Chapter 8: Automatic Updates as Security

IN THIS CHAPTER

Using automatic updates

Activating automatic updates

Configuring updates

Using Data Execution Prevention (DEP)

Internet security is a never-ending cat-and-mouse game between the security experts and the hackers who seem to have endless amounts of time to search for new ways to exploit the basic programmability of PCs. It seems that every time the good guys find a way to patch some security hole that the bad guys have learned to exploit, the bad guys find two more holes to exploit.

Windows 8.1 is certainly the most secure Windows version ever, by a long shot. But there is no such thing as a 100 percent secure computer because people can always find a way to take something good and turn it into something bad. So, in addition to the security features discussed in the preceding chapters, you need to keep your computer up to date with security patches as they become available. That's what Windows Update and this chapter are all about.

Understanding Automatic Updates

Many people are afraid of Windows Update — they're afraid that the updates will break something on their system that they can't fix. It's certainly true that any change to your system could create a problem. But it's unlikely that keeping up with updates will cause any significant problems — certainly nowhere near as many problems as you expose yourself to by not keeping up with updates. In addition, Windows Update creates restore points before installing many updates (but not for all updates), so you have the added security of being able to restore the system to a point prior to the update.

Other people fear that Microsoft will somehow exploit them through automatic updates. That's not the way it works. Microsoft has tens of millions of customers and tens of billions of dollars. It doesn't need to exploit anybody to be successful. Desperate people (and companies) do desperate, exploitive things. Microsoft is as far from desperate as you can get. Microsoft is also a publicly held company on the stock exchange, which means it's subject to constant scrutiny. Such companies aren't the ones that distribute malware. Most malware comes from e-mail attachments and free programs from unknown sources. When it comes to knowing who to trust and who not to trust, large publicly held companies are by far the most trustworthy, if for no other reason than that they can't afford to be untrustworthy.

A third common fear of automatic updates centers around the question “What's this going to cost me?” The answer to that is simple: Absolutely nothing. This brings us to the difference between updates and upgrades.

Updates versus upgrades

People often assume that the terms update and upgrade are synonymous. We certainly use the terms interchangeably in common parlance. But in the computer world, there is a big difference. Upgrades usually cost money and involve a fair amount of work. For example, upgrading from Windows 7 to Windows 8.1 will cost you some money and take some time. You might even need to hire someone to verify that the upgrade will work and do the upgrade for you.

Updates are much different. Updates are small, simple, and free of charge. Some people turn off automatic updates because they're afraid they'll get some mysterious bill for something they downloaded automatically without realizing it. That will not happen. Turning on and using automatic updates won't cost you a penny.

Why updates are important

Automatic updates are an important part of your overall security. Many forms of malware, especially viruses and worms, operate by exploiting previously unnoticed flaws in programs. The term exploit, when used as a noun in computer science, refers to any piece of software that can take advantage of some vulnerability in a program in order to gain unauthorized access to a computer.

Some hackers actually publish, on the Internet, exploits they discover, which is both a good thing and a bad thing. The bad thing is that other hackers can use the exploit to conjure up their own malware, causing a whole slew of new security threats. The good thing is that the good guys can quickly create security patches to prevent the exploits from doing their nefarious deeds. Automatic updates keep your system current with security patches that fix the flaws that malware programs attempt to exploit.

Enabling Automatic Updates

Automatic updates are the best way to keep up with security patches. In fact, chances are, they're already enabled on your system. To find out, open Windows Update. As you know from previous chapters, you can use any technique that follows to open Windows Update:

• At the desktop, press Windows + X and choose Control Panel ⇒ System and Security ⇒ Windows Update.
• At the Windows Start screen, show the Charms Bar and choose Search, and type Control Panel in the text box. Click Control Panel ⇒ System and Security ⇒ Windows Update.

Figure 8.1 shows the Windows Update applet. To determine Windows Update's status, click the Change Settings link in the left pane. The Important Updates drop-down list shows the current setting.

If automatic updates are turned off, seriously consider turning them on. To do so, click the Change Settings link in the Windows Update applet, and then choose from one of the four options that enable Windows Update.

Managing Updates

Automatic updates related to security require little or no effort on your part. But sometimes you may be faced with optional updates. These updates aren't security related. Instead, they're new versions of drivers, fixes for minor bugs, or some other type of update. They're optional because your computer is secure whether you install the update or not.

Managing optional updates

To manage optional updates and tweak some settings, use the Windows Update applet in the Control Panel. To get to that applet, do one of the following:

• At the desktop, press Windows + X and choose Control Panel ⇒ System and Security ⇒ Windows Update.
• At the Windows Start screen, show the Charms Bar and choose Search, and type Control Panel in the text box. Click Control Panel ⇒ System and Security ⇒ Windows Update.

Figure 8.1 shows the Windows Update applet.

If there are any optional updates, click the Optional Updates link to see what they are. The name of each will be listed next to an empty check box (see Figure 8.2). You have three options for dealing with each one:

• If you want to download and install the update, select its check box.
• If you want to hide the item so it doesn't show up in the future, right-click it and choose Hide Update. (It won't go into hiding until you leave the current window.) Right-click and choose Restore Update to restore a hidden update.
• If you want to get more information about the item before you decide, click its name and view more information about the update in the right pane.

If you selected optional updates to install, click Install to return to the Windows Update window and start the download and installation process. If you don't want to install any optional updates, simply close Windows Update.

Changing how updates work

You can modify the times when Windows updates are downloaded to your computer. For example, what if your computer isn't turned on and online at 2:00 in the morning? Will you miss out on something important? Not at all. For one thing, there is no time limit on updates. After an update is posted, it stays posted forever, so you can download and install it at any time.

