What is more harmful -- installing or skipping updates?

[dc2000]

Hi everyone:

I started thinking about something. We all hear these days that updates are important and that by updating we protect our systems from online threats such as zero-day-vulnerabilities, etc. But recently I started thinking about risks and benefits of installing updates.

So my question is what is more harmful for an average user:

A) Installing updates as they come out, or
B) Skipping updates?

Let's review my recent experiences. I personally deal with the following devices: Windows 7 desktops at work, iPhone and iPad for personal use.

Nov, 2015: After installing Windows 7 updates that came out on that "update Tuesday", Microsoft Outlook Office Home and Business 2010 started crashing sporadically while opening some emails. The problem could be reproduced on all Windows 7 workstations involved in our office. As it later turned out, Outlook, being one of the central applications used for business, was almost incapacitated for about a day by KB3097877. The issue was resolved the next day by uninstalling KB3097877.

Earlier, 2015: After updating from iOS8 to iOS9 on my iPad, I lost the ability to play video podcasts via full screen, as well as to fast-forward using the Apple Podcast app. The issue is still not resolved today.

Earlier, 2015: After upgrading iOS on my iPhone I lost convenience of familiar buttons in the music app in favor of Apple Music, that is totally useless to me. The issue is still not resolved today.

Earlier, 2015: By updating to Windows 10, (one of the people I know) lost the ability to use his Windows Media Center application.


Now let's see, what else happened.

Have we ever gotten a virus or a malware on our Windows 7 desktops at work? Nope. Not a single one for the last 5 or so years that Win7 was out. We don't pay for antivirus. We use Microsoft's Security Essentials. All computers have GPOs installed with white-listing of applications that are allowed to run. The default web browser, IE, is configured not to play Flash, and most of its plug-ins are disabled. PDFs are opened via Google Chrome browser. All employees are instructed not to open emails with attachments or click links in the emails.

I have never gotten a virus on my iPhone or iPad.

So what is the chance that a zero-day vulnerability will affect an average Joe vs. the inconvenience, lost time, and monetary cost involved in fixing damages caused by updates? Does the former really outweigh the latter?

 

[Stevekir]

I have AVG CloudCare (free with my new computer, 8 months old - I will get something different soon). I got a big black window warning of a MSIL trojan which was neutered. I think that if I did not have the antivirus on I could have been in trouble.

I have had trouble, once, immediately after installing a Windows update, about 2 months ago. But I don't think I want to skip them, nor go without malware protection. I'm too cautious.

 

[jonnyhillow]

You should ALWAYS download important "security related" updates , i don't think anyone would disagree with that .

As for other updates like recommend and optional thats up to you but recommend can also be important . Win 10 stuff has made people think twice about that though.

 

[Layback Bear]

The choice is up to the owner/operator of the computer.

I personally get Windows 7 Updates. Note please, with the games Microsoft is playing after the release of W-10 I have to do research on the Updates before installing them.
Again that is the choice of the owner/operator of the computer.

Any body can get hit with a zero day infection but that doesn't mean one shouldn't be protected from older infection. So yes I do believe in security protection programs for my systems. I do update them several times a day, manually.

Is the time spent trying to keep my computer safe worth it.
The question will answer it's self once one gets infected and spends the time to disinfect their system. Not counting the loss of data that might of happened.

Computer security is not something I recommend taking lackadaisical.

 

[AddRAM]

I have AVG CloudCare (free with my new computer, 8 months old - I will get something different soon). I got a big black window warning of a MSIL trojan which was neutered. I think that if I did not have the antivirus on I could have been in trouble.

I have had trouble, once, immediately after installing a Windows update, about 2 months ago. But I don't think I want to skip them, nor go without malware protection. I'm too cautious.

You only got the Trojan because you downloaded something.

Personally, I think AVG is garbage

 

[Clairvaux]

You should ALWAYS download important "security related" updates , i don't think anyone would disagree with that.

Actually, Woody Leonhard, who carved out a niche for himself keeping watch on bad Windows Updates, disagrees with that. He says that some of the worst WU disasters have been with "security" updates. That's the whole point of his MS-DEFCON warning system.

