I just came across yet another security discussion, in which at least one poster emphasized the importance of auto-updates as a means of keeping a system protected. Here’s the response I added:
I couldn’t agree less. Auto update is a huge vulnerability. It’s literally a welcome mat for some third party to shove software into the bowels of your system. That third party may be both trustworthy and technically competent… but there is no guarantee that it will remain so over time, and no likelihood that you’ll know if and when it becomes untrustworthy or incompetent.
Ironically, far from “getting it right,” [as the previous poster had suggested] Microsoft provided the best-ever example of the auto-update fallacy, when it mis-used the mechanism to shove Windows Genuine Advantage (WGA) onto systems around the world. WGA is not a ‘feature’ that any user would want. It gives Microsoft extra control over your PC, and opens the possibility of false positives that could literally require you to buy a new copy of Windows. No, the problems are not frequent… but the point is that whether an update is to your benefit or not, you gave up the right to complain about it when you enabled (failed to disable) the service.
I’m still waiting for someone to hack the auto-update feature. What better mechanism could their be, for installing malware? Even if Microsoft’s auto-update service happens to be secure (a big if), there are probably lots of others on your system by now, some of which you’re probably not even aware of.
It’s your system, do what you think is best. But on my gear, all auto-update services remain in the OFF position.
Am I being unreasonable? Paranoid? I don’t think so. I have never seen any compelling advantage to automatic updates. If the software is so crappy it can’t work without constant updates, I’ll just pass on it entirely. On the other hand, if there are substantial changes, I will inevitably want to assess them before allowing them on my equipment. I don’t give anyone carte blanche to enter my front door, and I can’t see why I should be less stringent with my electronic devices.