To update or not to update...

[Nuclear Krusader]

Recently, I've seen a barrage of problems stemming from Windows updates, from machines that ran fast and then like snails after the updating, to BSODs.

Other than the service packs, are there updates that are not really needed? Honestly, I've started recommending customers to not update at all.

Any input on this?

[pam123]

It won't hurt to wait a few days to see what's what but my general rule is :
Critical security updates, always.

It doesn't mean Microsoft can't mess those up it means that the penalty for not installing them can be dire.

Anything else at the owners' discretion.

[Force Flow]

I usually wait a couple weeks before applying updates to see if any issues crop up. Otherwise, I always install them.

Can't say I've ever seen any major issues that weren't cured with a driver update.

[Nuclear Krusader]

I was wondering the same thing... So, if you don't install one of the security updates, does that mean your PC's security can be compromised even behind a firewall?

I seldom install updates on my machines. I have the Windows Updates turned off. When I feel like updating, I turn it on, update, and then turned it off again. Last time I updated my Win7 and Vista systems was a couple of weeks ago. The time before that one was way back in January, I think.

[Force Flow]

Quote:

Originally Posted by Nuclear Krusader I was wondering the same thing... So, if you don't install one of the security updates, does that mean your PC's security can be compromised even behind a firewall?

In some cases, yes.

Case in point: A few weeks back, there was an exploit with the Help system that could allow an attacker to gain access to your computer. I think it may have been featured at one of the hacker conferences, although I could be mistaken. Either way, it is now patched.

[HAL9000]

Never had an issue with updates and I let it update automatically.

[Statica]

I usually update once every 6-8 months or so. I know it's not the recommended way of doing things, but I try to keep squeaky clean browsing and email habits .. given Microsoft's "patch for a patch" way of breaking things .. I just dont trust them. I'd rather have an updated antivirus and hold on to a steady system than let them muck it up.

[David M]

The bad guys are always looking for exploits and there are hundreds of thousands of them out there. Absolutely update.

I let them download automatically, but I choose when to install them since it always seems the update installations occur at the worse times.

[rwest]

Quote:

Originally Posted by Nuclear Krusader Recently, I've seen a barrage of problems stemming from Windows updates, from machines that ran fast and then like snails after the updating, to BSODs.

Never seen a BSOD from an update, but service pack 2 for XP crippled many machines. Although I would consider it a necessary update.

Service pack 3 for XP was also huge , but not as bad.

Really, it depends on your computer. My sytstem in my sig. I let autoupdate.

My rule is, if the system can handle it, then let it do it. You'll get the necessary security updates. If the system has been upgraded to run the OS then load an earlier OS and let it update, or stay off the internet with it.

I had one system I specifically chose which updates to install. The system had been fully upgraded and too many updates from MS did slow her down. Primarily SP3 for XP. Understand-this was a maxed out P3.

[thefultonhow]

Quote:

Originally Posted by Statica I usually update once every 6-8 months or so. I know it's not the recommended way of doing things, but I try to keep squeaky clean browsing and email habits .. given Microsoft's "patch for a patch" way of breaking things .. I just dont trust them. I'd rather have an updated antivirus and hold on to a steady system than let them muck it up.

An updated antivirus is no guarantee that it will fix or even find all virus problems. And I've never had an issue on my personal systems with instability caused by Windows Updates, and the few times I've seen instability on other systems that coincided with an update, a hardware component (e.g. the hard drive) had begun to fail concurrently with the update being installed. That's not to say Windows Updates have never caused problems -- but waiting two weeks should be more than enough time, if you're worried about that. I'm personally not, and I keep automatic updates on because I know I won't do them otherwise.

[Nuclear Krusader]

There were two concrete cases here at the shop: one customer brought her machine, a laptop, which was slow to the point of being unusable. She said that the PC ran fine until she got on the Internet and downloaded and installed Windows updates. Only way to help this XP system was to up the RAM from 256 to 512 MB and it still ran slow, although she said it was a mite better, as in workable. I enquired about her browsing habits: she practically does no web browsing at all, all she needs the Internet for is e-mail. And first thing she did before going online was to install AVG.