To change how automatic updating works, follow these steps:

1. In the left column of the Windows Update page, click Change Settings. The Choose Your Windows Update Settings page appears, as shown in Figure 8.3.
2. Click Updates Will Be Automatically Installed during the Maintenance Window link to see when automatic updates are downloaded. Figure 8.4 shows the preferred time, which has Windows checking for critical updates daily at 2:00 a.m.
3. Use the Run Maintenance Tasks Daily At drop-down list to select a different update time.

   If your computer isn't online at 2:00 a.m.:

   • Your computer will check for updates and download them in the background (in other words, without interfering with whatever you want to do yourself) as soon as you do go online.
   • If you shut down the computer before the scheduled time, Windows will offer to check for updates before you shut down. So, you don't have to worry about missing out on anything important.

     

   • You also can click the Allow Scheduled Maintenance to Wake Up My Computer at the Scheduled Time option, which will turn on your computer and download the updates automatically.
   • You can choose a different schedule if you prefer, such as weekly at noon.
4. Click OK after you make changes to the Automatic Maintenance options and to return to the Change Settings screen.

On the Change Settings windows, you can modify the types of updates that are downloaded. As an alternative to fully automatic updates, you can choose one of the other options shown on the Important Updates drop-down list. For example, you can:

• Have Windows download the updates but ask your permission before actually installing them.
• Have Windows alert you to available updates. You can then choose whether you want to download or install them.
• Turn off automatic updating altogether. If you choose that option, the only way to get updates is to click Check for Updates at the left side of the Windows Update page.

By default, important and recommended updates are downloaded and installed. An important update is one that's needed to protect your computer against current Internet threats. Choosing Give Me Recommended Updates the Same Way I Receive Important Updates on the Change Settings screen extends that to less-critical updates that aren't directly related to security. Recommended updates are usually things such as minor bug fixes or improvements to Windows and other Microsoft products.

Click OK after making any changes to your settings, or click Cancel to leave all settings in their original state.

Reviewing and removing updates

The fact that well over 200,000 hardware and software products are available for Windows means that, once in a while, an update could cause problems with a particular device or program. Typically, you fix that problem by going to the product manufacturer's website and finding out what it recommends. If the manufacturer hasn't fixed the problem yet, and you need immediate access to the device or program, you might want to temporarily remove the conflicting update, especially if it isn't a critical security update.

To review your history of installed updates, follow these steps:

1. Click View Update History in the left column of the Windows Update window.
2. If you need to remove any installed updates, you can do so through the Uninstall A Program item in the Control Panel. Open the Control Panel and click Uninstall A Program.
3. Click View Installed Updates.
4. Right-click the update you want to remove and then click Uninstall.
5. If necessary, you can reinstall the update later by clicking Check For Updates in the left column of the Windows Update page.

Thwarting Exploits with Data Execution Prevention

Thwarting malware attacks that exploit software vulnerabilities is the most important element of automatic updates. But Windows 8.1 offers a second way of thwarting such attacks. It's called Data Execution Prevention (DEP). You don't want to use DEP as an alternative to other techniques described in this part of the book. Instead, you want to use it in addition to other techniques.

Many malware attacks use a technique called buffer overflow (or buffer overrun) to sneak code (program instructions) into areas of memory that only the operating system (Windows) should be using. Those areas of memory have direct access to everything on your computer. So, any bad code that sneaks into that area can do great damage.

DEP is a security antidote to such attacks. It monitors programs to make sure they use only safe and appropriate memory locations. If DEP notices a program trying to do anything sneaky, it shuts down that program before it can do any harm.

By default, DEP is enabled for essential Windows programs and services only. When coupled with antivirus protection, that setting is usually adequate. You can crank it up to monitor all programs and services. But if you do, you might also have to individually choose programs that are allowed to bypass DEP. Knowing when that's okay may require technical expertise that goes beyond the scope of this book.

To get to options for DEP, follow these steps:

1. Open the System window. Or at the desktop, press Windows+X and choose System. You end up in the System window.
2. In the left column, click Advanced System Settings. That takes you to the System Properties dialog box.
3. Select the Advanced tab, click the Settings button on the Performance heading, and then select the Data Execution Prevention tab. At last, you see the options shown in Figure 8.5.

   

4. By default, the option to apply DEP only to essential Windows programs and services is selected. For stronger protection, you can turn on DEP for all programs and services. If you choose that option, DEP may sometimes shut down a program to prevent it from running.

If DEP does shut down a program you need, you have a couple choices:

• Contact the program manufacturer to find out whether there's a version of the program that runs under DEP.
• If you trust the program, you can add it to the list of programs that are allowed to bypass DEP. To accomplish that, you need to click the Add button and then navigate to and double-click the executable file (typically, such a file has the extension .exe) that DEP is shutting down.

Wrap-Up

When it comes to general computer security, the “big three” items are a firewall, malware protection, and automatic updates. Chapters 7 and this chapter cover those topics. Comprehensive malware strategy is beyond the scope of this book. But don't forget that running under a Standard user account (see Chapter 4) counts, too. Furthermore, you have less technical “social” threats to consider, such as phishing scams and pop-up ads.

The main points for this chapter are as follows:

• Automatic updates provide a quick and simple way to protect your computer against current software exploitation malware.
• Unless you have some compelling reason to do otherwise, you should allow Windows 8.1 to automatically download and install updates daily.
• Data Execution Prevention (DEP) offers another layer of protection against threats that work by sneaking errant code into sensitive parts of system memory.