Why should (or shouldn't) you update your Operating System?

We've all seen these questions:

"Why should I update my OS?"
"Why should I use a supported OS? What happens when support is dropped?"

I came up with general security reasons rather quickly- vulnerabilities and errors are discovered in an operating system, and patches are created to fix them. As I thought about it I realized that beyond this, I'm not really certain exactly what updates will do and won't do for an operating system. Can anyone point me to some resources to explain the details? Or can you speak to specific, non-security-related hardware & software errors that updates would fix?

Of course some updates cause some incompatibility issues. Do you just remove the offending updates or do you stop updating totally?

The counter-point: Wilders is populated by a few folks that run unsupported operating systems. I believe those folks use third party sources (or compile their own) to continue unofficial support for themselves. But I don't think anyone here just runs officially unsupported Windows 2000 without doing something to it.

My goal is to more fully understand how updates affect security, performance, and the life of any operating system.

 

Reasons to update: any of the million vulnerabilities that get patched/ removed
Reasons not to: fight the system? idk

The only reason for not upgrading that I feel is credible would be not wanting to shell out cash for the latest.

Well, in terms of security it can be fairly huge. Moving from XP to Vista/7 brings you ASLR and that alone is a massive step up. There are a dozen other security features that I won't bother mentioning because they're all pretty much out there and have been discussed.

Performance features such as gpu accelerated UI or prefetching or a new kernel to take advantage of the latest hardware/ bring improvements to older hardware.

There is no "updates do X" it's "this specific update adds this feature and it does X" or "this specific update patches this hoel and and it does X." Each new OS brings new updates with new features.

 

I always run a current OS with the latest security updates. As an IT worker it is pretty much mandatory to make sure they company machines are updated. If you fail to do so and something goes wrong, it will be your fault for failing to prevent it. If I were to run something unsupported I would do so as a virtual machine, where changes are easily undone provided you have created the appropriate checkpoints. I can't see any reason not to stay updated, though I know there are some diehard fans of XP SP2 out there. I am not one of them.

 

Thanks guys.

@ Hungry Man- I agree about moving from XP to vista/7, however that's upgrading not updating. I want to focus on updating what you've got. Although come to think of it, maybe we can't ignore the fact that eventually you're accepting certain security flaws unless you upgrade.

@Jack- yes, I have always known that applying security updates is best practice, but I'm interested here in the WHY. What happens when you don't apply the recommended updates? (I think I understand what happens when you don't apply the important/security updates.)

I found the following resource, and it seems to contain a pretty thorough explanation of security updates.
http://technet.microsoft.com/en-us/library/cc751383.aspx

Can you expand on that?

 

.
Can I assume that you mean the usable or productive life of any operating system, as opposed to its supported life?

Can we discuss a question like this without the thread becoming a carbon copy of so many others, another rehashing of all the "advantages" of the newer systems and the theoretical "you're so vulnerable because your system doesn't have XYZ" or some other security enhancement? There has to be at least a dozen of those threads already.

 

What happens when you don't apply RECOMMENDED updates? Probably nothing. In a case or "recommended" you would need to review what an individual update if for and weight whether or not you feel you would benefit from installing it. I can't give you a compelling reason to install it or not. I usually do as I have never had any problems with them.

 

Probably not so I'm not too invested in participation as we've all seen those topics and while they were fun and informative I think their use has died out entirely.

edit: And to simplify - everything quoted pretty much sums up my opinions on the mater. XYZ are vital to security, those advantages are vast.

What's the difference? Upgrades are just packaged updates. Would you call a service pack an upgrade or update? Because XP's service pack brought a firewall and DEP.

Prefetching was brought to Windows in an upgrade - XP to 7. GPU accelerated UI is in 8. There have been performance benefits for multicore and single core devices in each os upgrade/ update.

 

I meant both.
As for the fate of this thread, I tend to be overly-optimistic about pretty much everything. Can't imagine why this would be an exception. I know there are seriously strong opinions on the subject (on both sides). I guess what I'm looking for are facts to back up those opinions. I want to point to evidence on either side to say "here are the advantages & disadvantages of running a supported OS, here are the advantages & disadvantages of updating it. Ideally I would love to produce a list of those so that a non-geek could look at the list, weigh the risks & benefits, and make a more informed choice moving forward.

I'm actually open to any practice so long as I can read some primary sources to better understand each practice.

 

Oh, and can you link me to some of those other threads on the topic please?

 

Hi Brandi,

A good resource is the monthly Black Tuesday Update produced by the Internet Storm Center. It gives a brief description of each update, and direct links to the Microsoft Security Bulletin; the Microsoft Support KB article; and the CVE Advisory for more details.

This lets you see which types of systems are affected (server, workstation), and in some cases, specific applications (MS Office, Internet Explorer).

Here is the one for April:

Microsoft April 2012 Black Tuesday Update - Overview
http://isc.sans.edu/diary.html?date=2012-04-10

regards,

-rich

 

On the Microsoft Update Website,
every update is Identified with an Knowledge Base Identification Number starting with (KB) followed by an number.

For example using the latest High Priority Update: Security Update for Windows XP (KB2653956)
KB2653956 is the unique Inentification Number for that update.

There are two avenues to reap all the detailed information about Microsoft Updates:

01] While on the Microsoft Update Website, click on the (+) symbol next to each avaliable update and at the bottom
of the brief description for that update, is an hyperlink labled: Details

Clicking on Details opens an New Window. There one will find more details about the Update, also there are more
hyperlinks leading to all the explicit details about the Update in question.