There was another customer with the infamous IRQ_LESS_THAN_EQUAL error. The cause? Updating to IE 8 via Windows Updates. Strange, since such error is usually related to hardware. What in that machine's particular hardware configuration wasn't liked by M$ is known to God alone. I advised the customer to set the updates to "notify me but don't download or install" and then to use the Custom option in order to see the list of updates and select from them only the ones that were needed. Now, HOW to know which ones are really needed and which ones will break down the system is the hard part. This customer relies on the machine for business and cannot be risking a trial and error and potential loss of data in case a nuke and pave is the only way to fix a broken OS.

There was another laptop which was restored back to factory defaults, this was a Vista system, ran fine until they loaded the drivers for their HP printer, which installed lots of bloatware from HP of which the HP updater was a piece. The machine now takes more than 5 minutes to even display the desktop. Are updates from HP really necesary? IMO, no; if the printer works fine with the current drivers then just let it be, but of course most customers don't know a lot anent computers and choose the Typical install of everything (Express in the case of Windows Updates), which pretty much grants M$, HP, [insert company here] control of their systems.

[thefultonhow]

Quote:

Originally Posted by Nuclear Krusader There were two concrete cases here at the shop: one customer brought her machine, a laptop, which was slow to the point of being unusable. She said that the PC ran fine until she got on the Internet and downloaded and installed Windows updates. Only way to help this XP system was to up the RAM from 256 to 512 MB and it still ran slow, although she said it was a mite better, as in workable.

You can't actually expect XP SP3 to run well on a system with 512 MB of RAM, let alone 256. People have known 256 is too low since like 2002. 512 was acceptable until SP2 came out; the extra services that SP2 added made 512 insufficient. And staying on SP1 is a death sentence to any security you might have thought you had.

BTW, if you think 512 on a normal computer is slow, try it on a computer on a domain. Yikes! It's all but unusable. Takes like 15 minutes to boot and log in.

Quote:

Originally Posted by Nuclear Krusader There was another customer with the infamous IRQ_LESS_THAN_EQUAL error. The cause? Updating to IE 8 via Windows Updates. Strange, since such error is usually related to hardware. What in that machine's particular hardware configuration wasn't liked by M$ is known to God alone. I advised the customer to set the updates to "notify me but don't download or install" and then to use the Custom option in order to see the list of updates and select from them only the ones that were needed. Now, HOW to know which ones are really needed and which ones will break down the system is the hard part. This customer relies on the machine for business and cannot be risking a trial and error and potential loss of data in case a nuke and pave is the only way to fix a broken OS.

That's usually a driver or memory issue; the IE8 upgrade may have exacerbated either issue, but doubtful that it caused the problem. Sounds like you're putting a band-aid on a potential tumor. You should find the root cause of the problem.

Quote:

Originally Posted by Nuclear Krusader There was another laptop which was restored back to factory defaults, this was a Vista system, ran fine until they loaded the drivers for their HP printer, which installed lots of bloatware from HP of which the HP updater was a piece. The machine now takes more than 5 minutes to even display the desktop. Are updates from HP really necesary? IMO, no; if the printer works fine with the current drivers then just let it be, but of course most customers don't know a lot anent computers and choose the Typical install of everything (Express in the case of Windows Updates), which pretty much grants M$, HP, [insert company here] control of their systems.

HP updates are in no way comparable to Windows Updates. Windows Updates are, by and large, security and bug fixes (service packs do often include increased functionality, but they are imminently necessary and all the updates in them have been pre-vetted before being packaged in). In contrast, any HP software, in my experience, is bloatware. ANY HP software. That includes the apps they're now including with printer and scanner drivers. If you can get just the driver without the app, you'll be much better off.

[Nuclear Krusader]

It's such a chore to install just the drivers without the bloatware. I designed a guide for it but not all customers have been successful with the Custom install.

