Internet security is a never-ending cat-and-mouse game between the security experts and the hackers who seem to have endless amounts of time to search for new ways to exploit the basic programmability of PCs. It seems that every time the good guys find a way to patch some security hole the bad guys have learned to exploit, the bad guys find two more holes to exploit. Windows Vista is certainly the most secure Windows ever, by a long shot. But there is no such thing as a 100-percent secure computer, because people can always find a way to take something good and turn it into something bad. So in addition to the security features discussed in the preceding articles, you need to keep your computer up-to-date with security patches as they become available. That’s what Windows Update and this articleare all about.

Understanding Automatic Updates

Many people are afraid of Windows Update. They’re afraid that the changes to their system that the updates make will break something that they can’t fix. It’s certainly true that any change to your system could create a problem. But it’s unlikely that keeping up with updates will cause any significant problems— certainly nowhere near as many problems to which you expose yourself by not keeping up with updates. Others fear that Microsoft will somehow exploit them through automatic updates. That’s not the way it works. Microsoft has tens of millions of customers, and tens of billions of dollars. It doesn’t need to exploit anybody to be successful. Desperate people (and companies) do desperate, exploitive things. Microsoft is as far from desperate as you can get. Microsoft is also a publicly held company on the stock exchange, which means it is subject to constant scrutiny. Such companies are not the ones that distribute malware. Most malware comes from e-mail attachments and free programs from unknown sources. When it comes to knowing who to trust and not to trust, large publicly held companies are by far the most trustworthy, if for no other reason than they can’t afford to be untrustworthy. A third common fear of automatic updates centers around the question “What’s this going to cost me?” The answer to that is simple: Absolutely nothing. Which brings us to the difference between updates and upgrades.

Updates versus upgrades

People often assume that the terms update and upgrade are synonymous. We certainly use the terms interchangeably in common parlance. But in the computer world, there is a big difference. Upgrades usually cost money, and involve a fair amount of work. For example, upgrading from Windows XP to Windows Vista will cost you some money, and will take some time. You might even need to hire someone to verify that the upgrade will work, and do the upgrade for you. Updates are much different. Updates are small, simple, and free of charge. Some people turn of automatic updates because they’re afraid they’ll get some mysterious bill for something they downloaded automatically without realizing it. That will never happen. Turning on and using automatic updates will never cost you a penny.

Why updates are important

Automatic updates are an important part of your overall security. Many forms of malware, especially viruses and worms, operate by exploiting previously unnoticed flaws in programs. The term exploit, when used as a noun in computer science, refers to any piece of software that can take advantage of some vulnerability in a program in order to gain unauthorized access to a computer. Some hackers actually publish, on the Internet, exploits they discover, which is both a good thing and a bad thing. The bad thing is that other hackers can use the exploit to conjure up their own malware, causing a whole slew of new security threats. The good thing is that the good guys can quickly create security patches to prevent the exploits from doing their nefarious deeds. Automatic updates keep your system current with security patches that fix the flaws that malware programs attempt to exploit.

Some Hacking Lingo

The hacking world is replete with its own terminology. A zero day exploit is one that becomes available before a software product is even released to the public. A blackhat is a bad guy who has sufficient technical knowledge to find and publish exploits. A script kiddie is an inexperienced programmer who doesn’t have enough skill to create or discover his own exploits, but does have enough expertise to create malware based on known exploits. A whitehat is one of the good guys—the security experts who find ways to thwart the efforts of blackhats and script kiddies.

Enabling Automatic Updates

Automatic updates are the best way to keep up with security patches. In fact, chances are they are already enabled on your system. To find out, just open Security Center. In case you skipped the preceding articles, or forgot how, you can use any technique that follows to open Security Center:

- Click the Start button and choose Control Panel->Security -> Security Center. - Tap the Windows key, type sec, and click Security Center under Programs. - Double-click the shield icon in the Notification area. If the Automatic updating bar is green and shows “On,”  there’s no need to change anything. Your computer has been getting automatic updates all along. It will continue to do so provided you don’t turn automatic updates off.

If automatic updates are turned off, seriously consider turning them on. To do so, just click the Turn on Now button in Security Center.

Managing Updates

In Windows Vista Automatic updates related to security require little or no effort on your part. But there may be times where you’re faced with optional updates. These updates aren’t security related. Rather they’re new versions of drivers, fixes for minor bugs, and so forth. They’re optional because your computer is secure whether you install the update or not.

Managing optional updates

To manage optional updates, and tweak some settings, use the Windows Update page in Control Panel. To get to that page: - Click the Start button and choose Control Panel ->  Security  ->  Check for Updates. - Or Tap the Windows key, type win, and choose Windows <version> Extras. A window opens. If there are any optional updates, click View available updates to see what they are. The name of each will be listed next to an empty checkbox. You have three options for dealing with each one: - If you want to download and install the update, select (check) its checkbox. - If you want to hide the item so it doesn’t show up in the future, right-click it and choose Hide update. (It won’t go into hiding until you leave the current window.) - If you want to get more information about the item before you decide, right-click its name and choose View details. If you opted to install any optional updates, click the Install button and follow the onscreen instructions to proceed. If you don’t want to install any optional updates, click Cancel.

