Do I need the Windows2000 critical updates?

[eXistenZ]

Windows2000
Service Pack 4
_____________

Posted to win2000 windows_update
but I will try here also.

I have recently reinstalled Windows2000
I have Service Pack 4 on my machine.
I have good anti virus and firewall installed.
I have totally disabled Windows Update.

Do I really need all the critical updates?
How vulnerable am I without them?

Any help or advice appreciated.
eXistenZ

 

[walter666]

Use this answer at your own risk. All I claim is that it works for me.

I have an AMD Athlon 2000+ with Windows 2000 SP4. I also have an install
Rollup 1.

Like you, I do not install any critical (or other) updates. In addition to
the inconvenience of dozens of updates, they break my system. E.g. MSI no
longer works after certain update(s). This makes it impossible to install
certain programs that depend on .MSI files.

Given these hassles, I decided to stop installing any Windows Updates. This
is where the USE AT YOUR OWN RISK counsel applies:

I never go to any risky sites. In fact, I generally go only to trusted
sites. I never let any site install software. Any software that I download,
I virus-check before installing. I do not open email attachments until I
check them and unless I know the sender. I do not install "free"
screensavers (*.scr) or any .exe/.com/etc files. I also turned off Windows
Update. I won't let it run.

In short, I am extremely cautious.

My security suite presently consists of:

o AVG Antivirus
o Filseclab Personal Firewall
o Ad-Aware
o Spybot Search & Destroy
o Spyware Blaster
o Spyware Guard

I check these for updates *every day*.

If you are willing to do all these things, and if you can intuitively smell
a rat in proffered "free" software, then you might get away with my
approach. It sounds like you are headed in that direction, which is why I
bothered to reply.

I have been using this for several years now with no (zero) problems.

 

[walter666]

Forgot to add: I *never* use Internet Explorer. Currently I use Firefox
(Windows/Linux) or Konqueror (Linux).

Sentence about Rollup1 should read "I also have installed Rollup 1," which
is another Windows security fix collection. And I have installed the IE6
update/security CD, although I do not use IE.

 

[eXistenZ]

Use this answer at your own risk. All I claim is that it works for me.

I have an AMD Athlon 2000+ with Windows 2000 SP4. I also have an install
Rollup 1.

Like you, I do not install any critical (or other) updates. In addition to
the inconvenience of dozens of updates, they break my system. E.g. MSI no
longer works after certain update(s). This makes it impossible to install
certain programs that depend on .MSI files.

Given these hassles, I decided to stop installing any Windows Updates. This
is where the USE AT YOUR OWN RISK counsel applies:

I never go to any risky sites. In fact, I generally go only to trusted
sites. I never let any site install software. Any software that I download,
I virus-check before installing. I do not open email attachments until I
check them and unless I know the sender. I do not install "free"
screensavers (*.scr) or any .exe/.com/etc files. I also turned off Windows
Update. I won't let it run.

In short, I am extremely cautious.

My security suite presently consists of:

o AVG Antivirus
o Filseclab Personal Firewall
o Ad-Aware
o Spybot Search & Destroy
o Spyware Blaster
o Spyware Guard

I check these for updates *every day*.

If you are willing to do all these things, and if you can intuitively smell
a rat in proffered "free" software, then you might get away with my
approach. It sounds like you are headed in that direction, which is why I
bothered to reply.

I have been using this for several years now with no (zero) problems.

Thankyou for your detailed reply.
I asked this question because my computer
got into all sorts of trouble from allowing all
updates from Microsoft.
In addition to my firewall and anti-virus
I too use Ad-Aware and Spybot Search & Destroy.

eXistenZ

 

[walter666]

Dear eXistenZ,

Glad I could help.

My short answer would have been:

If you are very careful and know what you are doing, you do not need those
wretched updates.

 

[Pegasus \(MVP\)]

My clients (who are mostly accountants) are a careful bunch.
They too tend to stay away from risky sites. After providing their
IT support for several years I have come to realise that running
automatic updates breaks more machines than not running it.
I therefore disable it on those machines I consider low risk PCs.
Having a "natural" firewall in the form of an ADSL modem/router
helps to keep out hackers.

