Friday, June 18, 2010

a whitelist user's perspective on windows update

as i may have mentioned before, i use whitelists - for web content (via noscript), for basic network traffic (via my router's port forwarding functionality), and also for traditional applications (via the application launch control functionality of my software firewall). whitelisting is an important part of my security strategy but if there was one thing that made me wish i didn't use application whitelisting it would be windows update.

you see, i don't add the programs involved in software updates to my whitelist. in fact, i don't add the majority of programs on my system to the whitelist. i don't want them being able to run without my knowledge or authorization, especially those that give no indication that anything is running in the first place, and even more so for components that have any role in installation/update. i'm not about to enable silent installs using existing components. and frankly i expect updates to be new anyway, so there's little point adding those. for the most part that's not a big deal: i just take note of what program is trying to run (so that i can catch anything that looks suspicious), give a one-time authorization and let the program do its thing. even for updating most software that's not a big deal, but when it comes to windows update it's a very big deal.

microsoft, for reasons that i can't begin to fathom, are clearly cobbling the update procedure together from as many bits and pieces as they can. i know this because of the number of program executions i need to permit (it's a lot) and how big of an interruption it is. on my older, slower system that i only power on on the weekends i started permitting various parts of windows update on saturday. i don't really have the time (or patience) to sit around clicking every couple of minutes for hours on end, so the confirmation dialog only gets clicked when i have time to go back and check on its progress (and i sit there for a little bit, clicking here and there until i have to leave again). as of tuesday morning the update was still going. it took until monday just to get to the point of saying "there are updates ready to install". i can only hope that by the time this post is published the update will finally be finished and i can power the machine down.

some people might consider this a failure of application whitelisting, but i don't. microsoft has designed their update procedure to involve far, far too many invocations of far, far too many separate executables. they need to stop expecting that they can run whatever system components they want, whenever they want, however many times they want with impunity. it's wasteful of resources and it's wasteful of my time.


Bontchev said...

Well, it would have been useful if you could tell the whitelisting software to whitelist everything digitally signed by Microsoft...

kurt wismer said...

even if that were possible i still wouldn't do it for the same reason i haven't added the lion's share of applications on my system to the whitelist.

if i whitelist applications that give no indication as to when they are running then i'll no longer know when they are being run - especially if they're being run by something malicious which doesn't itself trigger an application whitelisting alert because it's not recognized as an application.

applications that run silently, and especially those that are involved in the installation of software, are those that i would never add to my whitelist regardless of whether they're signed by microsoft because doing so would allow them to be reused maliciously without my knowledge.

generally speaking i whitelist the things that need to run as part of the bootup process as well as the applications i use everyday just for the sake of convenience.
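To make the trade-off in the exchange above concrete, here is an added example (not code from the post or from either commenter) that models the two launch-control policies over constructed process-launch events: the explicit per-image whitelist with one-time prompts described in the post, and the "allow anything Microsoft signs" rule suggested in the first comment. The paths, signer strings and the `unknown.exe` parent are assumed sample values, not captured from a real system.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Launch:
    image: str     # path of the executable being started
    signer: str    # publisher named in its Authenticode signature, "" if unsigned
    parent: str    # image of the process that started it
    silent: bool   # shows no window, so the user gets no other hint that it ran

# The post's rule: only boot-time components and everyday applications are listed.
EXPLICIT_ALLOW = {r"C:\Windows\explorer.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"}
TRUSTED_SIGNER = "Microsoft Corporation"

def explicit_policy(ev: Launch) -> str:
    """Allow listed images only; anything else raises a one-time authorization prompt."""
    return "allow" if ev.image in EXPLICIT_ALLOW else "prompt"

def signer_policy(ev: Launch) -> str:
    """The commenter's suggestion: additionally allow anything carrying the trusted signature."""
    if ev.signer == TRUSTED_SIGNER:
        return "allow"
    return explicit_policy(ev)

def evaluate(events: List[Launch], policy: Callable[[Launch], str]) -> Dict[str, int]:
    """Count prompts the user has to click, and silent launches that never produce a prompt."""
    prompts = sum(1 for ev in events if policy(ev) == "prompt")
    unseen = sum(1 for ev in events if ev.silent and policy(ev) == "allow")
    return {"prompts": prompts, "silent_unseen": unseen}

# Constructed sample of one update run: three silent, signed system components plus
# one everyday application the user started themselves.
UPDATE_RUN = [
    Launch(r"C:\Windows\System32\wuauclt.exe", TRUSTED_SIGNER, r"C:\Windows\System32\svchost.exe", True),
    Launch(r"C:\Windows\System32\msiexec.exe", TRUSTED_SIGNER, r"C:\Windows\System32\svchost.exe", True),
    Launch(r"C:\Windows\System32\rundll32.exe", TRUSTED_SIGNER, r"C:\Windows\System32\wuauclt.exe", True),
    Launch(r"C:\Program Files\Mozilla Firefox\firefox.exe", "Mozilla Corporation", r"C:\Windows\explorer.exe", False),
]
# The reuse case from the reply: the same signed, silent installer component started by an
# unrecognised parent (constructed name) rather than by the update service.
REUSE = [Launch(r"C:\Windows\System32\msiexec.exe", TRUSTED_SIGNER, r"C:\Temp\unknown.exe", True)]

if __name__ == "__main__":
    for name, policy in (("explicit", explicit_policy), ("signer", signer_policy)):
        print(name, "update run:", evaluate(UPDATE_RUN, policy), "reuse:", evaluate(REUSE, policy))
```

The explicit policy costs three prompts for the update run but turns the reuse case into a prompt as well; the signer policy removes all prompts and, with them, the only signal that the silent component was started by something other than the update service.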