He doesn't say you shouldn't install them. Just that you shouldn't do so right away, but wait for his green light (depending on your situation), which he gives (or not) after feedback from users (and his own research).

Basically, right now, he says there's no clear-cut option. You're caught between a rock and a hard place. The old days of blindingly trusting Microsoft are gone (for now).

His last two MS-DEFCON advisories are here and here. He has just warned about a catastrophic "security" update which broke Outlook and access to the network, yesterday or the day before. MS silently issued a patch to the patch a few hours later, but as if to confuse everybody, it had the same KB number. And some users still report it breaks their systems.

 

[dc2000]

Thanks, guys. What I'm saying is that for the last 5 years or so, I had to fix or sustain damage caused by multiple updates (that would either break stuff or take away features) while I had no damage that was caused by viruses or malware. That's all that I'm saying.

As for effectiveness of AVPs, they are ALL useless. The difference is in marketing and customer service. As for their effectiveness, then they have about 60% "catch rate" for older malware and almost 0% for new malware. And if you go with the free ones (like AVG and such) they harvest your data for their "whatever" purposes. (Mostly to sell to advertisers to recoup the cost of "free" AVP.) So, my answer to that is, "No, thank you!"

 

[jonnyhillow]

You should ALWAYS download important "security related" updates , i don't think anyone would disagree with that.

Actually, Woody Leonhard, who carved out a niche for himself keeping watch on bad Windows Updates, disagrees with that. He says that some of the worst WU disasters have been with "security" updates. That's the whole point of his MS-DEFCON warning system.

He doesn't say you shouldn't install them. Just that you shouldn't do so right away, but wait for his green light (depending on your situation), which he gives (or not) after feedback from users (and his own research).

Basically, right now, he says there's no clear-cut option. You're caught between a rock and a hard place. The old days of blindingly trusting Microsoft are gone (for now).

His last two MS-DEFCON advisories are here and here. He has just warned about a catastrophic "security" update which broke Outlook and access to the network, yesterday or the day before. MS silently issued a patch to the patch a few hours later, but as if to confuse everybody, it had the same KB number. And some users still report it breaks their systems.

OK, i see what your talking about, that has never happened to me or anyone i know but never say never.

I still would never advise against installing important security updates to anybody , if they want to wait thats up to them as it's their computer .

When i first started with computers it was always pounded into my head to install all important windows updates immediately and this was told to me by Shane . the owner of PC Win tech and Tweaking.com , Wilder's security forum helpers and mods , two separate moderators at Gizmo's freeware , Chaslang from Majorgeek's , Geeks to Go malware and tech support and quite a few people at Bleeping Computer .

This was of course before what you linked to but again mishaps can happen at anytime , do i feel people should skip installing patches for serious security vulnerabilities and wait it out , i do not , if people feel differently i understand and respect their opinion.

I don't doubt some windows users have problems with updates but there is also a ton of people who have not experienced any issues at all .

Thanks for your links and comments .

 

[Clairvaux]

We use Microsoft's Security Essentials.

That's what I used to do for a long time, following widespread advice. Then, a few weeks ago, because I had to reinstall, I did some fresh research, and realised that MSE got catastrophic results from several reputable anti-virus benchmarks, to the point that Microsoft had asked them to please not rate it anymore against its competitors. However...

All computers have GPOs installed with white-listing of applications that are allowed to run.

Might not that be the main reason why...

Have we ever gotten a virus or a malware on our Windows 7 desktops at work? Nope. Not a single one for the last 5 or so years that Win7 was out.

Whitelisting applications seems a pretty radical method to me. Not saying that it's wrong in your case, but isn't that an approach best suited to corporate environments ? The individual user, especially if he's a geek always experimenting with software, cannot do that. And Windows 7 Home Premium doesn't have Group policy anyway.

That being said, modern free anti-virus has to be taken with a grain of salt. I have installed Avast, and, regardless of the core qualities of the product (which scores very well in specialised benchmarks), you need to keep a healthy dose of disbelief when it throws certain alarming warnings at you : YOUR COMPUTER IS SLOW ! WE'VE DISCOVERED 237 USELESS PIECES OF SOFTWARE ON IT ! CLICK HERE NOW TO GET RID OF THEM ! That, on a squeaky clean fresh install of Windows. Of course, that's how they can bully you to opt into the the paying version, whose extra "features" seem rather useless to me.