 

[Lanwench [MVP - Exchange]]

In

Windows2000
Service Pack 4
_____________

Posted to win2000 windows_update
but I will try here also.

Hi - in the future, you should crosspost to multiple groups in a single
message, rather than multiposting individual messages, to save people some
work....that way everyone can follow the thread.

I have recently reinstalled Windows2000
I have Service Pack 4 on my machine.
I have good anti virus and firewall installed.
I have totally disabled Windows Update.

Do I really need all the critical updates?
Probably.

How vulnerable am I without them?
Depends.


Any help or advice appreciated.

I don't recommend leaving your computer unpatched, because there is a reason
an update is marked 'critical' - if you don't know what it's going to do,
research it first before installing it. However, I use WU to update all my
workstations - all of them, not just Win2k/XP - and have rarely run into
problems. If you do, you likely have underlying OS or software or malware
problems. It's your choice whether you choose to patch - but I think it's
unwise not to, even if you've got your firewall & AV up and practice safe
hex.

 

[Frank Booth Snr]

Windows2000
Service Pack 4
_____________

Posted to win2000 windows_update
but I will try here also.

I have recently reinstalled Windows2000
I have Service Pack 4 on my machine.
I have good anti virus and firewall installed.
I have totally disabled Windows Update.

Do I really need all the critical updates?
How vulnerable am I without them?

Any help or advice appreciated.
eXistenZ

I think only the SP4 rollup 1 which is a collection of patches for more
obscure security issues might be helpful. Other than that a decent
tested brand name firewall provides all the protection I need.

 

[Andrew Rossmann]

Use this answer at your own risk. All I claim is that it works for me.

I have an AMD Athlon 2000+ with Windows 2000 SP4. I also have an install
Rollup 1.

Like you, I do not install any critical (or other) updates. In addition to
the inconvenience of dozens of updates, they break my system. E.g. MSI no
longer works after certain update(s). This makes it impossible to install
certain programs that depend on .MSI files.

I have access to numerous Win2K computers, and have NEVER had an MSI
issue with all updates installed. Did you ever stop and think that one
of your 'guard' programs could be messing things up and not working with
one of the updates? Try installing Windows and all updates, THEN install
all the condoms.

I never go to any risky sites. In fact, I generally go only to trusted
sites. I never let any site install software. Any software that I download,
I virus-check before installing. I do not open email attachments until I
check them and unless I know the sender. I do not install "free"
screensavers (*.scr) or any .exe/.com/etc files. I also turned off Windows
Update. I won't let it run.

Just what is a 'trusted' site? More and more sites often pull data from
other sites. More and more sites have been hacked and had malware
installed on them. More and more 'zero-day' hacks are coming out. It can
take days before a new threat is identified and virus/adware scanners
updated. Even staying away from IE is no panacea. Firefox has several
nasty bugs of it's own.

 

[David H. Lipman]

From: "eXistenZ" <[email protected]>

|
| Windows2000
| Service Pack 4
| _____________
|
| Posted to win2000 windows_update
| but I will try here also.
|
| I have recently reinstalled Windows2000
| I have Service Pack 4 on my machine.
| I have good anti virus and firewall installed.
| I have totally disabled Windows Update.
|
| Do I really need all the critical updates?
| How vulnerable am I without them?
|
| Any help or advice appreciated.
| eXistenZ
|

Do you change the oil in your car ?
Do you check the air in your tires ?
Do you do a periodic tune-up ?

Well the automobile is a mechanical system and it requires maintenance.

A computer with associated OS is an electronic computing system and it too requires
maintenance.

 

[Pegasus \(MVP\)]

From: "eXistenZ" <[email protected]>

|
| Windows2000
| Service Pack 4
| _____________
|
| Posted to win2000 windows_update
| but I will try here also.
|
| I have recently reinstalled Windows2000
| I have Service Pack 4 on my machine.
| I have good anti virus and firewall installed.
| I have totally disabled Windows Update.
|
| Do I really need all the critical updates?
| How vulnerable am I without them?
|
| Any help or advice appreciated.
| eXistenZ
|

Do you change the oil in your car ?
Do you check the air in your tires ?
Do you do a periodic tune-up ?

