence in them again (if ever).

    Security for the hard core and long time Windows enthusiast (yours truly) is much tighter and a lot more safe than anything that might come down the pipes from those updates anyway IMO.
     
    Last edited: Feb 24, 2016
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    FWIW, when I recently did a clean install of 7 again (SP1), I set it to notify only and not download or install, and also I made sure the "recommended" box was unchecked. I went thru and installed everything in the important main section and everything turned out great. Unchecking "recommended" seemed to keep out all of the Win 10 and telemetry related stuff, so I didn't feel the need to examine every update. On the surface, it seems to have worked well, but I suppose it's possible that something might have slipped thru. But if it did, I saw no sign of it at all.
     
  18. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    OK, thank you! :) Looking forward to using it, it would make my life so much easier.

    Thank you both. I was thinking of using a rather similar setup.

    What I did last time I installed Windows 7 was enable all updates, but checked the thread here called "list windows 7 telemetry updates to avoid". All updates were installed, recommended and important, and I didn't get the Windows 10 Upgrade message.
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Yes, I also did that a few months ago with pretty good results too.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    Hi Easter

    Some of the security updates can be important. Not too long ago there was an update relating to SHA1 and SHA2 hashes. If you didn't have that installed it broke things depending on what vendors were doing. I generally check one machine, and then if all the security updates are okay, I just take them all on the other 3. But all non-security updates go in the trash.
     
  21. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Let's see, I'm using a browser--Opera 12--that was discontinued several years ago in Xp to post this. This system has been cloned and re-imaged many times over a 6 year period with no security breaches or problems. So I tend to agree with Mrkvonic that updates are not as important as some people think they are. In the security panorama, I value ACLs and knowing how to set them much higher than updates. I used Xp for several years with updates completely disabled and no real problems. Updates are, in fact, not always good and often times break things and introduce problems that weren't there before. I realize this is heresy to some who have an almost religious belief in the value of updates but I see this as heavily influenced by a software industry that has a vested interest in keeping itself going and keeping those who code software gainfully employed at a high rate of pay. There is also a fashionista element to this and there are many who update simply because there's something new out there and everyone else is doing it.

    Yes, there are some security updates that are very important but most updates are not so important and keeping a system secure solely by updating is not a very good approach. As security becomes more lax and the user's ignorance of good security practices grows, so does the importance of updates.

    I tend to update every so often when it is convenient for me. My systems are locked down to the point that automatic updating mechanisms fail due to lack of privilege and all my updates are manually applied.
     
  22. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    301
    Location:
    Swiss
    Driving without any security system like ABS or a strap is also possible, but if something happens then you're on your own. Saying to not update is just like this; you need to know the possible consequences.

    And because of such statements I know why malware still is a huge problem; you should realize that some of it works in the background without you ever noticing anything. I can't really believe what I'm reading here, suggesting or recommending to not install updates because the OS works without them - of course it does, but it's simply bad to think that this isn't critical. If you understand malware you know that even touched or modified .dlls can also help to prevent it, because then the malware author needs to change the payload because of updated files.

    If you really want to waste the time to audit all the KBs, good, but just reading the changelog is mostly enough; for most users this is not understandable anyway, so it's better to recommend applying the updates immediately. I also see no problem at all, because if something does not work as expected then you can simply remove it. Don't get me wrong, we're not talking about 'feature updates', we're talking about 'important' updates, and I doubt that someone knows all the changes they include to say which of them are 'useful' and which are not.

    Jesus, my old Windows 3.11 also works without anything, but that doesn't change the fact that this shouldn't be used for so many reasons, the same as outdated software or OS. You simply lower the attack surface.

    I hope I will never again read such nonsense to not install updates because of a pirated OS or because the OS works without them. The OS has to be patched and this is nothing we need to talk about. And not all holes are fixable with just installing an AV, especially because on encrypted stuff/attacks they don't get any access, and they also do not prevent on-drive attacks which may already be fixed with the latest KB, or even worse if the OS is weak/vulnerable, and then you install an AV which uses techniques based on this.

    But I do agree 'feature updates' or beta tests is something that is optional - but not important/security related updates!
     
    Last edited: Feb 24, 2016
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    Only problem is MS has moved some of the updates that are designed to get Win 7/8 users to update to Windows 10 to important updates, but not security. So a blanket allow of all important updates is no longer viable. So far they haven't put the security label on any of them but no telling what is next.
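
An added example, not part of any post in this thread: one way to see which pending updates are security-classified rather than merely listed as important, using the Windows Update Agent COM API from PowerShell. It only searches and reports; the `Tier` mapping from `AutoSelectOnWebSites`/`BrowseOnly` to the Windows Update "Important"/"Optional" lists is an approximation, and the `Security Updates` category name assumes an English-language system.

```powershell
# Added example (not from the thread): read-only report of pending updates,
# split into security-classified updates and everything else.
# Nothing is downloaded, installed or hidden by this script.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Criteria string as defined by the Windows Update Agent API.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$report = foreach ($u in $result.Updates) {
    $categories = @($u.Categories          | ForEach-Object { $_.Name })
    $bulletins  = @($u.SecurityBulletinIDs | ForEach-Object { $_ })
    $kbs        = @($u.KBArticleIDs        | ForEach-Object { "KB$_" })

    # Treat an update as a security fix if any of three signals is present.
    # The category name is localized, so the other two signals act as a
    # fallback on non-English systems (assumption noted in the lead-in).
    $isSecurity = ($categories -contains 'Security Updates') -or
                  ($bulletins.Count -gt 0) -or
                  (-not [string]::IsNullOrEmpty($u.MsrcSeverity))

    # Approximate mapping to the tiers shown in the Windows Update UI.
    $tier = if     ($u.BrowseOnly)           { 'Optional' }
            elseif ($u.AutoSelectOnWebSites) { 'Important' }
            else                             { 'Recommended/other' }

    [pscustomobject]@{
        KB        = $kbs -join ','
        Security  = $isSecurity
        Severity  = $u.MsrcSeverity
        Bulletins = $bulletins -join ','
        Tier      = $tier
        Category  = $categories -join '; '
        Title     = $u.Title
    }
}

# Full list, security-classified updates first.
$report | Sort-Object -Property Security -Descending |
    Format-Table KB, Security, Severity, Tier, Category -AutoSize

# Updates offered as "Important" that carry no security classification:
# these are the ones to read up on before deciding whether to install.
$report | Where-Object { $_.Tier -eq 'Important' -and -not $_.Security } |
    Format-List KB, Category, Title
```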
     
  24. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Consequences, at least for the Xp laptop I use for forums, are null and void. The security comes from the ACLs I've set to lock the system down and the firewall, and not from updates. I would quickly notice if something was wrong, even if it was trying to hide. It's not like I don't have ways to check such things or the means to quickly recover from any problems found.

    I'm not saying not to update, just that it is not the be all and end all of security and I put it in a far lower position than other mechanisms like using a LUA and setting up effective ACLs. Updates are something to be dealt with sensibly just like any other thing and not to be applied blindly with the expectation that doing so will make your system magically secure. I also defend those who choose not to update their OS for whatever reason they choose. In my case, I have it all, every version of Windows from Xp to 10 and several flavors of Linux and I use them all on a regular basis. It's not that I don't update, I update and keep using what I used before and this Xp laptop with a huge display is perfect for forums and that is what I use it for.

    In the period I completely disabled MS updates, I actually engaged in far riskier behavior than I do now. That was long before I started limiting JavaScript and I wasn't so averse to downloading questionable software. What I did do then was to set strict ACLs and always use a LUA online and have the system partition imaged for a quick recovery. I never once had malware install itself on my system and I vet all the software I do use pretty carefully and never accidentally installed any from an administrator account.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    This has been my approach for years and that practice has safely kept things from breaking by avoiding them, but I also supplement that absence with some very unique layered security programs AND virtualization that's industry standard if not better, and some of that IS OPEN SOURCE.
     