Feeds

Post Blaster, MS floats default auto updates for Windows

It's an ill Win... d'oh

  • alert
  • submit to reddit

3 Big data security analytics techniques

Never happier than when making things compulsory, Microsoft is floating the notion of making home versions of Windows download and install software updates automatically by default. You'll be able to switch it off, of course (for a while), but the joy of shipping things to home users is that most of them leave the system's default settings as is, either because they don't know any different or because (grief) they trust software vendors.

Seamless, auto-updating without user intervention is something that Microsoft has wanted for a long time, as The Reg has frequently pointed out, sometimes without even using words like "evil", "bunch of" and "control-freaks". But it's not something the company has been able to achieve in the past, and the last serious flotation of the notion, at the time of XP's rollout, engendered significant adverse reaction to the possibility of Microsoft 'controlling' your machine.

But that was then, and this is now. The Blaster plague of boils ripped through the user base, and Microsoft's security people are now suggesting that customers want their systems to update automatically. We have a healthy disrespect for that old Microsoft marketing catch-all, "customer demand", but we're inclined to trust the security mob a tad more than the rest, so maybe some customers do want it. Not that we entirely grasp why they don't just switch the bleeding thing on then, if they do.

The slightly higher trustworthy rating of the security people is not however reflected elsewhere in The Beast's command structure, which brings us why you don't want this to happen, reason number one. You'll note the Washington Post's report gives Microsoft's justification of XP SP1 control-freak licence as a 'clarification' of the company's "ability to verify product information and provide accurate updates." Whoever told them this black lie has a trustworthiness rating somewhere south of duplicitous snake; any security implications of the new licence terms were merely a happy side-effect of Microsoft's paving the road to DRM.

There's a clear tension here, in that the security side of MS is pushing to secure Windows from a relatively genuine perspective, while the bean-counter driven side of the company is pushing ROI. The efforts of the latter frequently undermine the ability of the former to achieve their goal, by maintaining the essentially untrustworthy status of the company, and you can never be sure whether, or to what extent, the latter are overruling the former.

It may however be that you're confident that all your software, including all of the entertainment content of your system, is legal, and you fully agree that Microsoft has a right to audit you, and to install patches to keep your/their software secure. Do you then trust Microsoft to automatically download and install those patches without asking you first?

Next reason - of course you don't. Microsoft has a long and inglorious record of producing updates that break more things than they fix, patches cause unexpected failures of other software components, and some updates (thank you, Redmond Duplicitious Snake Division) switch off useful old stuff that somebody in there wants you to stop using. Do you honestly believe that anybody within Microsoft responsible for producing patches is going to wager their grandemother's life on their latest effort not breaking anything? Of course you don't, so they don't entirely trust themselves either.

Which brings us on to a reason for Microsoft not going the whole way initially. It's currently just about conceivable that Microsoft could clean up its security update operation to the extent where they largely did what they said on the tin, and where breakages were largely isolated and minor, and to be fair this is mostly the case already. But it's not when it comes to more general updates, and sane souls within Microsoft will point to the potential PR disaster of crippling ten of millions of machines in one night and argue for the procedure to be ringfenced at security updates. Personal security updates.

But doing that properly isn't just a matter of Microsoft solemnly binding itself to security, and promising not to happily ski down the slippery slope at some point in the future when it thinks the coast is clear. We've heard from Solomon Binding in the past, and don't trust him either. We're probably talking about a free-standing security update system here, nothing to do with Windows Update, nothing to do with shotgun licence changes and nothing to with Microsoft's financial security. And - here's a novel one - it ought to be accompanied by a sort of green kryptonite licence, where rather than establishing its rights over you and the software it turns out you only thought you bought, Microsoft establishes rights for, and makes guarantees to, you.

Nah, couldn't happen. And even if it did we probably wouldn't trust them anyway. But we're like that. ®

SANS - Survey on application security programs

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.