Well the automobile is a mechanical system and it requires maintenance.

A computer with associated OS is an electronic computing system and it too requires
maintenance.

Your comparison is inappropriate.

You need to change the oil in a car because the oil deteriorates
over time and because it gets contaminated with metallic particles.
Semiconductors in a PC don't get contaminated.

You check the air in your tires because air leaks out over time.
In a PC, nothing leaks out.

You tune up your car's engine because various components lose
their optimal settings. This does not happen with PCs, and critical
updates won't "tune up" a PC.

The purpose of critical updates is mostly to strengthen the
defences of the operating system against newly discovered
weaknesses, not because of "wear, tear and leaks" as in a
car. If a Windows installation is not exposed to new threats
then it will perform as well after three years as on the day it
was loaded. And if it fails because of some malfunction then
a critical update will not fix it, only a reload.

 

[David H. Lipman]

From: "Pegasus (MVP)" <[email protected]>


|
| Your comparison is inappropriate.
|
| You need to change the oil in a car because the oil deteriorates
| over time and because it gets contaminated with metallic particles.
| Semiconductors in a PC don't get contaminated.
|
| You check the air in your tires because air leaks out over time.
| In a PC, nothing leaks out.
|
| You tune up your car's engine because various components lose
| their optimal settings. This does not happen with PCs, and critical
| updates won't "tune up" a PC.
|
| The purpose of critical updates is mostly to strengthen the
| defences of the operating system against newly discovered
| weaknesses, not because of "wear, tear and leaks" as in a
| car. If a Windows installation is not exposed to new threats
| then it will perform as well after three years as on the day it
| was loaded. And if it fails because of some malfunction then
| a critical update will not fix it, only a reload.
|

I don't think so.

Both are systems. Both conform to the "Chaos and Complex Systems" postulate.

All are maintenance factors. If you fail to perform maintenance on a system the system can
have a sub-system or complete system failure or you will derive chaos of another form.

There is chaos in the mechanical system if proper maintenance is not performed and there is
chaos in the computing platform as well.

Chaos in the mechanical system (the auto example) could exhibit itself with a broken hose, a
flat tire, misfiring, etc.

Chaos in the computing system could exhibit itself with code exploitation, lockups, memory
read failures, etc.

 

[Pegasus \(MVP\)]

From: "Pegasus (MVP)" <[email protected]>


|
| Your comparison is inappropriate.
|
| You need to change the oil in a car because the oil deteriorates
| over time and because it gets contaminated with metallic particles.
| Semiconductors in a PC don't get contaminated.
|
| You check the air in your tires because air leaks out over time.
| In a PC, nothing leaks out.
|
| You tune up your car's engine because various components lose
| their optimal settings. This does not happen with PCs, and critical
| updates won't "tune up" a PC.
|
| The purpose of critical updates is mostly to strengthen the
| defences of the operating system against newly discovered
| weaknesses, not because of "wear, tear and leaks" as in a
| car. If a Windows installation is not exposed to new threats
| then it will perform as well after three years as on the day it
| was loaded. And if it fails because of some malfunction then
| a critical update will not fix it, only a reload.
|

I don't think so.

Both are systems. Both conform to the "Chaos and Complex Systems" postulate.

All are maintenance factors. If you fail to perform maintenance on a system the system can
have a sub-system or complete system failure or you will derive chaos of another form.

There is chaos in the mechanical system if proper maintenance is not performed and there is
chaos in the computing platform as well.

Chaos in the mechanical system (the auto example) could exhibit itself with a broken hose, a
flat tire, misfiring, etc.

Chaos in the computing system could exhibit itself with code exploitation, lockups, memory
read failures, etc.

True, but Critical Updates (which is the subject of this
thread) will not fix any of these issues. If you think that
you can repair chaos-related problems with Critical Updates
then you will be sadly disappointed.