02] Navigate the Web Browser to: http://support.microsoft.com/
In the Search Box enter the Knowledge Base Identification Number and press Enter.
In our example we would be searching for: KB2653956

The Detailed information provided by the Microsoft Knowledge Base Articles list incompatibility issues and provide
remediations in most cases.

In regards to how updates affect security: any effective update to security improves security.

In regards to how updates affect performance: updates are just that, updates, or refinements. Performance improves.

In regards to how updates affect the life of any operating system: support for an operating system may cease, but
the life of the operating system is in the framework of the computer the operating system is installed on. As long
as the components of the computer are working the operating system will LIVE, however, the moment will arrive when
that particular computer will not be able to calculate "Time" in relation to the current format of "Time" for that
period of existance, and the operating system will DIE. One could back date the computers "Time" to the last working
Leap Year, but why resurect the dead.

I agree, Upgrades are just packaged updates.


HKEY1952

 

Not bad questions IMO.

It really depends on the OS, the way it's used and the user.

Updates can break things, introduce new vulnerabilities (poor quality of updates, updates can be reverse engineered, addition of new software like .NET in WIN 7 (technically an upgrade)), conflicts with security software are possible, they may be of little use on static systems, ? Not all updates are equal.

Supported OS ? I wouldn't mind using an unsupported version of Windows as long as it is reasonably safe and not used for critical activities.

Until recently I stuck with SP2 for my Windows OS. I never got infected.
I only added SP3 when a certain security program required it.

Using half a brain, caution and a good imaging setup will go a long way.

Not updating is not for newbies though.

Good questions IMO. I wouldn't mind some answers. Unfortunately I have no sources.

 

Thanks for all the responses. I was really hoping to produce a bullet list of benefits to updating and of potential downfalls to updating. But I'm starting to suspect that updating is just like every other security measure for it to be truly effective- it requires a deep knowledge of the specifics. I think you're right, HKEY & Rmus, that I really need to look at each patch and assess it to determine the benefits I would receive.

 

I'm actually prepared to say at this point that you can run a non-supported OS if you:

1. really understand its vulnerabilities,
2. can use other security methods to confine them effectively,
3. or use some other channel for getting patches.

I don't see myself being able to do this as I lack the extensive knowledge necessary to do it. It's not something a casual computer user could really do, either. I haven't seen a compelling reason why an extremely knowledgeable user shouldn't do it.

 

Rule 1 (well not really) is that your attacker knows your system better than you do.

If you don't patch and you're under a direct attack your attacker will love you. All of those kernel and program vulnerabilites that already have built exploit codes are at their disposal, no need to work with only the latest that's out there/ whip up a zero day.

If you're not actually interested in being secure in terms of defense-in-depth (actual security) but are instead only interested in dealing with the latest automated threat it isn't difficult. Patching is one method, or you can simply use 3rd party programs. Is it poor security in terms of an academic approach? Yeah, it is. But if all you're after is being better than the guy with no AV/ security programs and a Java 5.0 and Windows XP SP1 it isn't difficult.

 

Rule 2 (really) is to always install the 'Critical Updates' from the Microsoft Update Website.

I have never had adverse aftermath doig so.


HKEY1952

 

1.) Pirated copy of Windows
2.) Laziness? LOL

 

https://www.wilderssecurity.com/showthread.php?t=276783

 

More threads on the subject.
Ten years later, Windows XP still dominates the Web
Things you hate about Windows

Reasons for not "upgrading" in addition to those listed in the above threads.

1. I have better things to do with my income than replacing things that aren't broken and serve my needs just fine.
2. A new OS usually requires new hardware. The previous hardware works fine.
3. Every time they release a new OS, the same rhetoric comes out. "This OS is secure. Yours is vulnerable, obsolete, (insert derogatory term of your choice here). XP was so superior to 98 that they had to create patch day for it. It also made botnet a household word. I have no reason to believe their claims that the next OS will be any different. Each new OS appears to be secure at first but gets hacked to death in the end.
4. I have no use for a company that demands that I prove repeatedly that I didn't steal their product. Would you tolerate it if a repair shop or parts store required you to prove you owned a car before they'd service it or sell you parts? Why is it acceptable here?

 

I think this thread is about updating (or not) any Operating System (patches, service packs, etc), and not about upgrading (or not) to a new Microsoft OS.

BTW, some of your reasons for not "upgrading" are full of logical errors and fallacies, but I won't take the trouble in correcting them.

 

Thanks for the links.

I will second your comment about "This new OS is secure." None of them are bullet proof, they will always have security holes. A brand-spanking new OS will have flaws. When you upgrade you're trading one set of vulnerabilities for another. To truly understand whether those new vulnerabilities are better than the old ones requires a risk assessment for each use case.

I also agree with the idea "don't fix it if it ain't broke." If you know how to mitigate the existing vulnerabilities in the old system, then why not keep running it if it works?

And BTW, you're a die-hard open source fanboy but you just haven't realized it yet

 

lol
Most of the software I use is Open Source, as are several of the upgrades. Slowly getting used to linux too. Like anything else, it's another tradeoff and another set of problems.

 

The same principle that applies when you're being chased by a bear: you don't have to outrun the bear, you just have to outrun your friend.

I'm more interested in the academic approach. Ultimately I'd like to know how to secure an enterprise system, and the only way to do that is to assess each update. Do enterprises really do that? It seems unlikely that companies would pay for the expertise and time to really evaluate each update unless they were mandated to do so by law. Maybe small companies use the approach of install all updates & if one breaks it just roll back. Does anyone know?

 

"Thorough back program" being Online Armor, Sandboxie, Appguard, image and backup?