|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
I spotted this post the other day. And the big big takeaway of the article is that a key issue with feature updates is driver updates. As we’ve discu
[See the full post at: Patch Lady – how do you handle drivers?]
Susan Bradley Patch Lady/Prudent patcher
I’m confused. Firmware and drivers are two different animals yet you seem to be mixing them up in your post. Also, what is a “vendor firmware updating tool”? I’ve never heard of such a thing before although I know about vendor tools that scan your computer to see if various drivers need updating. (IMO those should always be ignored and one should go directly to the software vendor(s) for any driver updates. One should NEVER allow Microsoft to botch a driver update via Windows Updates! Plus, never, ever do bios updates unless done by the vendor’s representative who takes full responsibility for the possible bricking of your computer. I am speaking, of course, as an individual user not as an IT person managing a number of seats that need firmware or driver updating and it is not clear if your post is aimed only at small business IT folks or at ordinary computer users or both.
So, I am puzzled by your comment about needing to be “proactive about finding updates” for …drivers or firmware….you are not clear which you are talking about, but if you mean drivers I am not at all proactive in finding updates for drivers whether it is on my Windows 10 Pro machine or my superior Windows 8.0 Pro machine. Plus, how can you update drivers that will only work with a newer version of Windows 10 Pro than the one you have BEFORE you get the newer version of windows 10 installed?
Link fixed. 
Because there is an ‘urgent’ update on Dell update page for my machine. Plus I am on Windows 1803 and one of the suggestions I saw said to ensure your drivers & BIOS are updated to help prevent any potential issues. I’d rather not update the BIOS, (I agree, if it ain’t broke…..) but I think/feel it would be advisable given my need to update Windows soon. And then I hope I can leave it alone!!! Go make better use of the time & energy I’ve been wasting on all this!! There will be instances where I have to update – security issues probably being the most critical, but I agree that most of the time, the updates are not anything I want, need or care about and it can cause more harm than good, for me average, non-tecchie user.
As a home user with two unconnected desktop PCs, my policy on firmware and driver updates remains as it has always been.
I don’t touch firmware updates because they carry an enormous risk of bricking the machine and rarely if ever offer any significant benefit whilst often being impossible to undo if things go wrong. Any supposed security benefit from such updates cannot usually be quantified in any meaningful way and is not in my view worth the performance threat – as we saw with some such updates a while ago which slowed machines down considerably. I’ve not seen any indication that those who failed to install those updates have suffered any issues as a result.
As for driver updates, I stick to the “If it ain’t broke, don’t fix it” rule. Although I’m a gamer, I don’t play the type of game where a benchmark improvement of 0.0001% cannot be missed out on, so with graphics and sound drivers etc I stick to the ones that are running everything smoothly and don’t go looking for trouble! I’m convinced that one of the reasons why my games run so well compared to a lot of complainers on forums is because they’re installing unproven beta drivers every few weeks while I’m sticking with the ones from several years ago that have never given me any problems. Very occasionally I’ve had reason to update a graphics driver but I don’t recall ever having updated a sound or mouse driver, for example.
An additional reason for rejecting new drivers would be where they introduce a new feature that I don’t want or need but which increases the chances of something going wrong, not least given the abysmal level of pre-release testing these days. I just want the basics to work. I apply the same approach to things like washing machines where I avoid the ones with all the complicated extra features and buttons that light up like an airplane cockpit display! Keep it simple and the chances are it will prove to be more reliable.
If, however, there were ever compelling reasons to install a particular driver update then I would do so through the manufacturer’s website and not through Windows Updates. A machine would probably have to stop working for me to consider a firmware update in which case I’d drop it into my local repair shop and get them to deal with it, probably having some sort of component upgrade done at the same time.
Obviously my perspective will differ from that of many others, and I don’t have the sort of responsibilities that a company IT manager would have. It’s in the light of this sort of approach, of course, that I find the whole “need” to upgrade from Windows 7 to Windows 10 so frustrating – a classic case of “If it ain’t broke, don’t fix it”!
This advice flies in the face of decades of experience. Precisely the opposite of the advice I give.
Microsoft Update is the worst possible source for Windows Updates, followed closely behind by the myriads of “driver update” web sites.
My advice which I have give time and again and I believe this is the same advice offered by numerous tech advisers:
NEVER update drivers unless you have a specific driver that is causing a problem. Then, update that driver and no others. Your only source of drivers is the OEM of the equipment. Further, the same advice applies to firmware.
The key is this kind of updating should be based on problem solving.
