While talking about Windows 7 RTM (Release To Manufacturing) installs with some colleagues, I mentioned the need to run Windows Update right after loading the operating system. A couple of system administrators looked at me funny, saying they didn’t think it was necessary.

Run Windows Update

The last thing one expects to do after installing a brand-new operating system is to check for updates. Still, I have been using Windows 7 RC for several months, and every Patch Tuesday Windows Update has installed fixes. The bad guys know about the vulnerabilities too and are currently exploiting them.

So doing a manual Windows Update after installing Windows 7 RTM made sense to me. When I checked for updates after each install, I was informed the following patches (2 critical and 4 important) were available:

  • MS09-054: This security update resolves three privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
  • MS09-055: This security update addresses a privately reported vulnerability that is common to multiple ActiveX controls and is currently being exploited. The vulnerability affects ActiveX controls that were compiled using the vulnerable version of the Microsoft Active Template Library.
  • MS09-056: This security update resolves two publicly disclosed vulnerabilities in Microsoft Windows. The vulnerabilities could allow spoofing if an attacker gains access to the certificate used by the end user for authentication.
  • MS09-058: This security update resolves several privately reported vulnerabilities in the Windows kernel. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logged on to the system and ran a specially crafted application.
  • MS09-059: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sent a maliciously crafted packet during the NTLM authentication process.
  • MS09-061: This security update resolves three privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser.

During our conversation, one associate felt updating was done automatically. I didn’t see that. So, I am glad I checked Windows Update. Running a manual update is less painful than fighting malware on a brand-new operating system.

Don’t forget UAC, it’s changed

Microsoft changed how User Account Control (UAC) works in Windows 7. That is another controversy I plan on writing about in the near future. UAC in Windows 7 allows the user more options or chances to get into trouble, depending on your point of view.

You can find the UAC dialogue box by going to Control Panel, selecting User Accounts, followed by Change User Account Control Settings. Here are the four settings:

  • Top position: “Always Notify,” identical to the default mode in Vista.
  • Second position: The Windows 7 default setting, which prompts the user when a non-Windows executable asks for privilege elevation.
  • Third position: Similar to the second position, except that the prompt occurs on the user’s desktop rather than the secure desktop.
  • Bottom position: Turns off all protection afforded by UAC.

As a security advocate, I felt compelled to at least mention that Microsoft changed UAC. Many security-conscious people prefer the “Always Notify” setting. So they need to adjust the setting. Others abhor UAC and will immediately turn it off. No comment, at least for now.
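One way to confirm which of the four positions a fresh install is actually in, as an added example that is not part of the original post: the read-only PowerShell below maps the UAC policy values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` to the slider positions listed above. The function names are hypothetical, and the value-to-position mapping assumes Windows 7 behaviour.

```powershell
# Added example: read-only audit of the UAC slider position on Windows 7.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Pure mapping from the three policy values to a slider position
# (hypothetical helper name; mapping assumed for Windows 7).
function Resolve-UacSliderPosition {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    # On Windows 7 the bottom position switches UAC off entirely.
    if ($EnableLUA -eq 0) {
        return 'Bottom position: UAC turned off'
    }
    switch ("$ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop") {
        '2/1'   { return 'Top position: Always Notify' }
        '5/1'   { return 'Second position: Windows 7 default' }
        '5/0'   { return 'Third position: default prompts, no secure desktop' }
        # 0 = elevate without prompting, even though UAC is still enabled
        '0/0'   { return 'Bottom position: elevation without prompting' }
        default { return "Custom policy, not a slider position ($_)" }
    }
}

# Reads the live values. A value missing from the key is read as 0,
# so a missing EnableLUA is reported as UAC turned off.
function Get-UacSliderPosition {
    $p = Get-ItemProperty -Path $UacKey
    Resolve-UacSliderPosition -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
}

# Constructed sample values, one per slider position, to show the mapping
# without depending on the local registry.
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
)
foreach ($s in $samples) { Resolve-UacSliderPosition @s }

# Live check on the machine that was just installed.
Get-UacSliderPosition
```

A "Custom policy" result means the values were set some other way than the slider, for example by Group Policy, and should be reviewed individually.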

Final thoughts

I understand why software is out of date as soon as it is released. Why not automate the update process to check after being installed, or at least warn the user to check for updates?

My friends and I are still debating about the update process. What is your experience? Is Windows 7 updated automatically after installation?

“Finding vulnerabilities is good news, not bad news. It means we can do something to improve security. It doesn’t mean someone has been screwing up.” Roger Johnston.