Are Windows updates really that important?

Discussion in 'other software & services' started by Amanda, Feb 24, 2016.

  1. ArchiveX

    ArchiveX Registered Member

    I've always kept my Windows updated.
    Nothing less...;)
     
  2. pegas

    pegas Registered Member

    I'm glad that there is someone else apart from me who doesn't discuss whether to update, update partly, wait a month before updating or not at all. I don't care what updates bring, improved security or performance or whatever else. I have always updated since my very first computer and I never had issues.
     
  3. Aura

    Aura Registered Member

    I'm the same as you, Archive and pegas. I always install every single Windows Update (except for the driver ones), and I never had a single issue. Even when I was running Kaspersky Internet Security, and Microsoft released an update that apparently caused computers running Kaspersky products to go into a BSOD loop because of it, it never happened to me.
     
  4. Amanda

    Amanda Registered Member

    Thank you very much! :D

    I never had update issues on Windows as well, but it's nice to see other people's perspective on this :)
     
  5. Amanda

    Amanda Registered Member

    It's actually not maintained externally, but by Microsoft themselves. After changing the OS type to "embedded" the user will get security updates until 2019.
     
  6. J_L

    J_L Registered Member

    I like to keep up-to-date, as you can see from my signature, unless there are known problems with those updates.

    It's better for the Internet as a whole if everyone keeps up-to-date. Of course some can be relatively secure without updates; those are exceptions that tend to have users who know how to exercise control over the system.

    I do find that modern OSes are becoming more and more self-reliant, which can result in loss of control for the system admin. But it hasn't gone off the deep end yet, and the updates are usually improvements overall.

    I personally find patching to be an effective and easy solution for most users that will cause the least issues for the Average Joe. Also they can prevent exploits, which are the only threat to a security-competent user these days.

    How reducing the attack surface compares to patching I wouldn't know. But I don't think they are necessarily mutually exclusive.
     
  7. AutoCascade

    AutoCascade Registered Member

    Windows updates mostly consist of security updates, so imo it's very important to keep it updated, though setting it up so you don't accept updates for a week, which allows you to see if there were problems, is preferred. What's the thread here, 'bork tuesday'? There are good reasons to schedule them a week late.
     
  8. CHEFKOCH

    CHEFKOCH Registered Member

    That doesn't change the argument that there are holes which are not getting fixed because it requires an entire re-write. If you ever coded something yourself then you know what I'm talking about: sometimes it's easier to re-write something than to try to fix something, which then only creates new holes because it's insecure by design. I already gave an example, Kerberos: this is only fixed with Win 10, and even if there is support in 8, this does not mean it is getting the same fixes to possibly close the holes. The problem is simply compatibility, and this is what hackers can use.

    Whitelisting the entire OS and not updating is the worst strategy I ever heard here. This is not an option if you really need to 'work' with your system, because such a strategy requires a lot of time and work, especially if you install new software. Then you can simply better use HIPS directly.

    As said, every security expert recommends it, and to say that there is something you could avoid or do is some other topic, because you do this but that doesn't mean it's good or recommended. As mentioned, my Windows 3.11 system works too, but that doesn't mean that it's a good suggestion to use it. Same with a new OS: you simply must use it whether you want to or not. New CPU features are only included and supported by the latest OS and other stuff like that; especially for new users with such hardware this is simply a must. And I don't want to hear the argument that you can use XP and update it to DirectX 12 too; such arguments come from people that have not coded anything in their life. At some time you have to say goodbye and use newer software/OS; this is how the Web 3.0 works.

    If there is a hole in a security mechanism within Windows, then you reduce it by simply patching the system, because this is then fixed and an attacker simply can't use it and needs other ways to attack you. The first thing a hacker does is to look at which software/OS you use and look for existing vulnerabilities, and not create something on his own if he doesn't know if it works; they usually test this in a VM to see how the OS reacts, to check against. The attack level is lower because this then does not need to be fixed by 'other tools', which people recommend over and over in this entire forum.
     
  9. MisterB

    MisterB Registered Member

    They certainly are not. It is best to use a layered security approach. Patching eliminates known vulnerabilities. Locking the system down works against unknown and unpatched vulnerabilities. I wouldn't rely on any one security approach, it is always best to combine and layer them.

    I don't think you understand what I'm doing. I'm describing a whitelisting approach to ACLs which prevents any code from running that wasn't installed by the system admin. Whitelisting is generally regarded as the best approach to security, whether it is in firewall rules, ACLs, SRP, AppLocker, JavaScript blocking rules or any rule set applied to security. It is always best not to trust and have a closed system and then whitelist exceptions than to have an open system and blacklist known bad actors. The problem with a blacklisting approach is that it is very easy to bypass and there are always new bad actors that won't be on the list yet. If the rule set blocks any new and untrusted connection, software or script, the fact that they are new and unknown won't matter.
     
  10. CHEFKOCH

    CHEFKOCH Registered Member

    You are talking about different things. ACL is not ACE/DACL, and SRP/AppLocker via GUI is not present in most Windows versions, so you have to differentiate. The fact that there is malware that bypasses this by simply encrypting your files, which aren't in any ACL list, makes your entire security aspect useless, because several malware do not want to change system-related files, just lock your private data or submit it to an external server, so ACL won't help here at all. Especially since someone like a beginner cannot monitor every file behavior manually; as said, it would take a long time to handle all this. That's why I'm saying it's better to use a HIPS in this case.

    There is also a difference between filesystem ACLs and network-based ACLs, but you mix everything up without giving an example, if there is a possible vulnerability related to this, of how this could protect e.g. against known attacks like MITM, hardware attacks, social engineering, problems in implementation, and more. I also want to know how ACL helps if older OSes are weak to BEAST attacks. So please, if you want to talk about this and recommend not updating, you should give examples, and you simply can't, because there are attacks which are only fixable by updating the system/OS.

    I give up now. Better do some research first: just google 'bypass acl' and you will find 100+ examples, based on both network and file system.

    You have to update all systems ASAP, it's widely known. If you think we are all wrong, give specific details, or the entire discussion goes off-topic very fast.
     
  11. Amanda

    Amanda Registered Member

    That wasn't the argument when I talked about Windows XP. I just said to him that it's possible to get security updates to XP until 2019. Will they fix every hole in XP? No, but that's not the point, given the fact that MisterB does a very good job at securing his XP.
     
  12. CHEFKOCH

    CHEFKOCH Registered Member

    If you think so .... :D
     
  13. wat0114

    wat0114 Registered Member

  14. Amanda

    Amanda Registered Member

    :thumb: Been looking for that link. I guess it's time for me to change my search engine hehehe.
     
  15. CHEFKOCH

    CHEFKOCH Registered Member

    Your link is an unofficial link not provided by MS, and wrong. Extended support ended 12. Jan 2016 and not 2019. XP is, as mentioned in my link, not supported anymore. And we are not talking about the Embedded Standard 2009 or Embedded POSReady 2009 version.
     
  16. Amanda

    Amanda Registered Member

    No, you are wrong.

    It doesn't matter if the link is provided by MS or not; the information is true and has been proven to work. Editing that registry key will make Windows XP receive security updates until 2019, or until MS decides not to provide them anymore.
     
  17. CHEFKOCH

    CHEFKOCH Registered Member

  18. Amanda

    Amanda Registered Member

  19. CHEFKOCH

    CHEFKOCH Registered Member

    Because every user installs PosReady and Embedded 2009 edition ... makes sense. Excuse me, I'm out, it makes no sense; if you talk like that, why not install Windows 3.11 ... still works....

    Re-posting the same link makes your wrong statement not valid....

    Official recommendation from MS.
     
    Last edited: Feb 26, 2016
  20. Amanda

    Amanda Registered Member

    It does make sense. Just look at the registry key:

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
    "Installed"=dword:00000001
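
For inventory purposes, the value posted above can be looked for in registry exports. The following is an added example, not part of the original thread or any poster's code: a Python check over decoded `.reg` export text that reports hosts where this value ends up set. The function names, host names and sample exports are constructed for illustration.

```python
import re

# Key and value name as posted in the thread; registry paths are case-insensitive.
K = r"HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady"
TARGET_KEY = K.lower()
TARGET_VALUE = "installed"
SECTION = re.compile(r"^\[(-?)(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')
DELETE = re.compile(r'^"([^"]+)"=-$')

def posready_flag_set(reg_text):
    """True if the .reg text ends with PosReady 'Installed' as a nonzero DWORD."""
    current, flagged = None, False
    for raw in reg_text.splitlines():
        line = raw.replace("\u200b", "").strip()  # drop pasted zero-width spaces
        if not line or line.startswith(";"):
            continue
        m = SECTION.match(line)
        if m:
            deleted, key = m.group(1) == "-", m.group(2).lower()
            current = None if deleted else key
            # "[-KEY]" removes KEY and every subkey below it.
            if deleted and (TARGET_KEY + "\\").startswith(key + "\\"):
                flagged = False
            continue
        if current != TARGET_KEY:
            continue
        m = DWORD.match(line)
        if m and m.group(1).lower() == TARGET_VALUE:
            flagged = int(m.group(2), 16) != 0
        m = DELETE.match(line)  # '"Name"=-' deletes a single value
        if m and m.group(1).lower() == TARGET_VALUE:
            flagged = False
    return flagged

def audit(exports):
    """exports maps host name -> decoded .reg text; returns hosts with the tweak."""
    return sorted(h for h, text in exports.items() if posready_flag_set(text))

# Constructed sample exports (host names are made up for this example).
HEADER = "Windows Registry Editor Version 5.00\n\n"
SAMPLES = {
    "xp-lab-01": f'{HEADER}[{K}]\n"Installed"=dword:00000001\n',
    "xp-lab-02": f'{HEADER}[{K}]\n"Installed"=dword:00000000\n',
    "xp-lab-03": f'{HEADER}[{K.lower()}]\n"installed"=dword:00000001\n',
    "xp-lab-04": f'{HEADER}[{K}]\n"Installed"=dword:00000001\n[-{K}]\n',
}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Exports written by regedit are usually UTF-16; decode them to text before passing them to `audit`.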
     
  21. Amanda

    Amanda Registered Member

    So you refuse to recognize evidence and logic, and only provide links tied to a company that is clearly forcing the masses to switch to their new baby, despite the fact that they DO still provide updates to XP embedded. That's OK, you can believe whatever you want :) We know that registry tweak makes security updates available to XP, regardless of your beliefs.
     
  22. CHEFKOCH

    CHEFKOCH Registered Member

    • Your hack is unofficial and not supported
    • Your hack only works on x86 and not x64 (because this requires .inf modification)
    • XP (official) is no longer supported and we do not need to talk about it
    • What you are saying here is pretty dangerous because of the already given explanation + the fact that it's a lot easier to upgrade than to use an outdated OS and keep it 'secure' via workarounds which could be bypassed
    • If you believe you secure something which can't be patched with 'security' patches, as said Kerberos (only one example), you're naive ...
    Good luck. Now I know why people are still getting infected ... because of such ^^
     
  23. Amanda

    Amanda Registered Member

    Not true. It's a Windows thing and it IS supported by MS;
    Not true again. Just read the link that has been provided.
    Not for someone who knows about ACLs.
    I never said anything about being secure, that wasn't my argument to begin with. I only pointed out it's possible.
    In fact, looking at your posts I see you do that a lot: You distort what people say, you add in things which are not part of the conversation, and you always think you're right, even though you're not sometimes (like in this case). And on top of that, I see a lot of stubbornness. And although I do like your posts because they add a lot to the topics, I think it would be nice if we laid off the gas a little on how strongly we state our opinions :)
     
    Last edited: Feb 26, 2016
  24. CHEFKOCH

    CHEFKOCH Registered Member

    Nope, MS officially said it's not supported anymore; EOL for normal XP was 2016. The Embedded version is not installed by normal users. So it's correct.

    Test it yourself instead of reading; it does not work on x64 because that needs .inf modifications. Try it yourself and you will see, because x64 wasn't available in the first place as an x64 version, so there was no reg for this. So tell me how this works if there was no reg for POS?

    .. can be bypassed, as shown many times. Just google for 10 seconds yourself.

    It's officially not possible because these are unofficial 'hacks', and no, they are not supported; if it were supported then why does MS say it's EOL in 2016? Check the facts. Just because POS/Emb. are getting 'security' updates does not mean the OS is secure compared to other systems. And I doubt that this changes the things I mentioned + that such updates are designed for the traditional XP; if it works then okay, but it can add conflicts.

    I did not say I'm always right or think that, but what I'm reading here is something I can't believe, and I'm not wondering why malware is widely present if people are not updating; in the latest OS you simply do not need much because it gets mostly all the missing parts by default.

    Opinions are opinions, but this topic is about the necessity of security updates and not about XP/outdated OS. Working with ACLs and such is okay, but that's another topic; you should use security updates and this is indisputable, especially because there are no reasons not to do this but 100 million to do it.

    I normally would not have answered this, but you quoted me and I do not let wrong statements stand.
     
  25. Amanda

    Amanda Registered Member

    Exactly. We change the normal XP to the Embedded type, which receives updates until 2019. You still haven't figured that out?

    Have you tested? I can't test because I don't have an XP installation CD.

    I see you don't read what we post. No wonder you keep saying it's not possible.

    The link provided says that users of XP 64-bit CAN get the updates as well. The link points to a site, and this site has the source code for a .inf file that makes the switch from normal to Embedded possible on x64 XP's:

    "But i found a workaround by applying a modify update.inf"

    Again, you should really consider reading what is posted instead of being stubborn.

    Yeah yeah, whatever. Sorry, I had to stop reading there.
    Everything has a limit, right :thumb:
     