Slippery Software Security Surprises: Managing Your Operating System’s Updates
The world is an interesting place. Sometimes things happen that make you question the very nature of “coincidence.”
For example: Dave White (My Boss, you may have heard of him) does newsletters from time to time. Just the other day he did one about Windows Updates.
Now then, at the same time I do a Security Newsletter every two weeks or so.
So, imagine my surprise when I saw that his most recent newsletter was about Windows 10 Updates. The thing that surprised me was that the newsletter I was preparing (at the same time) had to do with Updates. “Great minds think alike” … or was it the other one? Enough rambling, let’s get to the point.
So first off, let me explain a few things about Windows Updates. In the past, Microsoft had a thing called “Update Tuesday.” They only released updates on Tuesdays, unless it was something major. They also gave users the ability to turn updates off. The logic behind this stance was pretty straightforward.
Why updates on Tuesday?
Well, Mondays are busy, since you have all that catch-up to do from the weekend. So they’re not a good choice, as the updates would interfere with your office work. Weekends are bad, because companies would need to pay their IT staff overtime, so updates would become an expense. Tuesdays are the best, since if something goes wrong, the IT department has 4 days to sort things out and fix it before the weekend.
Why give users the ability to not update at all?
As someone who has overseen networks before, any sort of change to the environment (hardware or software) is always a gamble. So being able to lock down the environment from changes is better, because “If it ain’t broke, don’t fix it.” Don’t forget “Murphy’s Law”, which states: “Anything that can go wrong, will go wrong.” There’s the less famous (but equally correct) O’Reilly’s Law, which says: “Murphy was an optimist.” So, don’t mess with working software by updating it all the time.
So, that’s the logic behind how it used to be. Makes good sense, right? Well, let me tell you what happened in REALITY. Time and time again Microsoft would release a patch, A CRITICAL PATCH, and say: “Update now because of XYZ vulnerability.” Then, months or years down the line, some big company would get hacked. Obviously, there would be an investigation and it would be because some vulnerability was exploited, and people would point the finger at Microsoft. Microsoft would then respond with: “The patch for this has been available for a long time.”
This is why Microsoft no longer gives people the choice on updates. In short, it’s because IT Admins (the people in charge of doing updates) weren’t doing it.
Remember that old expression, “If it isn’t broken, don’t fix it”? The thing to remember is that if there’s a patch that fixes a vulnerability, it means the software IS broken. It’s just broken in a way that you can’t see and doesn’t impact you directly.
Now, I’ve spent a lot of time talking about Windows Updates, which is great. However, what about all the other software that’s installed on your computer? What about the office software, or that database installed on the server, or Java? Sure, the operating system has an automatic update feature, but what about the other software you use? Just because there might not be an automatic update feature doesn’t mean the company doesn’t have patches for the software.
It’s vitally important to remember that EVERYTHING on your computer needs to be kept up to date. This includes:
- The operating system
- Firmware updates for any/all hardware
- Any/all software (not just the things you use regularly)
All of these are run by software, which means they can all be exploited, and those exploits can be prevented with updates.
When I do a Security Audit, one of the things I do is inventory the software. I don’t stop at the operating system, or the primary software the company uses; I look at everything they have installed. It’s easy to do, because there’s software to do it automatically. I also look for any updates that might exist for any of that software (again, it’s simple because it’s done automatically.)
In most cases, the single biggest problem I find is that there are patches and updates that have not been installed.
Having a Windows Update server is great for managing the updates to your operating system. It even allows for a certain level of control when it comes to Windows 10 Updates. It’s all the other 3rd party software that can’t be forgotten about. Having a similar system in place to manage updates to different software will help reduce the amount of work that goes into keeping your corporate network protected.
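As an added example (not code from the original post or from TRINUS), here is the kind of automated check the audit paragraph above describes: a PowerShell script that inventories every installed product from the Windows registry uninstall keys and lists the Windows updates that are approved but not yet installed, whether the machine gets them from a WSUS server or directly from Microsoft. It assumes a Windows host with PowerShell 5.1 or later, run in an elevated session so that per-machine keys and the Windows Update Agent are readable; the watch-list names are constructed from the software categories the post mentions.

```powershell
# Added example: software inventory plus pending Windows updates for the local machine.
# Assumes Windows, PowerShell 5.1+, and an elevated session (assumption, not from the post).

function Get-InstalledSoftware {
    # Per-machine 64-bit and 32-bit installs, plus per-user installs for the current user
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function Get-PendingWindowsUpdates {
    # Windows Update Agent COM API; honours the machine's WSUS or Microsoft Update setting
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity          # Critical / Important / Moderate / Low / empty
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        }
    }
}

$software = @(Get-InstalledSoftware)
$pending  = @(Get-PendingWindowsUpdates)

"{0} installed products found" -f $software.Count
$software | Export-Csv -Path .\software-inventory.csv -NoTypeInformation

"{0} Windows updates pending" -f $pending.Count
$pending | Sort-Object Severity | Format-Table -AutoSize

# Constructed watch list: third-party products the post calls out as easy to forget.
# Anything matched here needs its vendor's patch status checked separately, since
# Windows Update does not cover it.
$watch   = 'Java', 'Office', 'SQL Server'
$pattern = ($watch | ForEach-Object { [regex]::Escape($_) }) -join '|'
$software | Where-Object { $_.DisplayName -match $pattern } |
    Format-Table DisplayName, DisplayVersion, Publisher -AutoSize
```

The CSV is the artefact worth keeping from audit to audit: diffing two inventories shows what was added, removed, or (by version) left unpatched in between. The pending-updates list only covers what Windows Update knows about, which is exactly the post's point about needing a separate process for everything else on the machine.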
If you have any questions about updating your software, you can reach out to your TRINUS Account Manager for some stress-free IT.
Your Friendly Neighbourhood Cyberman.