
Auto-Updates - Proactive or Begging for Abuse?

Cliff posted more than 10 years ago | from the a-sword-with-many-edges dept.

Security 35

narzy asks: "To me one of the most important steps to keeping a computer secure is keeping the system's software up to date. The problem I run into is that more and more of the applications in everyday use are web enabled in some context or another, making them high targets for attack and exploitation. I am beginning to find it difficult to keep clients' computers completely up to date. I find that applications that have an auto update, such as my anti-virus Nod32 which updates every day on its own, are a real blessing. It's a feature that is an option, but an option that I personally wish was in a lot more software. Windows has this feature (so does Linux if you want it to); however, in the case of Windows it's not exactly all that consistent. Unfortunately it opens another can of worms that isn't so enjoyable that being companies who abuse such a system for advertising purposes, modifying the software in such a way to reduce or change its functionality either because of internal decisions or external pressures from 3rd parties, compromise and abuse of the server the company uses to distribute the updates. But is it worth the added risk to know that 95%+ of the time your software is up to date? It's not a cure-all, but is it or is it not better than a reactive approach?"


It's all about how lazy you are... (3, Interesting)

ivan256 (17499) | more than 10 years ago | (#9690738)

A changing system never runs; A running system never changes.

Ideally, this means you would take the time to understand every update to your system, and install only those that were critical in order to maximize stability. Automatic updates are the other extreme and, if you ask me, never a good idea.

If you are responsible for numerous machines, perhaps automated updates are right for you, but you should maintain control. Learn about the update, and personally send out the updates you deem important and know to be compatible to your clients' machines. Letting a bunch of individual entities with no knowledge of each other all have free rein over a machine is never a good idea, no matter how well intentioned all the parties involved may be.

Re:It's all about how lazy you are... (3, Interesting)

BigBir3d (454486) | more than 10 years ago | (#9690875)

Flip side of that coin is how long do you have to wait before you can properly vet an update to make sure it works 100% for all hardware and software variants? How far behind do you fall? How insecure do you become? This is of course assuming your client machines are full fledged desktops running the OS of choice - Windows XP.

For general software updates I tend to agree with you. If it ain't broke...

Re:It's all about how lazy you are... - so wait (1)

SpaceLifeForm (228190) | more than 10 years ago | (#9690916)

If you wait one month, the fixes to the fixes will be out.

Re:It's all about how lazy you are... - so wait (2, Funny)

AKnightCowboy (608632) | more than 10 years ago | (#9691624)

If you wait one month, the fixes to the fixes will be out.

And if you're lucky the hackers will have patched the bug for you by then so that other hackers don't get access to their new zombie host and mess around. Hackers, auto-updating UNIX systems for admins since 1969.

Re:It's all about how lazy you are... (2, Insightful)

yotaku (26455) | more than 10 years ago | (#9691095)

That's all very great sounding. But unfortunately sometimes it's not that easy to find out exactly what an update does. Take this from Apple's website on a security update:

Security Update 2004-05-03 for Mac OS X 10.3.3 "Panther" and Mac OS X 10.3.3 Server AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue.

Improved the handling of long passwords huh? Doesn't sound that big of a deal, I don't have a terribly long password. Maybe I'll skip it. Oh what? I just left a buffer overflow remotely exploitable bug unpatched! Sometimes it's not all that easy to find out exactly what a patch does. And companies try too hard to sound like they have no real issues, sometimes making important updates not sound as important as they really are.

It's easy to see how come everyone thinks Mac OSX is so secure if this is how serious security issues are presented.

Re:It's all about how lazy you are... (1)

andreMA (643885) | more than 10 years ago | (#9691241)

You neglect to mention that that's one of three items that update addresses, and updates are rolled into subsequent updates.

If I recall correctly, the particular issue you cite was a buffer overflow affecting a password field, using (vi-style keystrokes to paste excessive data) in the screensaver module -- inherently local.

Re:It's all about how lazy you are... (1)

yotaku (26455) | more than 10 years ago | (#9691914)

No there was another overflow problem that was in the screensaver module that as you say is inherently local. And incidentally it was described in almost exactly the same way for that patch. But no, this one is a remotely exploitable stack buffer overflow that allows an attacker to obtain administrative privileges and execute commands as root.

Re:It's all about how lazy you are... (1)

andreMA (643885) | more than 10 years ago | (#9696130)

I stand corrected; I wasn't sure it referred to the screensaver issue and I should have looked more deeply.

About the only upside to this one that I can see is that among home users it's unlikely to be an issue unless they have multiple Macs (since AFP is off by default)

Re:It's all about how lazy you are... (3, Insightful)

flonker (526111) | more than 10 years ago | (#9692055)

local root exploit + remote non-root exploit = remote root exploit

Not always, but often enough to count.

Beautifully put (1)

0x0d0a (568518) | more than 10 years ago | (#9692394)

And companies try too hard to sound like they have no real issues, sometimes making important updates not sound as important as they really are.

Very nicely put.

This is a terrible problem in the computer industry. Because most commercial software is sold as a "closed box" and software is complex and difficult for end users to analyze, software companies can get away with a phenomenal amount of misrepresentation and truth-bending.

This is a major thing that I like about open-source software. The folks in it tend to be reasonably honest. If everyone in the world can see the patch that was just checked in, there's no way you can get away with "Improves functioning of Web pages" for "eliminates remote exploit seizing control of your computer". Furthermore, because there are no marketers involved to work on misrepresenting the software to the user (and thus selling more copies), it's okay to be publicly critical about your own software. Bugs aren't "issues", they're *bugs* (God, I hate software companies that insist on calling their bugs "issues"). It's not an "issue", it's a bug. You screwed up; be honest and be trusted in the future. In the open source world, sometimes feature requests are considered "bugs" -- hey, it doesn't do desirable behavior, so the authors overlooked something.

If Microsoft had made Bugzilla, it would be dubbed "Microsoft Advanced Issue Tracker".

Re:Beautifully put (1)

caseydk (203763) | more than 10 years ago | (#9696556)

hey, it doesn't do desirable behavior, so the authors overlooked something.

It depends who's defining "desirable".

Like who in the world came up with the idea for a Javascript function in IE that allows a webpage to set the users' homepage!?

Was that a dumb one or what? Though, it allowed the exact behavior that Microsoft intended. Unfortunately, the malicious users used it for other things...

Of course it's worth it! (2, Informative)

XCorvis (517027) | more than 10 years ago | (#9690751)

As someone who has had to clean viruses off infected campus computers, I say that automated updates are 100% worth it, even if they do have problems once in a while. When Sasser ripped through, our help desk was swamped with calls from students. But not one single lab computer that had automatic updates set was affected. The benefits are obvious.

Re:Of course it's worth it! (1)

E_elven (600520) | more than 10 years ago | (#9694041)

The question is not of updates themselves (which the students clearly didn't bother with) but with automatic updates. It's not too hard for a sysadmin to check each morning for updates and then do (well, initiate) a system-wide update manually. Same effect, less risk.

You know what would be useful? A mandatory virus drill, like a fire drill or siren testing. Every new user would get a fake virus that would pretend to thrash the computer, only when the computer was rebooted (after the smoke effects), it'd be gone with just the text: "If this were for real, you wouldn't see this text."

And I mean made by the OEMs, not 1337h4XXX0Rrr32

I just use Autoupdate.. (4, Insightful)

NanoGator (522640) | more than 10 years ago | (#9690757)

...and keep in mind that shit happens.

I would also suggest, though, that you'll never ever have a secure reliable system. Your computer can always be stolen or struck by lightning. A hard drive can fail. Etc. If you take the approach of "My computer could spontaneously combust" and deal with it that way, then you're in a far better world. Even the worst virus wouldn't cause you to lose your data.

No Magic Bullet (1)

4of12 (97621) | more than 10 years ago | (#9690775)

I am beginning to find it difficult to keep clients' computers completely up to date.

Welcome to the club.

I don't think there's any way around this issue.

Vendor updates (whether paid-for subscriptions from Microsoft, Red Hat, or beneath the pond-scum from adware spyware companies) probably haven't been completely tested for your corporate environment.

You need to have a person or an organization committed to testing the latest updates in a lab environment before they are more widely deployed to check for the inevitable laws of unintended side effects.

I like to compromise (2, Informative)

Anonymous Coward | more than 10 years ago | (#9690808)

I sign up for automated notifications of updates, and then I review those and apply them when appropriate.

Re:I like to compromise (1)

PhaseBurn (44685) | more than 10 years ago | (#9691278)

I'd love to see something a bit more intelligent... recently we switched to running Services Update Server on our corporate LAN for our workstations (all of our servers are Gentoo Linux) and I rather like it (I have to admit). Here's what we do:

The Windows admin checks windowsupdate for updates twice a day, and approves what he wants, and those push to the client every night...

The servers (my responsibility) run an emerge sync every night, and then an emerge -Upv world (Gentoo's tool to upgrade the whole system, in pretend mode, so it doesn't actually MAKE changes, just says what it WOULD do), and then e-mail me the results... every morning when I get in, I review those results and apply the necessary patches manually...

What I'd love to see in commercial apps is this feature:

Automatic upgrades, that DISABLE THE PRODUCT if not used. Now, before you flame the crap out of me, I don't mean that all patches need to be APPLIED to use it... I simply mean have Windows refuse to get on-line if it hasn't been to windowsupdate in a week. The only way to get it on-line is to attempt to get to windowsupdate.

Make the end user consciously aware that the updates do in fact exist, and let them decide if they should be applied or not... but force them to at least check... It comes down to rights and responsibilities... You can argue that they have the right to run whatever they want on their computer, just like they have the right to speak their mind... And I mostly agree... however their rights can't interfere with others... for example, I may have the right of free speech, but I don't have the right of slander. I may have the right to run whatever I want, but I don't have the right to let somebody else compromise my system and DDoS somebody else into the ground...

Just my 2 cents...

Re:I like to compromise (1)

narrowhouse (1949) | more than 10 years ago | (#9691475)

I think a lot of companies would like to use a plan similar to yours, simply because if they get past the first hump of making you check for updates they are at least halfway there to getting you to INSTALL those updates. Unfortunately we have seen the way some of our less than reputable corporate citizens would abuse that. They know a lot of people won't read the descriptions, so removing a feature here, or adding DRM there would not even be noticed until the "upgrade" is done.

The real concern (3, Insightful)

greywar (640908) | more than 10 years ago | (#9690827)

The real concern I think is some guy finding a way to hack one of these. With an 8 hr waiting period...if it then simultaneously reformatted everything.

Imagine Windows Update hacked. I update daily; let's assume 100 million other folks worldwide do. Within 8 hrs 33 million computers are infected...and reformat themselves.

THAT'S my concern

Re:The real concern (4, Interesting)

Kaali (671607) | more than 10 years ago | (#9691531)

Doesn't Windowsupdate have any security checks on the validity of updates?

I use Gentoo Linux and it has quite nice security checks for checking that everything I'm installing through its package manager is what it is supposed to be. First I use a random rsync server to fetch "package-definitions" called ebuilds and with them MD5 hashes of the software files. What makes it secure is that we have random rsync servers and random mirrors for the files themselves. So in theory a cracker has to crack at least two servers (main rsync server and main file server where everything gets mirrored from) to infect a Gentoo Linux system. I don't really know all the details of the Gentoo Linux package manager and its security checks, but this is how it acts approximately, at least the last time I checked. Hmm.. of course there is a possibility that the original software server is already cracked when Gentoo Ebuild developers make their ebuilds & hashes.

Well, nothing is completely secure.

Re:The real concern (1)

cperciva (102828) | more than 10 years ago | (#9717151)

So in theory a cracker has to crack at least two servers...

Or at least one machine on the same network segment as you.

apt-secure, don't let packages upgrade themselves (5, Insightful)

ijones (83977) | more than 10 years ago | (#9690906)

"Apt-Secure" has a nice sense of "which package sources are trusted". That means, APT maintains a list of places to get packages from. Some of these sources are trusted, and their packages can be cryptographically verified to be truly from those sources.

If there's a new version of a package from an "untrusted" source, it'll ask you if you're sure you want to upgrade that package.

I think it's silly to have packages go and upgrade themselves, especially where each package has its own way to perform the upgrade, and you have to trust each vendor's security implementation (instead of a single central one). A bunch of packages running off and upgrading themselves, each with its own security model (if any) is a great way to open yourself up to a man-in-the-middle attack several times a day. The OS should handle this in a consistent, secure way that the administrator can understand.
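
The hash check Kaali describes above and the trusted-source check in this comment differ in what they authenticate. The following is an added example, not code from Gentoo, APT or any poster: it shows that a digest fetched over the same unauthenticated path as the file accepts a substituted file, while a manifest anchored through a separate trusted channel rejects it. The pinned manifest digest stands in for apt-secure's signature verification, SHA-256 replaces the MD5 mentioned in the thread, and all names and data are constructed.

```python
import hashlib
import hmac


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """One 'digest  name' line per file, sorted so the bytes are reproducible."""
    lines = [f"{sha256_hex(body)}  {name}" for name, body in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()


def parse_manifest(raw):
    entries = {}
    for line in raw.decode().splitlines():
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest
    return entries


def verify_download(name, payload, manifest_raw, pinned_manifest_digest=None):
    """Return (accepted, reason).

    Without a pinned digest this is the 'file matches the hash the mirror
    gave me' check. With one, the manifest itself must first match a value
    obtained out of band (the stand-in for a signature check).
    """
    if pinned_manifest_digest is not None:
        if not hmac.compare_digest(sha256_hex(manifest_raw), pinned_manifest_digest):
            return False, "manifest does not match pinned digest"
    try:
        entries = parse_manifest(manifest_raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return False, f"manifest unreadable: {exc}"
    expected = entries.get(name)
    if expected is None:
        return False, "file not listed in manifest"
    if not hmac.compare_digest(sha256_hex(payload), expected):
        return False, "payload digest mismatch"
    return True, "ok"


# Constructed sample data: a genuine release and what a tampered path serves.
NAME = "editor-1.2.tar.gz"
GENUINE = {NAME: b"constructed genuine release bytes"}
GENUINE_MANIFEST = build_manifest(GENUINE)
PINNED = sha256_hex(GENUINE_MANIFEST)  # assumed to arrive via a trusted channel

SUBSTITUTED = {NAME: b"constructed substituted bytes"}
SUBSTITUTED_MANIFEST = build_manifest(SUBSTITUTED)  # rewritten to match the file


def demo():
    return {
        "unpinned_genuine": verify_download(NAME, GENUINE[NAME], GENUINE_MANIFEST),
        # File and manifest replaced together: the hash check alone accepts it.
        "unpinned_substituted": verify_download(
            NAME, SUBSTITUTED[NAME], SUBSTITUTED_MANIFEST),
        "pinned_substituted": verify_download(
            NAME, SUBSTITUTED[NAME], SUBSTITUTED_MANIFEST, PINNED),
        # Only the file replaced: the genuine manifest catches it.
        "pinned_file_only": verify_download(
            NAME, SUBSTITUTED[NAME], GENUINE_MANIFEST, PINNED),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22} {outcome}")
```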



Auto Updates has another issue as well (2, Interesting)

airjrdn (681898) | more than 10 years ago | (#9690987)

I'm no longer on dial-up thank goodness, but if I were, it would be a pain to want to dial-up, check email and disconnect to leave in a hurry only to be interrupted by a 3M patch that had to complete before I could really utilize my blazing 46k connection.

My machines are on notify, but not auto-download & install. I'm on broadband and I've opted for this, I sure wouldn't want them forced on if I was on dial-up.

If I'm in the middle of an Unreal Tournament 2004 match, the last thing I want is a forced update on Notepad++ or whatever.

I'm not saying OP was indicating to force them, but this would be something to consider if you are considering forcing the updates.

autoupdates (1)

perlchild (582235) | more than 10 years ago | (#9691037)

The problem is one of trust. Windowsupdate seems like a clone of the old Oil Change, on a more limited basis. Oil Change would charge consumers a nominal fee for a whole bunch of updates, and they would enter into arrangements with software publishers on their behalf.
Microsoft took the same approach, minus the fees.

The only problem is that if software X does not update properly (with drivers being autoupdated, that could be something like incompatibility, mis-detected hardware, etc...), and you pay for updates, you hold the company who gets you the updates responsible. But if company X and company Y release incompatible updates, and the company selling you the updates gets caught in the middle, that's not good, both for consumer trust and fiduciary responsibility.

As a user I might accept paying for getting "tested" upgrades, but I know most people who don't use computers as work tools wouldn't understand the logic. Now with firewalls/antivirus/other security tools, getting updates to the consumer in a timely fashion is essential, so much that many such software would be well advised not to sell the software, but to sell the updates, as a service, provided consumers, who are normally allergic to such things, can be convinced to overcome their allergy.

Perhaps that's why there's no single update service, at least, in the consumer world. Updates have varying impact, depending on what's updated, computers have varied uses, and the value of keeping them updated varies with use, and because that value varies, few update services can address the perceived value properly, and yet address the kinds of hardware/software combinations that exist in the real world.

That would explain why 2003 Server's updates come from the hardware manufacturers, come to think of it.

That also explains why so many update systems now come up for companies (Microsoft's SUS, Redhat Network Satellite, Mandrake's etc...) to allow them to keep updates for their software inventories and maximise their availability and minimise their bandwidth bills as well.

In many years of computing (2, Insightful)

Muggins the Mad (27719) | more than 10 years ago | (#9691086)

I've had several more cases of "security" patches breaking my systems through changes to things not related to the security issue than I have of being hacked/infected/spywared.

So I couldn't in good faith recommend auto-update on any system where the supplier has a history of this.

Maybe when the software industry is mature enough to release security patches that *only* contain a security patch I'd think about it. I expect I'll be a long time waiting.

Ok, so some free *nix distros do, and that's nice, but these generally aren't the ones getting infected all over the place.

Plus, as someone else mentioned, having an auto-updater interrupt the one game of UT2004 you've managed to fit in this week is just not on.

I don't understand how certain software suppliers are finding this so hard. Release a patch that fixes the security issue. Only the security issue. Make it small. Make auto-updaters check for updates when the screensaver kicks in. Duh.

- MugginsM

autoupdating apps are annoying.. (2, Insightful)

Suppafly (179830) | more than 10 years ago | (#9691107)

Autoupdating as it is used by most apps is just annoying.

Certain things need to be updated frequently, such as operating systems and antivirus programs. Programs like quicktime and real don't need to be updated more than a few times a year, and yet they try to have tray icons running all the time.. Generally these autoupdating utilities are used to steal file associations every time you try to change them back to media player or winamp.

It's one thing for an app to look for updates (after asking you) once you open it, but it is a complete waste of resources for every app to have a tray icon using a few megs of ram to periodically download updates.

Re:autoupdating apps are annoying.. (1)

0x0d0a (568518) | more than 10 years ago | (#9692328)

I'll second the "autoupdating as used by most applications" bit. It really needs to be a single OS-wide *good* updater with logging, decent error recovery, and the like. apt with deb or rpm is a good example. Having a load of applications, all with their own half-assed updaters that break under particular situations is a *bad* thing.

I've never been able to figure out why nobody provides an automatic application update service for Windows. Once you get used to having an automatic (or manual "tell me what's out of date on my entire system, including applications, and if I choose to do so, download and install updates") update, it's very hard to use anything else.

I'm thinking... (1)

Short Circuit (52384) | more than 10 years ago | (#9691233)

...about essentially putting "apt-get update; apt-get install" in the crontab.

I'd make sure the session is interactive in a SSH/screen session, and monitor how long the process has been running. If it's still running after half an hour, it'll fire an email at me saying the update process needs my attention.

If all exits normally, it'll email me the stdout and stderr of the session, so I know what was updated.
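
A sketch of the cron job described in this comment, which also fits PhaseBurn's nightly pretend-mode run earlier in the thread (added example, not code from any poster): it runs the update command with no terminal attached, enforces the half-hour limit, and builds the mail carrying stdout and stderr. It uses `apt-get -s upgrade` (simulate) so nothing is installed unattended; the function names, mail addresses and subject format are assumptions.

```python
import subprocess
from email.message import EmailMessage

TIMEOUT_SECONDS = 30 * 60  # the half-hour limit from the comment

# Commands for one nightly run. "-s" is apt-get's simulate mode, so the second
# step only reports what would change. The Gentoo equivalent quoted in the
# thread is ["emerge", "-Upv", "world"].
NIGHTLY_JOBS = [["apt-get", "update"], ["apt-get", "-s", "upgrade"]]


def _text(value):
    """TimeoutExpired may carry bytes or None even in text mode."""
    if value is None:
        return ""
    return value.decode(errors="replace") if isinstance(value, bytes) else value


def run_update_job(argv, timeout=TIMEOUT_SECONDS):
    """Run one command non-interactively; report the outcome instead of raising."""
    result = {"argv": list(argv), "timeout": timeout, "returncode": None,
              "stdout": "", "stderr": ""}
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired as exc:
        # subprocess.run has already killed the child at this point.
        result.update(status="timeout", stdout=_text(exc.stdout),
                      stderr=_text(exc.stderr))
        return result
    except OSError as exc:  # binary missing or not executable
        result.update(status="not-run", stderr=str(exc))
        return result
    result.update(status="ok" if proc.returncode == 0 else "failed",
                  returncode=proc.returncode,
                  stdout=proc.stdout, stderr=proc.stderr)
    return result


def build_report(host, result, sender="root@localhost", rcpt="admin@localhost"):
    """Turn a job result into the mail the admin reads in the morning."""
    if result["status"] == "ok":
        verdict = "completed"
    elif result["status"] == "timeout":
        verdict = f"needs attention (still running after {result['timeout']}s)"
    else:
        verdict = f"needs attention ({result['status']}, exit {result['returncode']})"
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, rcpt
    msg["Subject"] = f"[updates] {host}: {' '.join(result['argv'])} {verdict}"
    msg.set_content(f"--- stdout ---\n{result['stdout']}\n"
                    f"--- stderr ---\n{result['stderr']}\n")
    return msg


if __name__ == "__main__":
    import socket
    for job in NIGHTLY_JOBS:
        report = build_report(socket.gethostname(), run_update_job(job))
        print(report)  # or: smtplib.SMTP("localhost").send_message(report)
```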

Re:I'm thinking... (1)

Carnildo (712617) | more than 10 years ago | (#9691409)

emerge sync && emerge --update world

Babble much? (-1, Offtopic)

slartibart (669913) | more than 10 years ago | (#9691268)

Unfortunately it opens another can of worms that isn't so enjoyable that being companies who abuse such a system for advertising purposes, modifying the software in such a way to reduce or change its functionality either because of internal decisions or external pressures from 3rd parties, compromise and abuse of the server the company uses to distribute the updates.

This may be one of the most unintelligible run-on sentences I've ever encountered. It's 55 words. Prefer sentence fragment.

HP AutoCrash (1)

kmahan (80459) | more than 10 years ago | (#9691317)

Autoupdates are nice if they work. But they are damned annoying when they don't. My lone WinXP box (used to talk to the HP Scanner and the Epson "I only work with my windows drivers" Color printer) is a good example. The HP Scanner software decided it needed to update itself. It's an annoying feature but I mistakenly said "ok". So after applying its updates the HP AutoUpdater now crashes whenever the screensaver kicks in. Nice AutoUpdateOfDeath...

Obviously I now have to take the time to go search the web for the solution and hope that it works without corrupting too much else.

I wonder how much time people waste "fixing" the updates that they download due to the incessant nagging of the applications?

May be redundant... (1)

Idealius (688975) | more than 10 years ago | (#9693628)

..but, as a Windows Technician of almost 4 years now I believe that people should be aware of 99% of what happens to their computer.

Treat it like a car.

Wouldn't you be upset when you find out that your engine was "automatically updated" one day and that's why you were limited to 5 mph making you cancel meetings, miss deadlines, etc..

Treat your computer like it's your car, unless you're an FFR* masochist.

Trust me, you'll save time AND money in the end.

*FFR -- Fdisk/Format/Reinstall, somewhat ancient but it still applies. :^)

Re:May be redundant... (0)

Anonymous Coward | more than 10 years ago | (#9694176)

Wow, 4 years... that takes you all the way back to, what... Windows 2000? Windows Me?

Certified Auto-Update Support for Third-party (1)

prabha (538549) | more than 10 years ago | (#9693876)

Given the amount of spyware and other such software available, it would be wise if Microsoft develops a new technology (API) for the Auto-Updation feature of third-party applications.

Another approach for the software manufacturers is to make use of independent testing houses (for functionality and security/privacy issues).
There will be a good acceptance rate for such certified software in the market.

Auto-Update (0)

Anonymous Coward | more than 10 years ago | (#9701335)

This scares the h*** out of me. The reason being, if I was a hacker (which I'm not), this is the service I would try to hijack. This combined with someone finding an exploit to this service, well enough said.