Change how updates work

In the left column of the Windows Update page, you can click Change settings to change how automatic updating works. You’ll come to the options. The preferred (and most secure) setting is the one shown, where Windows checks for critical updates daily at 3:00 A.M. So, what if your computer isn’t turned on and online at 3:00 in the morning? Will you miss out on something important? Not at all. For one thing, there is no time limit on updates. After an update is posted, it stays posted forever. So you can download and install it at any time. If your computer isn’t on and online at 3:00 A.M., it will check for updates and download them in the background as soon as you do go online. (“In the background” means “without interfering with whatever you want to do yourself.”) Also, if you shut down the computer before the scheduled time, Windows will offer to check for updates before you shut down. So any way you slice it, you don’t have to worry about missing out on anything important.

Of course, you’re free to choose a different schedule if you prefer, such as weekly at noon or whatever. But daily at 3:00 A.M. is fine. As an alternative to fully automatic updates, you can choose one of the other options shown on the page. For example, you can have Windows download the updates, but ask your permission before actually installing them. Or, you can just be alerted to available updates, then choose whether or not you want to download or install them. Finally, you can choose to turn off automatic updating altogether. If you choose that option, the only way to get updates is to click Check for updates at the left side of the Windows Update page. By default, only critical updates are downloaded and installed. A critical update is one that’s needed to protect your computer against current Internet threats. Choosing Include recommended updates... extends that to less-critical updates that aren’t directly related to security. Recommended updates are usually things like minor bug fixes or improvements to Windows and other Microsoft products. Click OK after making any changes to your settings, or click Cancel to leave all settings in their original state.

Reviewing and removing updates

The fact that there are well over 200,000 hardware and software products available for Windows means that once in a while, an update could cause problems with a particular device or program. Typically you fix that problem by going to the product manufacturer’s Web site and finding out what they recommend. If the manufacturer hasn’t fixed the problem yet, and you need immediate access to the device or program, you might want to temporarily remove the conflicting update, especially if it isn’t a critical security update. To review your history of installed updates, click View update history in the left column. If you need to remove any installed updates, click Installed updates in the history page that opens. Click the update you want to remove and then click Remove. If necessary, you can reinstall the update later by clicking Check for updates in the left column of the Windows Update page.

For more information and general troubleshooting, click the Updates: frequently asked questions link at the left side of the Windows Updates page.

Thwarting Exploits with DEP

Thwarting malware attacks that exploit software vulnerabilities is the most important element of automatic updates. But Windows Vista offers a second way of thwarting such attacks. It’s called Data Execution Prevention or DEP for short. You don’t want to use DEP as an alternative to other techniques described in this part of the book. Rather, you want to use it as an addition to all the other techniques described in this book. For a little background, many malware attacks use a technique called buffer overflow (or buffer overrun) to sneak code (program instructions) into areas of memory that only the operating system (Windows) should be using. Those areas of memory have direct access to everything on your computer. So any bad code that sneaks into that area can do great damage. Data Execution Prevention is a security antidote to such attacks. It monitors programs to make sure they use only safe and appropriate memory locations. If DEP notices a program trying to do anything sneaky, it shuts that program down before it can do any harm.

By default, DEP is enabled for essential Windows programs and services only. When coupled with antivirus protection, that setting is usually adequate. You can crank it up to monitor all programs and services. But if you do, you might also have to individually choose programs that are allowed to bypass DEP. Knowing when that’s okay may require technical expertise that goes beyond the scope of this book. To get to options for DEP, first open the System window using whichever technique is most convenient:

- Click the Start button, right-click Computer, and choose Properties.

- Click the Start button and choose Control Panel ->  System and Maintenance  ->  System.

- Tap the Windows key, type sys, and click System under the Programs heading.

- In the Welcome Center, click More Details. Regardless of the method used, you end up in the System window. In the left column, click Advanced System Settings. That takes you to the System Properties dialog box.

In System Properties, click the Advanced tab, click the Settings button on the Performance heading, and then click the Data Execution Prevention tab. By default, the option to apply DEP to essential Windows programs and services only is selected. For stronger protection, you can turn on DEP for all programs and services. If you choose that option, there may be times where DEP shuts down a program to prevent it from running.

Many modern processors offer NX technologies, which prevent buffer overflows at the hardware level. When that’s the case, Windows supports that hardware-based DEP. For processors that don’t have hardware DEP, Windows uses DEP software to achieve the same result.

If DEP does shut down a program you need, you have a couple of choices. One is to contact the program manufacturer to find out if there’s a version of the program that runs under DEP. Otherwise, if you trust the program, you can add it to the list of programs that are allowed to bypass DEP. To accomplish that, you’ll need to click the Add button, then navigate to and double-click the executable (typically .exe) file that DEP is shutting down.