CHAPTER 7
Automatic Updates as Security

Internet security is a never-ending cat-and-mouse game between the security experts and the hackers who seem to have endless amounts of time to search for new ways to exploit the basic programmability of PCs. Every time the good guys find a way to patch some security hole that the bad guys have learned to exploit, the bad guys find two more holes to exploit.

Windows 10 is the most secure Windows version ever, by a long shot. But no computer is 100 percent secure because people can always find a way to turn something good into something bad. So, in addition to the security features discussed in Chapter 6, you need to keep your computer up to date with security patches as they become available.

Windows Update in Windows 10 builds on one of the most essential components in the OS engine: its self-healing and self-patching ability. An operating system can never be defect-free, and when a defect is discovered that must be “fixed” quickly, Windows Update kicks in. In Windows 10, Microsoft has installed the technology that may once and for all end the idea of an “upgrade.” That's what Windows Update and this chapter are all about.

Understanding Automatic Updates

Many people are afraid of Windows Update—they're afraid that the updates will break something on their system that they can't fix. It's true that any change to your system can create a problem. But keeping up with updates is unlikely to cause any significant problems—certainly nowhere near as many problems as you expose yourself to by not keeping up with updates. In addition, Windows Update creates restore points before installing many updates (but not for all updates), so you have the added security of being able to restore the system to a point prior to the update.

Other people fear that Microsoft will somehow exploit them through automatic updates. That isn't the way updates work. Microsoft has tens of millions of customers and tens of billions of dollars. It doesn't need to exploit anybody to be successful. Microsoft is also a publicly held company on the stock exchange, which means it's subject to constant scrutiny. When you're making up your mind about which companies to trust, large, publicly held companies are by far the most trustworthy, if for no other reason than that they can't afford to be untrustworthy.

A third common fear of automatic updates centers around the question “What's this going to cost me?” The answer to that is simple: Absolutely nothing. This brings us to the difference between updates and upgrades.

Updates versus upgrades

People often assume that the terms update and upgrade are synonymous. We certainly use the terms interchangeably in common parlance. But in the computer world, there is a big difference. Upgrades usually cost money and involve a fair amount of work. For example, upgrading from Windows 8.1 to Windows 10 costs you some money and takes some time. However, updating your existing version of Windows 10 to Windows 10 Anniversary Edition is actually a free upgrade (for at least a year after it's released) and your previous version simply morphs into Windows 10. You don't even need to hire someone to verify that the upgrade worked.

Why updates are important

Automatic updates are an important part of your overall security. Many forms of malware, especially viruses and worms, operate by exploiting previously unnoticed flaws in programs. The term exploit, when used as a noun in computer science, refers to any piece of software that can take advantage of some vulnerability in a program in order to gain unauthorized access to a computer.

Some hackers actually publish, on the Internet, exploits they discover, which is both a good thing and a bad thing. The bad thing is that other hackers can use the exploit to conjure up their own malware, causing a whole slew of new security threats. The good thing is that the good guys can quickly create security patches to prevent the exploits from doing their nefarious deeds. Automatic updates keep your system current with security patches that fix the flaws that malware programs attempt to exploit.

Enabling Automatic Updates

Administrators now can have more control over updates by altering the update deferral increment from weeks to days. Changes can be made to the following updates:

  • Quality updates can be deferred up to 30 days and paused for 35 days.
  • Feature updates can be deferred up to 180 days and paused for 60 days.
  • Update deferrals can also be applied to both Current Branch (CB) and Current Branch for Business (CBB). Further explanation of branch management is beyond the scope of this book.
  • Drivers can be excluded from updates.
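An administrator can confirm what a machine is actually configured to defer. The following PowerShell is an added example, not from the book: it reads the Windows Update Group Policy registry values and compares them with the limits listed above. The key path and value names are the documented policy names, not names given in this chapter, and deferrals set only through the Settings app are not read.

```powershell
# Added example: compare Windows Update deferral policy with the chapter's limits.
# Assumption: settings are delivered by Group Policy under the key below.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Maximum deferral in days, as stated in the list above.
$MaxDays = [ordered]@{
    DeferQualityUpdatesPeriodInDays = 30
    DeferFeatureUpdatesPeriodInDays = 180
}

function Get-PolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-UpdateDeferralReport {
    foreach ($name in $MaxDays.Keys) {
        $days = Get-PolicyValue -Name $name
        if ($null -eq $days) {
            $finding = 'not configured: no deferral set by policy'
        } elseif ($days -gt $MaxDays[$name]) {
            $finding = 'exceeds the maximum stated in the chapter'
        } elseif ($days -gt 0) {
            $finding = "updates of this type arrive up to $days days late"
        } else {
            $finding = 'no deferral'
        }
        [pscustomobject]@{
            Setting = $name; Value = $days; Limit = $MaxDays[$name]; Finding = $finding
        }
    }

    # 1 means drivers are excluded from the updates Windows Update installs.
    $drivers = Get-PolicyValue -Name 'ExcludeWUDriversInQualityUpdate'
    if ($drivers -eq 1) { $finding = 'drivers are not updated by Windows Update' }
    else                { $finding = 'drivers are included' }
    [pscustomobject]@{
        Setting = 'ExcludeWUDriversInQualityUpdate'; Value = $drivers
        Limit = $null; Finding = $finding
    }
}

Get-UpdateDeferralReport | Format-Table -AutoSize -Wrap
```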

Automatic updates are the best way to keep up with security patches. In fact, chances are, they're already enabled on your system. To find out, open Windows Update. As you know from previous chapters, you simply click Settings to launch the Settings applet. Then click the “Update & security” image. Figure 7.1 shows the Update & security applet.


FIGURE 7.1 The Settings applet showing the Windows Update & security option.

Managing Updates

When you open the Update & security applet, you see the status of your updates. To see if updates are available for download, click the Check for updates button as shown in Figure 7.2. The system searches for updates as shown in Figure 7.3.


FIGURE 7.2 The Windows Update & security applet showing update status.


FIGURE 7.3 The Windows Update & security applet checking for updates.

But sometimes you may be faced with optional updates. These updates aren't security related. Instead, they're new versions of drivers, fixes for minor bugs, or some other type of update. They're optional because your computer is secure whether you install the update or not. To see how Windows will update other Microsoft products, click Advanced options. This is shown in Figure 7.4.


FIGURE 7.4 The Windows Update & security applet showing how it will update other Microsoft products.

From the Windows Update & Security applet Advanced options, you can choose from these values for the option Choose How Updates Are Installed:

  • Give me updates for other Microsoft products when I update Windows. By enabling this option through the check box, you are essentially letting Microsoft decide which of its other products, such as Microsoft Office, it will update.
  • Defer feature updates. If you defer updates, you will not have the newest Windows features when they are available. It could be a few months before they are downloaded.
  • Use my sign in info to automatically finish setting up my device after an update. This option allows you to not have to sign in to finish the setup process for an update to your device. If you enable this option, Windows 10 finishes the process without the need for you to enter your password.

Note that when checking for other updates, Windows Update might update itself first.

Updates won't download over a metered connection. On a metered connection, charges may apply, as shown in Figure 7.5.


FIGURE 7.5 The Windows Update & security applet setting for automated updates.

You can now decide when your computer restarts after an update. Setting your active hours prevents Windows Update from restarting your computer to install updates while you are using your machine.

If you want to schedule a time for a restart to finish installing updates, click Restart options, shown in Figure 7.5. This option temporarily overrides the active hours setting. The computer must be turned on for this feature to run at the scheduled time. This is shown in Figure 7.6.


FIGURE 7.6 The Windows Update & security applet in prompt to restart mode.

Also on the applet is a link that allows you to view your update history. When you click this link, the applet opens the pane shown in Figure 7.7 and provides a list of your recent updates, successes, and failures.


FIGURE 7.7 Windows Update & security applet showing update history.
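The same history can be read from a script, which is useful for spotting a patch that keeps failing and was never installed. The following PowerShell is an added example, not from the book: it uses the Windows Update Agent COM interface, and the 90-day window and function name are choices made for this example.

```powershell
# Added example: list updates whose most recent install attempt failed.
$ResultNames = @{
    0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
    3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted'
}

function Get-UnresolvedUpdateFailure {
    param([int]$Days = 90)   # look-back window, chosen for this example

    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return }

    # History entries carry UTC timestamps.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)

    $searcher.QueryHistory(0, $total) |
        # Operation 1 = installation (2 = uninstallation).
        Where-Object { $_.Operation -eq 1 -and $_.Date -ge $cutoff -and $_.Title } |
        Group-Object -Property Title |
        ForEach-Object {
            # A failure followed by a later success is resolved, so only
            # the newest attempt per update decides whether it is reported.
            $latest = $_.Group | Sort-Object -Property Date -Descending |
                Select-Object -First 1
            if ($latest.ResultCode -in 4, 5) {
                [pscustomobject]@{
                    Title    = $latest.Title
                    LastTry  = $latest.Date
                    Result   = $ResultNames[[int]$latest.ResultCode]
                    HResult  = '0x{0:X8}' -f [int]$latest.HResult
                    Attempts = $_.Count
                }
            }
        }
}

Get-UnresolvedUpdateFailure | Sort-Object -Property LastTry -Descending |
    Format-Table -AutoSize -Wrap
```

An empty result means every update attempted in the window eventually installed; the HResult column is the error code to look up for anything that is listed.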

You can also select the option “Choose how your download updates.” The applet pane for choosing these options appears, as shown in Figure 7.8.


FIGURE 7.8 The Windows Update & security applet provides choices for downloading updates.

Here you can toggle the option on to get the updates faster by getting them from other machines on your network, or from either other machines on your network or the Internet.

The applet displays the following message: “Getting builds faster means you'll see new things sooner. Getting builds slower could mean more solutions are available for issues.”

Additionally, you can select the option to get Insider builds. Insider is like a beta tester group at Microsoft that you can join to preview new software that has not yet been released to manufacturing (RTM).

Thwarting Exploits with Data Execution Prevention

Thwarting malware attacks that exploit software vulnerabilities is the most important element of automatic updates. But Windows 10 offers a second way of thwarting such attacks. It's called Data Execution Prevention (DEP). Don't use DEP as an alternative to other techniques described in this part of the book. Instead, use it in addition to other techniques.

Many malware attacks use a technique called buffer overflow (or buffer overrun) to sneak code (program instructions) into areas of memory that only the Windows operating system should be using. Those areas of memory have direct access to everything on your computer. So, any bad code that sneaks into that area can do great damage.

DEP is a security antidote to such attacks. It monitors programs to make sure they use only safe and appropriate memory locations. If DEP notices a program trying to do something sneaky, it closes that program before it can do any harm.

By default, DEP is enabled for essential Windows programs and services only. When coupled with antivirus protection, that setting is usually adequate. You can crank it up to monitor all programs and services. But if you do, you may also have to individually choose programs that are allowed to bypass DEP. Knowing when that's okay requires technical expertise that goes beyond the scope of this book.

To get to options for DEP, follow these steps:

  1. Open Control Panel then System and Security. The System window opens.
  2. In the left column, click Advanced System Settings. The System Properties dialog box opens.
  3. Select the Advanced tab, click the Settings button on the Performance heading, and then select the Data Execution Prevention tab. You see the options shown in Figure 7.9.
  4. By default, the option to apply DEP only to essential Windows programs and services is selected. For stronger protection, you can turn on DEP for all programs and services. If you choose that option, DEP sometimes may shut down a program to prevent it from running.

FIGURE 7.9 Data Execution Prevention options.

If DEP shuts down a program you need, you have two choices:

  • Contact the program manufacturer to find out whether a different version of the program runs under DEP.
  • If you trust the program, you can add it to the list of programs that are allowed to bypass DEP. To accomplish that, click the Add button and then navigate to and double-click the executable file that DEP is shutting down. Typically, such a file has the extension .exe.
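Every program added to the bypass list runs without DEP, so the list is worth reviewing from time to time. The following PowerShell is an added example, not from the book: it reports the DEP policy in effect and lists the programs exempted from it, with their signature status. It assumes the exceptions added through the dialog box are stored as DisableNXShowUI entries under the AppCompatFlags\Layers registry key; that location is not given in this chapter.

```powershell
# Added example: report the DEP policy and review the bypass list.
$DepPolicy = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn'
    2 = 'OptIn: essential Windows programs and services only (default)'
    3 = 'OptOut: all programs except those on the bypass list'
}

function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $DepPolicy[[int]$os.DataExecutionPrevention_SupportPolicy]
        AppliesTo32BitApps   = $os.DataExecutionPrevention_32BitApplications
        AppliesToDrivers     = $os.DataExecutionPrevention_Drivers
    }
}

function Get-DepException {
    # Assumption: value name = path of the exempted program,
    # value data contains 'DisableNXShowUI'.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return }

    foreach ($program in $key.GetValueNames()) {
        if ([string]$key.GetValue($program) -notmatch 'DisableNXShowUI') { continue }

        $exists = Test-Path -LiteralPath $program -PathType Leaf
        $signature = 'n/a'
        if ($exists) {
            # An unsigned or tampered binary on the bypass list deserves a closer look.
            $signature = (Get-AuthenticodeSignature -LiteralPath $program).Status
        }
        [pscustomobject]@{
            Program = $program; FileExists = $exists; Signature = $signature
        }
    }
}

Get-DepStatus | Format-List
Get-DepException | Format-Table -AutoSize -Wrap
```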

Wrapping Up

In general computer security, the “big three” items are a firewall, malware protection, and automatic updates. Chapters 7 and this chapter cover those topics. Comprehensive malware strategy is beyond the scope of this book. But don't forget that running under a Standard user account (see Chapter 4) counts, too. Furthermore, you have fewer technical “social” threats to consider, such as phishing scams and pop-up ads.

The main points in this chapter are the following:

  • Automatic updates provide a quick and simple way to protect your computer against current software exploitation malware.
  • Unless you have a compelling reason to do otherwise, you should allow Windows 10 to automatically download and install updates daily.
  • Data Execution Prevention (DEP) offers another layer of protection against threats that work by sneaking errant code into sensitive parts of system memory.