Are automatic updates a good thing?

Home » General Computing

Summary: Unless you're willing to pay a lot of attention on a very regular basis, automatic updates are an important part of keeping your machine safe.

What are your thoughts on automatic updates? Not Windows updates but automatic updates for my spyware and antivirus programs. I have many anti-spyware and McAfee internet security suite and I have automatic updates turned on on all. Could this lead to problems by leaving my computer open to the net?

This one's easy: I love automatic updates.

Let me explain why, and some of the things to look for to make sure that your automatic updates are safe, and doing what you think.

•

First, I believe strongly that automatic updates for anti-spyware and particularly anti-virus packages is an absolute must. There are simply too many changes - quite literally every day - that keeping them up to date is a must. Doing it automatically is by far the easiest and most reliable way.

"...automatic updates for anti-spyware and particularly anti-virus packages is an absolute must."

Application updates I treat differently. I still want automatic notification of updates and new versions, but:

the update notification should be a true notification - not a regular "do you want to check for updates now" - check it for me, and bother me only if there is something I should be aware of.
the update notification should tell me what it is, and what it's going to do for me - including how important or critical the update might be
I should be able to choose not to install the updates right now, but rather be reminded later
I should also be able to choose not to install the update at all, at least until the next, new, update becomes available.

There are some software packages that do all that, and I really do appreciate them.

And typically, I do accept the updates, but at a time that's convenient for me.

Windows update is a special case. I believe that most users should have automatic updates turned on, and automatically install all updates. That being said, I have it set to notify only, and actually examine the updates being offered before I say yes. And I always say yes.

The relationship of Automatic updates to Windows update is another case of a missed opportunity as well. It appears that Automatic updates only deal with critical issues. If you actually visit the Windows Update site, you may find additional updates that you were not alerted to. (Like Office SP2, which I just now learned of as visited the Windows Update site.) I would prefer some kind of proactive notification for those as well.

As to your concern about security - in a nutshell, I'm not terribly concerned. Most automatic updates are handled through the same mechanisms that your web browser uses to visit web sites. The result is that for most, you're not "opening up" any additional vulnerabilities by enabling automatic updates. And as long as your dealing with reputable vendors, the chances of "automatically" downloading some kind of malware is next to zero. You're at much greater risk by mistakenly clicking on an emailed attachment, not being behind a firewall, or visiting a malicious web site.

Related:

Ask Leo! - How do I keep my computer safe on the internet?
Ask Leo! - How do I make sure that Windows is up-to-date?
Ask Leo! - What's this new 'Security Center' thing in XP service pack 2 all about?

Article 9530 | Posted December 16, 2005

•

Recent Comments

7 Comments

Thank you Leo, I have read the article and found it very helpful.

Posted by: Doug K. at December 16, 2005 3:12 PM

In IE 6, under tools, there is "Windows Update". I have mine set to check for updates every morning at 3 a.m. (when hopefully I am sound asleep).

Posted by: David Heym at December 17, 2005 7:03 PM

Why do you "love" automatic updates when you don't use them yourself? Personally, I much prefer be notified of updates, even though I, like you, always say Yes.

Posted by: pwb at December 19, 2005 12:29 PM

I do use them. The only exception is Windows Update, and it's because I'm a geek and need to know what's going on - as much for here on Ask Leo! as well as for myself. "Normal" people should have it auto-install. I love that too :-).

Posted by: Leo A. Notenboom at December 19, 2005 12:36 PM

Apologies to others if this is a bit technical...

I'm a developer and I like the idea of automatic updates - it certainly helps to make sure users have problems fixed before they know about them, as well as making sure they have all the latest functionality.

My major gripe is that when automatic updates DO cause problems, they're usually whoppers. Added to which, not all companies use an overly secure mechanism - it's not that difficult to redirect a http (web) request to a different webserver - eg editing the hosts file (and yes, I know that's not easy on someone else's Pc but you can spoof DNS entries, poison routers/ARP caches, etc...).

Then, there's nothing to stop Mr. Malicious just substituting the genuine update with their own code. Admittedly, Microsoft and some others use secure HTTP (same as banks) and MD5 hashing (for the non-technical think of it as a short list of letters and numbers that sum up the contents of a file - any change to the file means a different MD5 hash, so you can check that what you've downloaded matches what you expected to download - at least the software should do this internally) but there are still a large number of companies that do NOT use MD5 hashing, secure conenctions or anything else - which I personally find to be a HUGE security hole.

To make things worse, there's already hundreds of programs that let you see what information is being passed back and forth between your computer and , which means anyone malicious can monitor the (legitimate) traffic on their own PC, deduce how it works and then substitute their own.

So I let anything notify me of new updates but if possible, I install them myself unless I trust the security used by the software company as well as the company itself - They may not be malicious but it doesn't always mean they're competent.

Posted by: Simon at May 2, 2008 9:16 AM

automatic updates in our point of vew are not good things to us it means giving way to Genuin programs to intrude in our machines informing us
that we are using malicious soft ware that why keep automatic updates closed

Posted by: abdelrahimsagr at July 18, 2008 11:47 PM

I have Automatic Updates enabled and like the feature, except for one irritating behavior. Some updates require a restart to take effect. I understand that, but I don't understand why Microsoft insists on doing the restart without permission. They give a brief notice and then do the restart. Several times, I've been working on something and have been called away from the computer momentarily. I know I should save before leaving, but I don't always remember. I hate it when I return to discover that the computer has automatically rebooted and I've lost what I was working on. Is there any way to disable this behavior and give me the notice so I can initiate the reboot when I'm ready for it?

The way to deal with this is to have Automatic Updates set to notify you but NOT install automatically. That way you can choose when to install the updates that are available and handle any possibly required reboots.

- Leo
20-Nov-2008

Posted by: Bill Nelson at November 18, 2008 10:57 PM

Post a comment on "Are automatic updates a good thing?":

Name: (Required)

Email Address: (Required)

(Email Address will not be published.)

Remember Me? YesNo

By popular demand...
my tip jar

Buy Leo a Latte!

Comments: (you may use HTML tags for style)

New!

Subscribe to the RSS Feed specifically for comments on this article.

Before commenting, please...

Read the article at the top of this page. If your comment shows you didn't, it'll be deleted and ignored.
Comment only on this article. Use the Google search box at the top of the page if you have a question about something else.
Don't include personal information in the comment. No email addresses. No phone numbers. No physical addresses.
Don't ask me to recover lost passwords or hacked accounts. I can't, and those comments will be deleted.

I can't respond to every comment. And I can't vouch for the accuracy of others who do.
Read Why didn't you answer my question? for hints on getting an answer.
By posting a comment you agree to the Terms of Service. Don't agree? Don't post.
Read the article at the top of this page. If your comment shows you didn't, it'll be deleted and ignored. Yes, I'm saying this twice; you'd be amazed.

Please wait. Your comment is being processed ...