There’s one thing that caught my eye in the Security Intelligence Report, volume 8, that I want to bring up, and that is a graph on page 13:

http://download.microsoft.com/download/4/3/8/438BE24D-4D58-4D9A-900A-A1FC58220813/Microsoft_Security_Intelligence_Report%20_volume8_July-Dec2009_English.pdf

http://www.microsoft.com/security/about/sir/videos.aspx#1

See that blue bar of “Windows update” only? First off I’m going to ASSume that if you are still on Windows update you are using Shavlik, or BigFix or WSUS or SOMETHING other than manually going to Microsoft update to get your updates. You are, right? And that’s why you still have Windows update as your patch engine on those workstations and servers, right?

But if there’s a server or a workstation in your domain that is still only going to Windows update and you don’t have a third party patching tool … EXCUSE ME!!!! Have you not been listening to me for the past several years beating you over the head that Windows update JUST updates Windows and Microsoft Update ensures that it scans for all other Microsoft platforms?  That you need to go to Windows update and flip yourself to Microsoft update!

Microsoft offers an extension to Windows Update called Microsoft Update. This service allows you to get updates for other Microsoft products, as well as receive notices of new Microsoft software that you can download and install for free. Here’s how to get updates and notices about new software:

1. Open Windows Update by clicking the Start button. In the search box, type Update, and then, in the list of results, click Windows Update.

2. If you’ve never checked for updates before, in the left pane, click Check for updates. Wait for Windows Update to finish checking for updates.

3. In the Windows Update dialog box, click Find out more under Get updates for other Microsoft products. Follow the steps on the screen to start using Microsoft Update.

4. In the left pane, click Change settings.

5. Under Microsoft Update, select the Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows check box.

6. To get notifications of new Microsoft software, select the Show me detailed notifications when new Microsoft software is available check box.

7. Click OK. (Administrator permission required.) If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.

Source:
http://windows.microsoft.com/en-us/windows7/Change-how-Windows-installs-or-notifies-you-about-updates

Also see Tip #1 at the bottom of this page: http://windows.microsoft.com/en-us/windows7/How-can-I-tell-if-my-computer-is-up-to-date 
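The opt-in from the steps above can also be checked from a script, which helps when you have more than a handful of machines to look at. This is an added example, not code from Microsoft or from the original post: it uses the Windows Update Agent COM API (`Microsoft.Update.ServiceManager`) and the Microsoft Update service ID, while the `-Enable` switch and the client application label are names made up for this sketch.

```powershell
# Added example: report whether this machine is opted in to Microsoft Update,
# and optionally opt it in. Run from an elevated prompt when using -Enable.
param([switch]$Enable)   # hypothetical switch name for this example

# Service ID the Windows Update Agent uses for Microsoft Update
$MicrosoftUpdateId = '7971f918-a847-4430-9279-4a52d1efe18d'

$manager = New-Object -ComObject Microsoft.Update.ServiceManager
$manager.ClientApplicationID = 'MU-OptIn-Audit'   # constructed label

# List every update service the agent knows about, so the report shows
# what this machine actually scans against (Windows Update, WSUS, ...).
$services = @($manager.Services | ForEach-Object {
    [pscustomobject]@{
        Name               = $_.Name
        ServiceID          = $_.ServiceID
        IsRegisteredWithAU = $_.IsRegisteredWithAU   # used by Automatic Updates
        IsManaged          = $_.IsManaged            # True for a WSUS-managed service
    }
})
$services | Format-Table -AutoSize

# -eq is case-insensitive, so the GUID's letter case does not matter
$mu = $services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateId }

if ($mu) {
    Write-Output "$env:COMPUTERNAME is opted in to Microsoft Update."
}
elseif ($Enable) {
    # Flags 7 = asfAllowPendingRegistration (1) + asfAllowOnlineRegistration (2)
    #         + asfRegisterServiceWithAU (4)
    $null = $manager.AddService2($MicrosoftUpdateId, 7, '')
    Write-Output "Microsoft Update opt-in requested on $env:COMPUTERNAME."
}
else {
    Write-Warning "$env:COMPUTERNAME only scans Windows Update. Rerun with -Enable to opt in."
}
```

On a machine that points at WSUS you will see a managed service in the list; whether Microsoft Update should also be registered there depends on how your patching tool is set up.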

But wait… I ain’t done raking you over the coals just yet.  I want you to ask yourself about the other stuff.

You’d better have a means to update Adobe Acrobat, Adobe Flash, Sun Java, QuickTime, iTunes and your iPhones, iPads and iWhatevers these days.

If all you are caring about is Windows update and not all the other third party stuff that is on your workstations, man you are a ticking time bomb.

Windows update is not enough.  WSUS is not enough.  Look for a third party patching platform to help you identify all of the software that needs updating these days.

 

2 Responses to You are still using Windows update? Say what?

  1. Dean says:

    I’m really confused on this. With all of the zero day exploits and 60,000 new versions of malware being released PER DAY does it really matter anymore? I don’t know. Does it?

    It seems to me that we need more local control over this stuff these days than just relying on patches because the one thing that I am not confused on is that we are not winning the patch war.

  2. bradley says:

    To me this is base. You have to have this as a foundation otherwise you can’t even begin to start dealing with zero days.