That's interesting, the IRQ error. Too bad that I won't be in to-morrow and won't be able to suggest that the memory is thoroughly tested. Hmm, maybe a phone call... The machine was declared fixed to-day and it's going back to another city, prolly to-morrow.

I do remember running XP with only 256 MB and being able to do heavy gaming with that configuration. Then again, I had just SP1. That's interesting, as some of the machines brought in are old P4 systems for which memory is no longer available (as in the shop won't get it in). I'm thinking of stopping just at SP2 and forgetting about SP3 for some of these systems. True, they may be open to attack, but the user should be sensible to the fact that these are very old PCs and it's really time to invest in a new one; of course, many of them don't want to spend. What to do is the rhethorical question.

[thefultonhow]

Not installing service packs is asking for trouble. Seriously. That makes the problem 100 times worse than a slow computer. SP3 isn't a big system resource upgrade over SP2 anyway; it's mostly bug fixes. If you need RAM for an older system, go to crucial.com and use the configurator -- they guarantee compatibility. I've never purchased RAM for an older system from Crucial that didn't work perfectly. You may pay a lot, though.

[Statica]

Quote:

Originally Posted by thefultonhow An updated antivirus is no guarantee that it will fix or even find all virus problems. And I've never had an issue on my personal systems with instability caused by Windows Updates, and the few times I've seen instability on other systems that coincided with an update, a hardware component (e.g. the hard drive) had begun to fail concurrently with the update being installed. That's not to say Windows Updates have never caused problems -- but waiting two weeks should be more than enough time, if you're worried about that. I'm personally not, and I keep automatic updates on because I know I won't do them otherwise.

As with most things Microsoft, I would say that .. It is something that varies from system to system. My claim of patches hosing systems is not something as arbitrary as u would make it out to be. For example .. Nearly half of Microsoft's 2010 security patches have known problems | NetworkWorld.com Community
Take a look at the actual statistics of what is actually a patch for something catastrophic ... Again, I am not willing to take my chances of whether I am in the 32% range of not having a broken system.

Yes an antivirus is not the ideal solution, but neither is blindly trusting a patch process that has definitely not got enough testing cycles to be crash proof. Personally, as I said, I'm putting my faith in my habits and the knowledge of the services that I have running, and the possibilities of being exploited ... Instead of doing software installations and upgrades whenever someone else wants me to.

Addendum... list of Microsoft patches causing problems - Google Search .. I'm sure that all these forum postings are just poor unfortunate saps .. And Microsoft has infallible patch releases.
It's a simple statistical reasoning for me .. Chances that I'm going to encounter something truly nasty because of an in-the-wild vulnerability that only a patch has cured ... Vs a quickly released solution that has been sent out that may not have been tested to the full extent that the base OS has been.
I also think that it is conditioning .. The feeling that every patch out there is to address a vulnerability that some hacker is waiting to exploit ..no a lot of patches merely address very specific issues .. Andif i don't have the issues then am not just blindly fixing an unbroken system.

Comes to personal choice .. For me, there is no way that am trusting Microsoft enough that i just keep getting software patches from them without checking first .. There isn't any way that I would do an auto d/l and install scenario ... I am not even interested in an auto d/l and install later method (why waste space if I'm not installing right away)

[thefultonhow]

Wouldn't all these problems be solved by waiting for a couple of weeks rather than half a year? I personally update right away, but waiting a couple of weeks isn't a bad idea if you want to. I think waiting 6 months is a little bit too long, though.

[raftero]

i am no expert but i manually custom dl and install updates that concern security and also update all my other security software every sunday, i don't dl or install hardware updates etc, have done this for several years with no problems.

[Statica]

IMO .. 6 months is not a long time .. heck, I have no idea what a couple of weeks does. Keep in mind that Microsoft rarely breaks its schedule for patch releases .. an out of band patch is a rarity and yes it makes enough press in anticipation of the patch that I, or any responsible person, would look into it (CVE-2010-2568 was the most recent one to address LNK vulnerabilities). Which means that Microsoft will only release a "patch batch" on the 2nd Tuesday of a month.