CT
1980’s thinking sees firmware and drivers as “black box” technology.
If you understand that it’s all software, with the same propensity for bugs and vulnerabilities as any other package, you realize that it’s worthy of patching as well. (You update your firewall firmware for the same reasons, don’t you?)
If you believe good habits and an antivirus package will protect you against all outside interference, and you don’t ever patch anything, well… bless your heart.
Btw, CT – why do you bother patching Windows 7 up to the level that you do? Why not just have a “completely clean” SP1 install and leave it there? If the “don’t touch it” strategy is the best, why not save as much time as possible?
As for Spectre, there is something that bothers me with the comment that keeps coming back that it is overblown and there is no attack. Maybe I am wrong, but from what I understand of Spectre, it is a clever technical way to have access to all your RAM. You go to an infected website, some javascript magic deduct the content of your RAM using the delay it takes to respond based on predictive CPU instructions having put the content in cache if present or not, thus the difference in timing. How long it takes to read a lot or all RAM, some say it might not be that long.
There are a lot of eyes out there that are looking for just this kind of thing, and all it would take would be for one individual to discover a Spectre attack in the wild for it to hit the world press. It would provide an instant boost to fame and credibility for any given researcher who found it, and I’d have to think they know what to look for and how to find it. Even with all the eyes out there looking for the elusive Spectre malware, the threat remains as elusive as Bigfoot. If and when an actual exploit is discovered, it will be dealt with… malware signatures will be created, mitigation strategies will be devised. Until then, we’re trying to protect against a phantom.
While it’s quite obviously possible that it is out there in the wild, trying to catch something randomly that may be of use in some random passerby’s RAM, the odds are that it isn’t. If the malware that can do this exists anywhere in the world, it’s almost certainly not being deployed to read bits of the RAM of random visitors to a site. The more people that are exposed to the malware, the more likely detection becomes, so why waste such a valuable thing on random people? The odds of getting anything worthwhile to the attacker (which would depend on what he is looking for) are not great, and with all of the hoopla over this, nearly everyone who just gets whatever patches Microsoft or Apple or Google throws out there is already patched, so it’s that much less likely that anyone would bother if the intended victims are random people.
If there is a Spectre malware anywhere out there, it almost certainly belongs to someone waiting to use it for a truly special target… probably someone at a nation-state level. To use it to try to entrap random people is high risk (of having the exploit discovered) with low potential value compared to more mundane, conventional malware techniques.
We’re trying to defend ourselves from the rare to nonexistent but spectacular threat that has no known victims to date, while the known victims of more boring threats (the kind that don’t have logos!) continue to grow. If you’re trying to use malware to make money or steal identities, there are far better choices that deliver a lot more bang for the buck. Good old phishing is still a much more productive way to get sensitive data… just ask for it, and a certain percentage of people will just hand it right over.
As for my own approach to Spectre… things that incur little performance penalty would be left enabled, but the things that cause a noticeable hit to performance will probably remain off until the threat becomes less Bigfoot and more brown bear.
I haven’t turned off multithreading on my one PC (my Dell G3) that has that feature, but I haven’t bothered to turn off most of the Spectre mitigations that came automatically with kernel and microcode updates, as the G3 is already my fastest PC overall, so it can absorb the damage without annoying me more effectively. On my Acer Swift, which is actually not swift at all, I have several of the mitigations in the Linux kernel (some of which work in conjunction with microcode updates) turned off.
As I see it, the odds of me encountering a working Spectre script out there are slim, but the odds of me having performance penalties are not. Everything in life has some degree of risk, and if we were to be totally risk averse, it would be impossible to ever do anything.
I have my own mitigation strategy that don’t involve slowing my PC down, though it’s not really about Spectre as much as scripts in general. I use uMatrix to ensure I don’t run every script a web site throws at me, and the script hosts I do whitelist are the ones I think are relatively trustworthy, given the circumstances. Google is not trustworthy in terms of keeping my private data private, but I don’t think they are a threat in terms of using Spectre. I cannot guarantee that the scripts I greenlight will never contain a Javascript malware, but it improves the odds (which are already in my favor) quite a lot.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
I was recently given a “broken” ASUS laptop by a neighbor. It had failed back in early 2017 so was Win 10 Home 1607 with all the original drivers and bios from 2015/2016.
After replacing the keyboard (neighbor had obviously spilled a drink on it) it worked fine. I used Windows Update to install available 1607 Cumulative Updates (after hiding drivers, meltdown fixes and telemetry updates via wushowhide). I then used my 1809 iso for an offline upgrade.
