Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Please do NOT advise your users to turn off automatic updates because of *one* problem update

February 13th 2009 in Uncategorized

The latest “Rollup for ActiveX Killbits for Windows” (KB960715) is causing problems for some third party applications that are dependent on the disabled controls.

One application that has problems, “Office Tools Professional”, is advising its users to not only uninstall the Killbit patch (thereby restoring the broken functionality), but also to “turn off automatic updates”.  Please do not turn off automatic updates.  Simply uninstall the problem patch.

Office Tools Professional is wrong to tell its customers to “turn off automatic updates” just because *their* program has been negatively impacted by *one* patch.  Yes, they should tell their customers warn them of the problem and to uninstall 960715 until OTP has been updated to resolve the problem – yes they should put an alert up on their support site and a new article in their Knowledge Base about the issue – BUT THEY SHOULD ALSO tell their clients to read the relevant Security Advisory so that their clients understand what they are doing, are aware of the impact that removing the update will have, and are aware of any available workarounds that can be used in place of the patch.  They should also make sure to tell their clients that if they “turn off automatic updates” they may be exposed to elevated risk because future security updates will not be installed unless their clients remember to go out and get them manually.

I can understand that OTP may be worried that users who have set their systems to automatically download and install patches may be impacted again next month, but there is no reason why they cannot supply step by step instructions to their customers to show them how to change their patching protocols to “download but do not install” and then selectively install all but the problem patch.

What happens to their customers next month if/when the next round of security patches come out if automatic updates has been turned off completely?  What if there is a patch for a show-stopper security vulnerability that is actively being exploited?  What if their clients don’t install *that* patch because of OTP’s advice, and they then get hit by a nasty?  Historically, I have seen plenty of software companies tell customers to “turn off automatic updates” when a problem with a particular patch is discovered that affects their software, but I cannot remember a single time when the same company has sent out another email later saying “ok, problem fixed, turn AU back on again”.  Nor have I seen software companies send out emails to say “we told you to turn off AU last month; please make sure you manually download and install this months patches but don’t install patch X”.


3 comments to...
“Please do NOT advise your users to turn off automatic updates because of *one* problem update”

Maik
wrote on February 14th, 2009      

Office Tools UNProfessional?



Ryan
wrote on February 18th, 2009      

Are you kidding me?  Automatic Updates has historically been known to break more things than it fixes.  I cringe and hide under my desk every Patch Tuesday.

XP SP3, Office 2003 SP3, kb960715, kb905915, kb904706, kb902400, kb830846…. the list goes on.  I mean, we can’t forget the DCOM RPC patches in kb823980 and kb824146, that were so successful that we ended up with the Blaster worm a month later.

Oops.

OTP wasn’t wrong in this.  Disable AU, get a good third-party protection package from F-PROT, Kapersky, or avast!, and move on.  Microsoft’s offerings are fundamentally broken if the kill bits that are meant to protect IE are instead disabling ActiveX controls that are referenced in full-fledged VB6 or pre-2007 Office applications.  

Many small businesses can’t afford to port legacy applications to .NET, and having controls like WinSock or FlexGrid wantonly disabled can utterly cripple otherwise-functional applications.  Even worse, if you perform the registry workaround just for the objects you need, AU will reinstall kb960715 again.

Leaving AU on in a production environment is the surest way to bring things to a screeching halt.



sandi
wrote on February 18th, 2009      

Your comment “Disable AU, get a good third-party protection package from F-PROT, Kapersky, or avast!, and move on” indicates that you are not even remotely familiar with the current threat environment facing every internet user. Every day, nay many times a day, I encounter malware and malicious web sites that are not detected and not blocked by antivirus. And, the stuff that is getting through is not kids play. Once on a system it can be extremely difficult to remove, and the security implications are terrifying – keyloggers, rootkits, backdoors – the worst of the worst.

My alternative to your brickbat advice is this – the businesses should get themselves a good patch management program, test and deploy high risk patches, and only block the installation of the individual patches that may cause problems on their network.

My advice stands – do not disable automatic updates.


The Google Anti-Malvertizing Team have created a “custom search engine intended to help ad network customers conduct quick background checks on prospective partners” that can be seen here:

Google Malvertizing Research

The search engine pulls content from various dedicated forums and blogs, including Spyware Sucks.  It can certainly help reduce the “signal to noise” ratio that can […]

Previous Entry

Filed – Consent motion to withdraw motion to dismiss for lack of personal jurisdiction of defendants James Reno and ByteHosting Internet Services, LLC – 12 February 2009 “By agreement of the Plaintiff the Federal Trade Commission and Defendants James Reno and ByteHosting Internet Services, LLC, and in anticipation of […]

Next Entry

Archives