So what good does it do to wait for a couple of weeks? All I'd be doing is be part of a huge testing community to determine whether the patch works on my particular set of h/w and s/w scenario. It doesn't mean that if it breaks my system, I can expect to find a fix for it .. till maybe the next patch cycle. So in essence, I'm letting a few patch cycles (about 5) to go thru and then picking up the update .. if I actually need it. This isn't the Apple world where h/w is exactly to spec and software is sandboxed for the most part .. in the PC world, I understand the challenge that Microsoft has in keeping the platform going .. trying to even out code that run through a huge probabilities of hardware and frequently ugly software.

So if I've got a stable system running, I'm not rushing out to break it .. especially if the patches arent that mission critical (given the context of my one horse stable .. the situation is, of course, different in an enterprise level). So I've got KB970430 uninstalled of yet ... why? because I dont believe that I need (I quote) "to strengthen authentication credentials in specific scenarios" .. nor do I need KB978464 right now .. why? because I rarely use IE .. and I dont think that I need to risk having an issue by updating Silverlight .. (I think I saw a Silverlight run website .. once).

Of course, your individual mileage on these things will vary .. a lot of people dont even know what they're patching because its in the system before they know it. I prefer to know whats going in .. and why its going in and how it may or may not affect me. To me, Diligence isn't just about saying yes to everything that Microsoft needs me to install .. I like to know a bit more about it.

[thefultonhow]

Quote:

Originally Posted by Statica IMO .. 6 months is not a long time .. heck, I have no idea what a couple of weeks does. Keep in mind that Microsoft rarely breaks its schedule for patch releases .. an out of band patch is a rarity and yes it makes enough press in anticipation of the patch that I, or any responsible person, would look into it (CVE-2010-2568 was the most recent one to address LNK vulnerabilities). Which means that Microsoft will only release a "patch batch" on the 2nd Tuesday of a month. So what good does it do to wait for a couple of weeks? All I'd be doing is be part of a huge testing community to determine whether the patch works on my particular set of h/w and s/w scenario. It doesn't mean that if it breaks my system, I can expect to find a fix for it .. till maybe the next patch cycle. So in essence, I'm letting a few patch cycles (about 5) to go thru and then picking up the update .. if I actually need it. This isn't the Apple world where h/w is exactly to spec and software is sandboxed for the most part .. in the PC world, I understand the challenge that Microsoft has in keeping the platform going .. trying to even out code that run through a huge probabilities of hardware and frequently ugly software. So if I've got a stable system running, I'm not rushing out to break it .. especially if the patches arent that mission critical (given the context of my one horse stable .. the situation is, of course, different in an enterprise level). So I've got KB970430 uninstalled of yet ... why? because I dont believe that I need (I quote) "to strengthen authentication credentials in specific scenarios" .. nor do I need KB978464 right now .. why? because I rarely use IE .. and I dont think that I need to risk having an issue by updating Silverlight .. (I think I saw a Silverlight run website .. once). Of course, your individual mileage on these things will vary .. a lot of people dont even know what they're patching because its in the system before they know it. I prefer to know whats going in .. and why its going in and how it may or may not affect me. To me, Diligence isn't just about saying yes to everything that Microsoft needs me to install .. I like to know a bit more about it.

You wait 2 weeks from Patch Tuesday. If the patch breaks stuff, it will come up in a Google search and you'll know not to install that one. If it doesn't, you can install it. 5 patch cycles is forever from a malware-development standpoint, as the Eastern Europeans are great coders and can whip something up to steal your bank account info in a matter of weeks. Also, you never know how things can cascade in a malware scenario -- if you somehow get infected (however unlikely that may be), the virus may take advantage of an unpatched IE vulnerability to install a rootkit or execute more malicious code, even if you never use IE. Why risk it? Why not just give the internet a couple of weeks to screen your patches for you, and then install them if everything's okay?

[glc]

The only updates that I hold off on for a while are major ones, such as service packs. I NEVER take optional hardware updates (drivers).

[ethanwaber]

Only update security and majors update, please consider that