Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Friday, April 06, 2007

Not All Computers are Updated Equally

The truth is, not all computers are created equal. Over time as various programs, updates and configurations are introduced, our computer are even more diverse.
Here lies the problem of updates and even worse, the evil "auto-update".

While I still recommended everyone download this weeks ANI Vulnerability patch, I knew there was still a risk it could adversely affect some computers. It did in fact, mess up folks who have Realtek Audio. Imagine that, a fix to animated cursors screwed up an audio control panel application.

I have written about this before but this weeks episode is just another reminder. The increasing trend towards applications using auto updates is more dangerous to computer users than global warming is to polar bears.

It's not just Microsoft updating your system. Everyone is getting into the act. Adobe wants to update your PDF reader, Macromedia constantly updates Flash, Google wants to update your toolbars, and more computers come installed with a global auto update program from Installshield available to all developers who use the #1 InstallShield.

If we look at the history of auto updates, it's pretty scary. One Microsoft patch made it impossible for people to use their HP printers and scanners. Even a virus update to Windows Defender caused some people to lose all their Outlook Email. In that case, it was just an update of data, not even a patch.

This trend is bad for computing and needs to stop. No matter how long the "beta" test or preview has been out, you just can't guarantee that a change will affect everyone the same. Updates need to be a user's choice and there should be an easy fall back method available if errors occur.

Update from Microsoft:
As of April 5, 2007, Microsoft is aware of the following third-party programs that are affected by this problem:
• Realtek HD Audio Control Panel
• ElsterFormular 2006/2007
• TUGZip
• CD-Tag

Share on Facebook


Blogger Cd-MaN said...

I would make the argument that Automatic Updates are a good thing and that you fail to take into account the needs of the non-technical people (eg. 99% of the users) because by the nature of your product you have a more knowledgeable user base.

While it is true that updated software may break some things in a small percentage of cases, the large majority of users gets added protection from it, protection which they otherwise wouldn't know how to achieve on their own (because they are not aware of the dangers in the first place). Maybe managed security is the answer for these people, but I don't see this coming anytime soon.

Also, the percentage of people truly understanding the security implications of the vulnerabilities is very small (because you have to know how different parts of the system interact with eachother - like the recent ANI vulnerability - it was a bug in the OS, but because browsers relied on the OS to display the ANI file, it became exploitable by any website. And the "I don't visit porn websites" doesn't cut it as we seen with the compromised Asus webpages).

In conclusion: people should not turn off automatic updates. With imperfect software this is a necessary evil and you basically have:

-Non-technical users who have the choice between a 0.0001% probability of experiencing problems due to patches or 99.9999% of being owned

-Technical users who have a chance of 0.0001% to experience problems, 10% of being owned (we all make mistakes) and 90% (ok 89.9999% :)) of nothing happening.

In both cases the "being owned" risk far outweighs any potential problem that a patch might cause.

2:20 AM  
Anonymous Anonymous said...

Active X Controls a New Necssity.

For the longest tme I have known a group of people more technically inclined who quietly shared a simular philosophy. We were the group that starts a good computer setup by first removing software, not installing it. Along with this came the termination and disabling of programs which we considered ridiculously risky, snoopy or unnecessary. Active-X scripted softwares was at the top of the list: There were many that talked about disabling this function in Windows altogether for the simple reason of increasing security and safety on a user's machine.

Microsoft has a history of promoting it's products to such a great degree that it's always full-speed-ahead and risks will be dealt with on the other side. What this means is that you end up understanding what might be 'prudent' to do but in reality, and realisically speaking, you end up not having much choice in the matter. By the time the extent of the losses is clearly evident, the industry has integrated these softwares so well into the system that it has become impractical to think of doing this.

This is such a boon for the internet security industry that has spent untold time and expenses trying to keep up with various exploits created to take advantage of the holes left behind by the lack of planning. Microsoft security updates to Windows operating systems end up making me think of the old saying, "Physician, heal thyself!" How convenient, that unlike it's hardware counterparts, software has the capacity to come back and fix what it never got right in the first place. Try building and selling an electronic product produced with the same low-standards. But software... it's experimental, cutting edge, right? So was your VCR but it probably pretty much worked from day one until you hauled it to the dumpster 10 years later.

I find it ironic that I actually came to this website to offer a request to the author of Winpatrol for a simular type of control today. It will allow a user to choose to stop some of those annoying repeated requests that one get's after your computer has been invaded that want you to add a setting to your registry that has nothing to do with any legitimate software on your system. I have been having a problem with this type of messaging over the past week. It seems outrageous that one cannot reach out to the attached offending software and shut the cycle off. From what I have been able to surmise, I am suspecting that the culprit behind this very annoyance is... would you believe? Active-x WIndows scripting from malicious adware or trojans that have managed to download themselves from the internet.

We need you Winpatrol! Thanks again for your useful utility.

3:02 PM  
Anonymous floworks said...

updates are very important because it has the new files that need to include on the existing program the creator doesn't need to let the user download by themselves the new updates in which case burden for the users so they include it to be automatically updated the softwares.

8:02 AM  

Post a Comment

<< Home