Having your own anti-virus using malware developers' methods against you is unsettling, to say the least.

However, the scale and nastiness of the malware industry is vastly bigger than what it was one or two decades ago, and having read Microsoft's Security Essentials comically bad benchmark reports, I don't feel safe anymore trusting my PC to it.

 

[jonnyhillow]

We use Microsoft's Security Essentials.

That's what I used to do for a long time, following widespread advice. Then, a few weeks ago, because I had to reinstall, I did some fresh research, and realised that MSE got catastrophic results from several reputable anti-virus benchmarks, to the point that Microsoft had asked them to please not rate it anymore against its competitors. However...

All computers have GPOs installed with white-listing of applications that are allowed to run.

Might not that be the main reason why...

Have we ever gotten a virus or a malware on our Windows 7 desktops at work? Nope. Not a single one for the last 5 or so years that Win7 was out.

Whitelisting applications seems a pretty radical method to me. Not saying that it's wrong in your case, but isn't that an approach best suited to corporate environments ? The individual user, especially if he's a geek always experimenting with software, cannot do that. And Windows 7 Home Premium doesn't have Group policy anyway.

That being said, modern free anti-virus has to be taken with a grain of salt. I have installed Avast, and, regardless of the core qualities of the product (which scores very well in specialised benchmarks), you need to keep a healthy dose of disbelief when it throws certain alarming warnings at you : YOUR COMPUTER IS SLOW ! WE'VE DISCOVERED 237 USELESS PIECES OF SOFTWARE ON IT ! CLICK HERE NOW TO GET RID OF THEM ! That, on a squeaky clean fresh install of Windows. Of course, that's how they can bully you to opt into the the paying version, whose extra "features" seem rather useless to me.

Having your own anti-virus using malware developers' methods against you is unsettling, to say the least.

However, the scale and nastiness of the malware industry is vastly bigger than what it was one or two decades ago, and having read Microsoft's Security Essentials comically bad benchmark reports, I don't feel safe anymore trusting my PC to it.

Wow, i am not used to hearing that , all i have heard over the years is how great MSE is , good to know thanks.

Many are claiming the new Defender for Win 10 is superior but when asked why i have not received responses.

 

[Brds7t7]

My advice, install security updates but wait a few days to see if there are any issues. I've always had WU set to check for updates but never install since Windows XP.

The other updates recommended/optional are completely up to you. They'll be different for each users needs.

 

[dc2000]

Yes, it seems to be the consensus -- to review all updates and install only the critical ones. It just takes so much time. Those updates are poorly labeled and their description is such a Microsoft-speak. It's almost like you need a designated person to do all that.

I did some fresh research, and realised that MSE got catastrophic results from several reputable anti-virus benchmarks, to the point that Microsoft had asked them to please not rate it anymore against its competitors.

Do you have any links to such research/claim?

Whitelisting applications seems a pretty radical method to me. Not saying that it's wrong in your case, but isn't that an approach best suited to corporate environments

Why is it wrong in my case? And, yes, I am using it in our office, so yes, it is kinda like a corporate environment. The idea is that you should not be installing anything new on your work system. In case of computer enthusiasts (which I include myself as well) I always install stuff into Virtual Machines. I use VMWare Workstation, but there's a free version of Virtual Box from Oracle that can do that. So the rule of thumb is that NOTHING is installed on my main machine (after I install the initial software during its installation) and all experiments go into VMs.

That being said, modern free anti-virus has to be taken with a grain of salt

Like I said before, they all SUCK. None of them are worth the money you pay for them, and free ones are using you to harvest your data. I know, it's a Windows forum, but what I do for my Mom or anyone who is not good at monitoring computer security, I get them (or advise them to get) an iPad or a MacBook. I know that OS X can also get malware, but just by being less popular than Windows, hackers are less interested in it. Plus the new OS X has a nice set of features to lock down any installation of software that is not in the store, which I always do for a person who "doesn't know what they are doing"

And Windows 7 Home Premium doesn't have Group policy anyway.

