Are Windows updates really that important?

Discussion in 'other software & services' started by Amanda, Feb 24, 2016.

  1. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Just to clarify: That wasn't me who said that :D All I said is I'll use Windows only because I do have a license.

    Has Windows 7 update scheme changed? Because last I remember I only had "Optional" and "Important" updates.

    @MisterB I'd use Windows XP if newer games were available to it. IIRC, BF3 is not compatible and was made in 2011, and many other DX10/DX11 games aren't XP-compatible as well. Otherwise, I'd use XP to this day :)

    And I'd use Vista as well, but I don't have a license to it and its lifetime will end soon. Too bad because the thing looks amazing IMO. And it performs well.
     
  2. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss

    Not true, you can set whatever you want if an exploit exists to bypass the firewall, the permission system or privilege escalation then you could set whatever you want....

    You should understand that security fixes fix something, which means there already exists something which can lower or compromise 'somehow' the security aspect.

    Yes, just because you have not had a single malware infection does not mean that this is a good strategy; remember we are in a public forum and everyone can read this.

    In some cases you can be careful and get infected anyway for several reasons and then as I said you simply lowered the attack surface. A scenario is the encryption/BitLocker, this was vulnerable and was patched and then according to your strategy you possibly stay on the vulnerable level. Of course all of this is mostly theoretical but it is present.

    Don't get me wrong, I also do not believe in any tools/programs but this is really a minimum everyone can do, stay up2date.

    As mentioned there is a little 'problem' because non Win 10 users get the important KB which wants to download Win10 ... But I see this as not critical, just install them and then block it by renaming the .exe file and you're good to go because then MS is 'happy' you have that installed and you do not get any more offers to install something. To not install it is in my eyes not good because another KB then may come or you forget something and get this anyway.
     
  3. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    I'll take all important updates, as I'm not savvy enough to discern important updates to ignore.

    WU - Can be the most difficult problem to repair!
     
  4. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I have another laptop that runs Vista right beside this one. It handles print jobs and a few other tasks. No reason to update either. A Pentium Mobile with 2gb ram is not going to be able to handle much beyond Xp in the Windows world. I tried Windows 7 in the Core Duo Vista laptop but it didn't do well on the low end GPU and wasn't any faster.

    Actually, for me it has been the perfect strategy. The ACLs I've set are not something just anyone would do. I've completely replaced the Microsoft default ACL structure with my own which is much simpler and more effective. It took me some time and effort to learn Windows ACLs and I use the knowledge to tighten up all versions of Windows. I've found that it is actually harder to bypass my ACL settings in Xp than in later versions of Windows. There is no UAC in Xp. In later versions of Windows, when permission is denied, a UAC prompt comes up asking for the administrator password. In Xp, there is just an error message and no opportunity to elevate privilege without fully logging onto the administrator account.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    In win 7 yes there are only optional and important. But under there are updates and security updates. And some of the get you ready for win stuff has been moved into important updates, just not security.

    Rico it's easy. Just hide anything that isn't listed as a security update. Then for those, click on more information, and just make sure there's nothing about preparing for an operating system upgrade. I haven't found any of those in security updates yet.
     
  6. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    I find it easiest to install every available update, with a few occasional exceptions such as when Windows Update offers to install Silverlight or Microsoft Security Essentials, as I don't use either of these.

    However, it's not just that it's easier to install every update rather than doing some research and then picking and choosing which ones to install. It's also because I see no good reason not to install every update. While I do think it's good practice to install security updates when Microsoft releases them, I would not feel too insecure if my computers were not updated.
     
  7. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    The problem about the research is that not everyone wants to do that; now we got changelogs (on Win 10 KBs) which is nice but how many people are reading this? I mean each time!?

    On one hand I understand that MS wants to force users to use the new OS, on the other hand I understand people who find this annoying, I mean the KB which wants to download the ISO and offers GWX stuff. But to not install it and watch every patch day again and again whether there are new updates that may also contain this is pretty annoying; as a workaround just install it to make MS 'happy', then just block or rename the executables and Windows still thinks you're good to go. The benefit is that you can simply install all KBs now; if something changed and you see it again just rename it again and everything is fine. Even if it's present on your HDD it does not bother you if you just rename the executable(s). So a win-win situation because you do not get the warnings and Windows is happy because you installed it. :p
     
  8. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Well, I already installed Windows 7 Premium on a Pentium 4 with 512 MB of RAM, but that was 6 years ago. It did run fine, with the exception of a frequent high memory usage, which slowed things down. But I think 2 GB is enough for Windows 7, it uses around 1 GB of RAM after installation.

    Were the drivers installed?

    Would you be interested in teaching us? It doesn't have to be the complete process, if you're concerned with someone else reading and exploiting your "scheme"; but having a notion of what to do would be nice :)

    Thanks, I'll check it out today. I'm doing a test install of Windows 7. I just hope it doesn't take me 6 hours just to find the updates.

    I feel exactly the same way. My only reason not to update Windows completely would be time, which I'm running out of. I'm already without work for almost a week because I'm changing my OS, testing new Linux distros and whatnot. If I go to Windows I expect everything to work: from updates to drivers to, well, everything, which is harder than most would think. There was a point in Windows where if something went wrong, I'd have to wipe my drive before re-installing the system, and then expect that Kaspersky updates would work; then the NVIDIA installer (which could ruin my OS); then the Windows updates (if the electrical power went down while installing updates, I'd have to start all over, from zeroing my drive).

    So I'm actually kinda scared of going back to Windows :p

    But after that, it's all fine and dandy. Most people would think I hate Windows; I don't, I actually love it. In fact, if I get a chance to know how to tune the privacy settings down, I might even go to Windows 10.

    There's actually a much easier way: there's a thread here on Wilders called "List of Windows 7 Telemetry updates to avoid". It's literally like 10 updates, you just search for them and hide them on Windows; after that you can install all updates and you won't get the Windows 10 thing.
     
  9. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I research every 'important' update and wait at least a fortnight (often longer) before finally installing them. Everything else is hidden.
     
  10. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Is this because they can break the OS? If so, does Microsoft actually repair the broken updates in a 14-day period, or is this practice to see if anyone else got their OS broken by the updates?
     
  11. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    @MisterB Don't forget that you can get a Service Pack 4 for XP. As with anything related to Windows, I don't know if this is Legal; if it is, all you have to do is change the device type (on regedit) to embedded, this will make you get security updates until 2019.
     
  12. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,167
    hi
    but is there a test about a Windows 7 or 8 machine without any updates connected online for months?
    once I read about a test, a machine with W7 internet connected for 1 year without any issue
     
  13. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I'm convinced the vast majority of MS updates aren't that important.
     
  14. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    I was the creator of such a list a long time before it existed on Wilders and other forums; it's not easier, and this is the reason I did not mention it over here, because the user has the effort of updating the list because in most scripts there is no automatic update included.

    The problem is also that such a list is outdated very fast because of lack of interest.

    This thread is about the security aspect, so recommending or suggesting not to update is simply nonsense, there is a reason as I said even if you don't get it that doesn't mean it fixes not stuff that isn't important.

    It's not illegal but you must trust the community because such external 'service packs' are maintained by someone who mostly does not use this OS anymore and you don't know if this isn't infected; drive-by can work exactly like this.

    There is nothing to teach because this does not change the fact that an exploit still could work, no matter what you set. I already explained that very well. Same as installing an AV on a vulnerable OS, it makes less sense since an attacker could use a method to bypass the OS and then the game is wide open to do whatever he/she wants.

    Because Win 10 was well optimized; the boot process was rewritten since Win 8, and other improvements, which isn't much tweakable with other 'tweak' tools. The drivers are also more hardened because it's a bit more complicated to bypass the checks (if you're on the latest patched system).
     
  15. Aura

    Aura Registered Member

    Joined:
    Mar 19, 2015
    Posts:
    107
    Location:
    -
    Security Updates related to fixing vulnerabilities in Windows and/or Microsoft software are important. Updates that are related to upgrading/updating components of Windows or Microsoft software are also important, since updates/upgrades also include new security.
    All the other ones aren't, in the sense that if you don't install them, your system isn't at risk and/or isn't behind. Driver updates from Windows Update are to be avoided in my opinion. Only use them as a last resort if you cannot find drivers for them (up to date) on your computer/laptop manufacturer's website, or that hardware manufacturer's website.
     
  16. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    any security setting or program is absolutely useless as the code behind is vulnerable and attackable, even with acl or lua. simple buffer underrun and bang. any other standing is simple as stupid.
     
  17. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Not true at all, quite often, the first step is reached but there is nowhere for the exploit process to go afterwards. The vulnerable part of the code is just one small part of the system and if it is blocked elsewhere, it fizzles, or maybe just causes a crash but does no serious damage.
     
  18. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    You simply can't block something if it exploits some elements like a security mechanism. If it contains a payload which loads additional stuff the OS can't handle or know about then you seriously get security troubles, because this starts even after a crash or after the OS boots. Some elements of the OS are also unprotectable even with AV installed, such as low-level ground like firmware, because you simply do not have any access to it, so tell me how you restrict this?! For example just plug in a USB with infected malware which may load before the OS is finished or the AV is started by simply modifying the autostart order/boot, then all of your hardening stuff is useless. XP is for example a lot more attackable due to missing UAC and other mechanisms, so in fact the USB (badUSB) has a good chance to infect your system even with hardening.
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Do you still get Win 10 related stuff even when you uncheck the box for the updates marked as "Recommended"? I was under the impression that unchecking Recommended left all Win 10 stuff in the Optional category. Now I'm not sure, but my recent clean install with Recommended unchecked seems to end up good with that logic.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Some of the stuff originally in optional is now showing up in recommended. Problem is you need the recommended to get the security updates.
     
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Ok, so if you uncheck recommended, then you may miss some security updates. That I wasn't sure about. Thanks...
     
  22. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    As said, just install everything, and if something bothers you then rename the executable and everything is good. Or if you know what you're doing use Windows Update MiniTool and work with exclusions if you really want to avoid that KB.
     
  23. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    USB execution should be blocked in group policy. It also requires physical access to the machine. If your adversary has that the game is over and why bother with exploits. Your only defense in that scenario is encryption.

    This really has nothing to do with AVs or 3rd party software, it is about ACLs. I've been through this on other threads but here is a quick description: An exploit succeeds in step 1 and manages to get control of a section of memory and downloads a malicious file. The file is dumped in a location like a user download folder or temp folder where it expects to execute. In most systems, it either enters with admin rights or has at least user execute rights. If that is blocked, it can't get to step two. SRP can also be set to deny execution in these folders which adds another redundant layer if the ACL settings should fail. That is not likely as SRP is the weaker of the two mechanisms but I always set it up because it is still a good security layer. If there is UAC, the exploit might trigger a UAC prompt which a user could, out of ignorance or distraction, consent to. In Xp, there is no UAC and no possibility of this. UAC is a double edged sword and creates possibilities of privilege escalation that don't exist without it.

    This is not impregnable security. There really is no such thing. It will stop a lot of drive by exploits and malware looking for low hanging fruit. It might not hold up as well in a targeted attack but it will still give the attacker some trouble. There are always going to be exploitable vulnerabilities no matter how updated and patched a system is. Hardening a system this way deals with exploits in a broad way rather than patching specific vulnerabilities.
     
  24. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    You can't block USB/ports in every OS + the fact that in some environments you need to work with them. Encryption anyway can be bypassed via firmware exploits, I'm just saying, because they are passed right before the OS started and AFTER the encryption initialization. It also does not prevent the case where your encrypted drive is unlocked and then gets the infection.

    I already did say that your ACL stuff is not effective on a vulnerable OS because of local privilege escalation.

    Agreed that SRP is something to start with but this topic is about the necessity of security updates and it is definitely important because there is also some stuff which may compromise that; on Vista it was UACMe which could bypass this, and this couldn't be restricted because it can also work in memory, similar to injection.

    Yes, working with it maybe stops drive-by or most of them but you're entirely off topic now because we already said that the attack surface is much lower on a patched system than on an unpatched system. Especially if you really work with it, it sounds like your environment is nothing you can work with in the real world because of all of these restrictions, and they usually only make sense if you're a home user.

    You can harden what you want; if it's exploitable or easier then the risk is much higher, and this is usually on an outdated OS or one known as weak, because the malware or attackers do not code something if they know that this is already patched; they usually look whether it's unpatched or unknown and then they check against known protection mechanisms. You should also avoid hardening in some cases because it could lower the security level because of wrong configuration and and and, but this is another topic.

    As mentioned there is no negative effect of staying on a patched system but there are many more aspects why it's bad to stay on an outdated or unpatched OS. I do agree that maybe experts are not much affected by this, but it's more a matter of how much effort an attacker wants to spend to infect you, because you do not need to hack something if you can use e.g. social engineering, simply MITM his connection or use hardware-based attacks, like giving him compromised hardware, so then all of this may be obsolete.
     
  25. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    The basics are pretty simple. Groups are reduced to Administrators, System and Users. All other groups are removed from the ACL list. The users on the ACL list are the individual users in the "Users" folder or "Documents and Settings" in Xp. They have read/write permission in their home folders but not execute. The only places in the system partition that non administrators are allowed to execute software are the Windows and Program Files directories where they have no write access. The general principle is that read/write and execute permissions are mutually exclusive for non administrators. That is the broad outline. The devil, as always, is in the details. Windows permissions are overly complicated and not straightforward at all and often don't work as expected so everything needs to be tested. Read/write, for example, needs to have delete added in the advanced settings tab to be fully functional. Nothing like messing with Windows permissions for a while to make you appreciate the simplicity of chmod -R 644 in Linux. Doing the equivalent permission on a folder in Windows usually involves one trip to the advanced tab to remove inherited permissions, back to the basic tab to remove "read and execute" and add "write" and then another trip to the advanced tab to add "delete" and "delete subfolders and files" and then checking "replace permission entries on child object" to make the change recursive.

    In Xp, I use a whitelisting approach and replace all permissions from the top down in the system folder and then make exceptions. In later versions, I haven't gone that far with the system folder because the default permission structure is much more complicated and there are many more exceptions to be made but it is not impossible, just a lot of work. Later versions also have better and more secure default permissions in the system folder but there is still a lot of room for tightening, most notably in removing execute permissions from the user and temp folders and a few others favored by drive-by malware.
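
The rule described in posts 23 and 25 (for non-administrators, write and execute rights are never granted in the same folder) can be audited with a short script. This is an added example, not part of any post in the thread; the default roots, the depth limit and the function names are assumptions.

```powershell
# Added example, not from the thread. Lists folders where a non-administrator can
# create a file AND a new file there inherits execute rights.
# Assumptions: PowerShell 5+, NTFS. Deny entries are ignored and group membership
# is not resolved, so treat the output as candidates for manual review.
param(
    [string[]]$Roots = @($env:USERPROFILE, $env:TEMP),  # assumed scope
    [int]$Depth = 2                                     # assumed recursion limit
)

$Trusted = 'S-1-5-32-544', 'S-1-5-18'   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM

$ADD_FILE  = 0x2          # FILE_ADD_FILE (same bit as FILE_WRITE_DATA)
$EXECUTE   = 0x20         # FILE_EXECUTE
$GEN_ALL   = 0x10000000   # generic bits can appear in inherit-only entries
$GEN_EXEC  = 0x20000000
$GEN_WRITE = 0x40000000
$INHERIT_ONLY   = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$OBJECT_INHERIT = [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit

function Expand-GenericRights([int]$Mask) {
    # Map generic rights onto the two specific bits this audit cares about.
    if ($Mask -band ($GEN_ALL -bor $GEN_WRITE)) { $Mask = $Mask -bor $ADD_FILE }
    if ($Mask -band ($GEN_ALL -bor $GEN_EXEC))  { $Mask = $Mask -bor $EXECUTE }
    return $Mask
}

function Get-WriteExecFinding([string]$Path) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    try {
        $acl   = Get-Acl -LiteralPath $Path -ErrorAction Stop
        $rules = $acl.GetAccessRules($true, $true, $sidType)  # explicit + inherited
    } catch { return }                                        # unreadable ACL: skip
    $creators = @(); $executors = @()
    foreach ($r in $rules) {
        $who = $r.IdentityReference.Value
        if ($r.AccessControlType -ne 'Allow' -or $Trusted -contains $who) { continue }
        $mask        = Expand-GenericRights ([int]$r.FileSystemRights)
        $inheritOnly = ([int]$r.PropagationFlags -band $INHERIT_ONLY) -ne 0
        $toFiles     = ([int]$r.InheritanceFlags -band $OBJECT_INHERIT) -ne 0
        # Entry applies to the folder itself and allows creating files in it.
        if (-not $inheritOnly -and ($mask -band $ADD_FILE)) { $creators += $who }
        # Entry is copied onto new files and lets them be executed.
        if ($toFiles -and ($mask -band $EXECUTE)) { $executors += $who }
    }
    if ($creators -and $executors) {
        [pscustomobject]@{
            Path           = $Path
            CanCreateFiles = ($creators  | Sort-Object -Unique) -join ','
            ExecOnNewFiles = ($executors | Sort-Object -Unique) -join ','
        }
    }
}

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root -PathType Container)) { continue }
    Get-WriteExecFinding $root
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $Depth -Force `
        -ErrorAction SilentlyContinue | ForEach-Object { Get-WriteExecFinding $_.FullName }
}
$findings | Sort-Object Path -Unique
```

On a default Windows install the user profile and temp folders are normally listed; an empty result for those roots means new files there no longer inherit execute rights for non-administrators.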
     