a whitelist user's perspective on windows update

as i may have mentioned before, i use whitelists - for web content (via noscript), for basic network traffic (via my router's port forwarding functionality), and also for traditional applications (via the application launch control functionality of my software firewall). whitelisting is an important part of my security strategy but if there was one thing that made me wish i didn't use application whitelisting it would be windows update.

you see, i don't add the programs involved in software updates to my whitelist. in fact, i don't add the majority of programs on my system to the whitelist. i don't want them being able to run without my knowledge or authorization, especially those that give no indication that anything is running in the first place, and even more so for components that have any role in installation/update. i'm not about to enable silent installs using existing components. and frankly i expect updates to be new anyways so there's little point adding those. for the most part that's not a big deal, i just take note of what program is trying to run (so that i can catch anything that looks suspicious) give a one-time authorization and let the program do it's thing. even for updating most software that's not a big deal, but when it comes to windows update it's a very big deal.

microsoft, for reasons that i can't begin to fathom, are clearly cobbling the update procedure together from as many bits and pieces as they can. i know this because of the number of program executions i need to permit (it's a lot) and how big of an interruption it is. on my older, slower system that i only power on on the weekends i started permitting various parts of windows update on saturday. i don't really have the time (or patience) to sit around clicking every couple of minutes for hours on end so the confirmation dialog only gets clicked when i have to time to go back and check on it's progress (and i sit there for a little bit, clicking here and there until i have to leave again). as of tuesday morning the update was still going. it took until monday just to get to the point of saying "there are updates ready to install". i can only hope that by the time this post is published the update will finally be finished and i can power the machine down.

some people might consider this a failure of application whitelisting, but i don't.  microsoft has designed their update procedure to involve far, far too many invocations of far, far too many separate executables. they need to stop expecting that they can run whatever system components they want, whenever they want, however many times they want with impunity. it's wasteful of resources and it's wasteful of my time.

Tweet