You know I don't have home premium at hand so you may want to check. I know that you can still use local GPOs even on non-domain connected systems. Do Windows Key + R and then type in gpedit.msc and see if it opens up. If it does, then you can configure some basic group policies for your local system too. It won't use App Locker on a non Enterprise/Ultimate system because it won't have a needed service, but you can still use a more primitive/basic whitelisting by going to Local Computer Policy -> User Configuration -> System -> Run only specified Windows applications. It will allow to configure processes by name, which is less secure but is better than nothing for a more-or-less static system where you don't install new software every day.

 

[Clairvaux]

I did some fresh research, and realised that MSE got catastrophic results from several reputable anti-virus benchmarks, to the point that Microsoft had asked them to please not rate it anymore against its competitors.

Do you have any links to such research/claim?

I do not have my whole documentation handy because my user data is not restored yet, but you can start here :
www.av-comparatives.org
www.av-test.org

Whitelisting applications seems a pretty radical method to me. Not saying that it's wrong in your case, but isn't that an approach best suited to corporate environments

Why is it wrong in my case ?

That's a complete misunderstanding. I was stressing, on the contrary, that I did not mean to imply, in any way, that the whitelisting route was a wrong strategy on your part.

That being said, modern free anti-virus has to be taken with a grain of salt

Like I said before, they all SUCK.

A bit extreme, maybe ?... The aforementioned testing institutions don't seem to trash them the way you do.

And Windows 7 Home Premium doesn't have Group policy anyway.

Do Windows Key + R and then type in gpedit.msc and see if it opens up.

Thanks... nothing there, unfortunately.

 

[dc2000]

I do not have my whole documentation handy because my user data is not restored yet, but you can start here :
www.av-comparatives.org
www.av-test.org

Sorry, my friend, giving a home page for a web site would not qualify as evidence for the claims you made. Please stop spreading rumors.

 

[jonnyhillow]

I checked out those links and i was surprised by some of the results.

Windows Sevens built in firewall seems to score as high as the best paid firewalls which is good news for me , i never had a problem with it. Seems Windows 10 Defender scores in the middle of the pack but it appears it is never directly compared to the others for comparison . I don't think it got terrible results but average results it seems .

The one thing i was surprised at though was Microsoft's AV is shown to be in the middle of the pack as far as system impact performance , i always thought of it as being the least resource hungry but thats because i am rarely if ever correct so it makes sense i got that one wrong .

 

[ThrashZone]

Hi,
Yep just get your windows update settings in order so Important updates are clearly separated from recommended and optional ones
Then always wait a few days/ weekend for rejects to be removed or fixed.

 

[Clairvaux]

I do not have my whole documentation handy because my user data is not restored yet, but you can start here :
www.av-comparatives.org
www.av-test.org

Sorry, my friend, giving a home page for a web site would not qualify as evidence for the claims you made. Please stop spreading rumors.

I certainly did not try to provide any "evidence" to you.

I assumed you were asking a question in good faith, that's why I took upon my time to help you, and provide starting points from where you could make your own research.

I now realise you think of yourself as a policeman, you presume everybody else is guilty, and they have to provide "evidence" to you that they are innocent. I don't know what sort of delusional, fantasy world you live in. Please do not ask any more questions from me.

 

[dc2000]

Well, guys. It's not even funny anymore...
Microsoft pulls botched patch KB 3114409 that triggered problems with Outlook 2010 | InfoWorld

 

[Layback Bear]

MSE must be doing something right. A lot of people seem to think so.

https://www.opswat.com/resources/reports/antivirus-and-compromised-device-january-2015

 

[Ztruker]

Well, guys. It's not even funny anymore...
Microsoft pulls botched patch KB 3114409 that triggered problems with Outlook 2010 | InfoWorld

Why not have one system that you use as a Guinea Pig. Apply updates then run it for a week or two. If ok, update the rest. If not, find the problem, hide the update then do the same for the rest.

Not perfect but a workable solution.