 

[David H. Lipman]

From: "Pegasus (MVP)" <[email protected]>


|
| True, but Critical Updates (which is the subject of this
| thread) will not fix any of these issues. If you think that
| you can repair chaos-related problems with Critical Updates
| then you will be sadly disappointed.
|

Going to web site that uses the VMLFill-Exploit and getting a Backdoor.Haxdoor will
undoubdetly cause chaos. Mitigated by the Critical Patch associated with KB925486 and
announed via MS06-055.

The concept here is Preventative maintenance. You don't fix the problem, you prevent it.

In this case it is installing a Critical Update such as KB925486.

With an automobile it is checking the air in the tire, changing the oil, replacing the fuel
filter, etc.

 

[walter666]

Do you change the oil in your car ?

Do you check the air in your tires ?
Do you do a periodic tune-up ?

Well the automobile is a mechanical system and it requires maintenance.

A computer with associated OS is an electronic computing system and it too requires
maintenance.

Your point--- ?

 

[walter666]

He just doesn't get it.

 

[GHalleck]

From: "Pegasus (MVP)" <[email protected]>


|
| True, but Critical Updates (which is the subject of this
| thread) will not fix any of these issues. If you think that
| you can repair chaos-related problems with Critical Updates
| then you will be sadly disappointed.
|

Going to web site that uses the VMLFill-Exploit and getting a Backdoor.Haxdoor will
undoubdetly cause chaos. Mitigated by the Critical Patch associated with KB925486 and
announed via MS06-055.

The concept here is Preventative maintenance. You don't fix the problem, you prevent it.

In this case it is installing a Critical Update such as KB925486.

With an automobile it is checking the air in the tire, changing the oil, replacing the fuel
filter, etc.

While the concept is valid, one still must be careful in what
a critical update or patch may do to an existing system. Using
the [older] automobile as an example, one does not, for example,
use any synthetic SE-grade oil to replace a "natural" SE-grade
oil just because the former is an updated version of refined
crude. As with any action dealing with Microsoft updates, test
first and then trust.

 

[David H. Lipman]

From: "GHalleck" <[email protected]>


| While the concept is valid, one still must be careful in what
| a critical update or patch may do to an existing system. Using
| the [older] automobile as an example, one does not, for example,
| use any synthetic SE-grade oil to replace a "natural" SE-grade
| oil just because the former is an updated version of refined
| crude. As with any action dealing with Microsoft updates, test
| first and then trust.

You are absolutely correct.

The most stable OS is a plain vanilla OS.

As you add and remove software, modify the settings, install updates and patches it will
move away from stability, or drift, to some degree. Malware may make that stability drift
more promionent.

Installing a new HotFix or patch *may* take a PC over the edge of stability. The
possibility of such is not accross the board. It will be dependent on the each individual
PC and how it has been maintained and/or used.

 

[John]

Your analogy has one problem. In automobile preventitive maintenance, you're
not modifying the original design of the automobile. When one installs
software updates, the original design of the operating system is altered to
prevent new dangers but those alterations can also cause other software not
to function. It would be like removing a flat tire and replacing it with
another tire that is of a different radius. The car will drive but you'll
notice the steering now pulls to one side.

 

[David H. Lipman]

From: "John" <[email protected]>

| Your analogy has one problem. In automobile preventitive maintenance, you're
| not modifying the original design of the automobile. When one installs
| software updates, the original design of the operating system is altered to
| prevent new dangers but those alterations can also cause other software not
| to function. It would be like removing a flat tire and replacing it with
| another tire that is of a different radius. The car will drive but you'll
| notice the steering now pulls to one side.
|

No not really. Take for example replacing a gasket or a hose that would have the propensity
to leak.

The analogy is quite valid. I could make the same analogy to *any* complex system. I just
chose the automobile as the easiest to understand the parallel concepts.

You said "When one installs software updates, the original design of the operating system is
altered...". No it isn't. The orginal design and implememtation reamins the same. Take
the VML in HTML Vulnerability. The ONLY thing that was changed was to correct the buffer
overflow situation that could be exploited. The whole concept of the VLM module remained
the same.