Post upgrade, winver still showed the build as 1607! Also, I experienced odd bugs and behaviors so I restored the Reflect image I’d made and started over.
The second time, I went to the ASUS support site for the specific laptop model and downloaded all the current drivers for the laptop, including the latest BIOS and bios flashing software. Also, I used the Intel Drivers and Support Assistant which said I was fully patched. Of course this utility does NOT cover chipsets and many other drivers [see: https://www.intel.com/content/www/us/en/support/articles/000032252/software/software-applications.html ].
But, before any newer drivers, I used the ASUS bios flashing software to update the bios. ASUS has very good update software that made it painless. Other manufacturers, ymmv. I also had little to lose except the cost of the keyboard.
I then compared the installed driver versions with those download from ASUS, those offered by Microsoft and those offered by Intel. In nearly every case I used the ones obtained from ASUS support.
Bottom line, I then upgraded to 1903 with everything working just fine. Sometimes getting things current does work out for the best.
Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.
I am individual user too. I have to update my BIOS soon. Who is the vendor’s representative??? I don’t have anyone but me. I have a Dell and will get the update from their website.
You are aware of Dell’s official position on updating bios (actually their legal “cover my butt position”)? I have had Dells only (XPS line) from my first computer with Windows 98. By “vendor representative” I meant Dell official support. (I always buy 5 years if offered but since Windows 8 Dell has only offered 4 years unless you are Enterprise). Currently I have both hardware and software support by Enterprise techs (even though I have Windows 10 Pro. It’s a free upgrade courtesy of the Dell salesperson I called when I was ready to purchase this machine).
I was not aware of Dell’s official policy regarding BIOS updates and allowed Dell tech to do one BIOS date shortly after I got the computer and had a problem that necessitated that I call Dell Pro Support Plus and while helping with the problem I called about (hardware) the tech made me install (after I had uninstalled it when I got the machine) that awful junk program they have for keeping drivers, etc up to date (so I wasn’t affected when Dell had that major security breach with it). After installing and running it, the tech noticed I didn’t have the bios update and I reluctantly installed it as he directed while he was on the phone with me. Nothing went wrong but I got a substantially slowed system because the update was from intel (to mitigate basically non existent security threats) and I was a fool to allow it and subsequent bios updates are for the same thing. I spent a lot of money on this system yet my Dell XPS with Windows 8 Pro (not 8.1) is much faster and a far better machine in every way yet both have SSDs as the primary drive. The Windows 8 machine got no bios updates (that I recall and certainly no Intel ones as those are only for 8.1 not 8.0) and it still is running fine in a hostile environment (on the ocean with no airconditioning) beginning its eighth year now.
Anyhow, Dell’s official position on bricking a machine from a BIOS update is available in the Dell forums. But it is not something told to buyers when they buy a Dell and should be. The main Dell forum mod (who has been there a LONG time) says to not update the BIOS unless you have Dell do it and you get the name of the tech and his/her badge number in writing beforehand. There are a number of threads in the Dell forums (especially in the XPS desktop forum) asking about why there are so many “urgent” Bios updates now and how risky are they. I remember when it was extremely rare to need to update a computer’s Bios ever during its life span and now, every time you turn around, it seems, there is another Bios update almost always from Intel.
Each of us has to make our own decision regarding Intel based Bios updates. I lost speed with the one Bios update I allowed and I spent a LOT on my CPU and do not want further crippling. Further warning, do NOT update Bios because Dell Support Assist (if you didn’t get rid of that garbage) tells you that you should or because you went to your Dell support pages/drivers and are told there to install the newer “urgent” Bios. If you are still in warranty, you will be covered for ONE ONLY FOR THE LIFE OF THE COMPUTER replacement mobo but if you only got a standard one year warranty, and you are out of warranty, and you update the Bios because Dell’s support page for your computer said it was “urgent” or for whatever reason EXCEPT FOR A DELL TECH DIRECTING YOU TO UPDATE THE BIOS UNDER THEIR SUPERVISION and that breaks the motherboard’s CMOS you will have to pay for a new mobo and install it yourself. Even if a Dell tech instructs you and guides you in updating Bios, if you are out of warranty, you will be sent a replacement mobo but you are on your own to install it.
IMO, even today, the ONLY reason to EVER upgrade a Bios is if the vendor tells you to do so because the new Bios fixes a serious bug.
when it comes to device drivers, Windows 10 uses the “Device Driver Retrieval Client” module (not the WU client module) to silently download and install certain hardware driver updates without any user consent or user input.
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Notifications
