Does Netgear really "Push" critical security updates?

alokeprasad
Mentor

Does Netgear really "Push" critical security updates?

TLDR: Has Netgear "pushed" any firmware updates in the past 12 months? There have been critical security issues fixed during that period. User beware.  If not: Be pro-active. Don't ass-u-me that everything is OK by default.

 

Some here have been advocating against updating firmware if the systems are otherwise functioning OK.  The reasoning is that if the update was fixing critical security issues, Netgear would "push" it to the users, i.e., install it without any user intervention.

 

I am relatively new to the Orbi's, although I have been using various Nighthawk routers for decades before.  I have NEVER had a firmware automatically install without my intervention. 

 

Has that (push by Netgear) happened to Orbi users, like after March 2020, when some very critical security problems were revealed?  These were rated 9.4/10 by NG themselves.

Thousands of Netgear routers are at risk of getting hacked (March 2020)

79 Netgear Routers Vulnerable to Serious Security Flaw (June 2020)

 

If, in fact, NG does not push critical security fixes to the devices, then it is up to the user to keep up with firmware update releases, find out the changes in the release notes, look up info on NETGEAR Product Security and install the updated firmware after taking everything into consideration.

 

 

Model: RBK53|Orbi AC3000 Tri-band WiFi System
Message 1 of 22
vajim
Master

Re: Does Netgear really "Push" critical security updates?

If you're looking for the official Netgear policy, you may want to PM one of the moderators here and see if they will answer your question, otherwise what you'll receive here is lots of personal opinions.

Message 2 of 22
alokeprasad
Mentor

Re: Does Netgear really "Push" critical security updates?

I don't need to ask NG because I know that they haven't pushed any updates in 2020.  I can infer their policy from the underlying facts.

My logic is simple. 

 

NG has had critical (9.4/10) security issues revealed (and fixed via firmware updates made available at their download site) in the past 12 months.

   and

NG has not pushed any firmware updates to the units

   therefore

If (you want to be protected from those security issues)

   then

update the firmware manually (and take the risks inherent in that process).

 

 

Message 3 of 22
schumaku
Guru

Re: Does Netgear really "Push" critical security updates?

Netgear does make firmware updates available to the live update feeds. If the device is configured for automatic updates, it will happen when available. If not - there is no unrequested or forced push of anything.

 

Disputable how smart the advice is to disable the automatic update as suggested. The problem was that many users had very bad experience with any kind of new updates.

Message 4 of 22
vajim
Master

Re: Does Netgear really "Push" critical security updates?

OK

 

Nice post

 

Good luck with your inference

Message 5 of 22
alokeprasad
Mentor

Re: Does Netgear really "Push" critical security updates?


@schumaku wrote:

Netgear does make firmware updates available to the live update feeds. If the device is configured for automatic updates, it will happen when available. If not - there is no unrequested or forced push of anything.

On the RBK50's, NG will inform the user that there are updates available. They have been doing that recently, confusing people about which ver is the latest etc.  AFAIK, the user has to choose to install the updates. Is there a way to configure it for automatic install?

I have removed my R9000 and I don't recall that there was a way to have the new firmwares install automatically on those.

 

Disputable how smart the advice is to disable the automatic update as suggested. The problem was that many users had very bad experience with any kind of new updates.

 

I don't like automatic installs myself.  But I tend to read up about the latest issues in the news, listen to Security_Now podcast etc.  The casual user is in a no-win situation: They can be on older insecure versions or enable automatic installation (if that is even available for the Orbi's) with its risks.


With my short history (2 months) w the Orbi's, I was asking if NG pushed and automatically installed fixes in 2020. Because they certainly had a couple of serious issues come up last year.

Message 6 of 22
vajim
Master

Re: Does Netgear really "Push" critical security updates?


@alokeprasad wrote:


With my short history (2 months) w the Orbi's, I was asking if NG pushed and automatically installed fixes in 2020. Because they certainly had a couple of serious issues come up last year.


Perhaps the real question is, has anyone here had problems(?) with their system due to the 'serious issues' that came up last year you mention above?

 

 

Message 7 of 22
vajim
Master

Re: Does Netgear really "Push" critical security updates?

Message 8 of 22
alokeprasad
Mentor

Re: Does Netgear really "Push" critical security updates?

This discussion is tilting philosophical.

 

Indeed, it is a matter of taking security issues seriously and fixing them before they have consequences. Many consequences may not be apparent to the user. Like using their router as a hop in DDOS attacks, yadda yadda.

 

Fixing security issues is a matter of practicing "safe hex".  We should do (or not do) these things after being aware of the issues, not with the complacency that someone else (like Netgear in this case) will take care of the problems automatically if it was "serious enough".

 

Still don't have any answer: Has NG push-installed updates on the Orbi's in the past year?

 

Message 9 of 22
vajim
Master

Re: Does Netgear really "Push" critical security updates?


@alokeprasad wrote:

This discussion is tilting philosophical.

 

I warned of this in the beginning

 

Still don't have any answer: Has NG push-installed updates on the Orbi's in the past year?

 

Couldn't tell ya, but it sounds like you have a plan.

 


 

Message 10 of 22
alokeprasad
Mentor

Re: Does Netgear really "Push" critical security updates?


@vajim wrote:

and there's more

 

https://kb.netgear.com/000058854/How-do-I-make-sure-that-automatic-firmware-updates-happen-in-the-mi...


From that article (from 2018):

Some NETGEAR routers support automatic firmware updates. Automatic firmware updates ensure that important security updates are automatically delivered to your router to increase the security of your home network. Automatic firmware updates restart your router as part of the update process, which means that you lose Internet access for a few minutes.

Automatic firmware updates happen between 1:00 a.m. and 4:00 a.m. local time. To avoid firmware updates starting at an inconvenient time, make sure that your router is set to your local time zone.

 

Have they in fact done any of these automatic installs on the Orbi's and the Nighthawk R8xxx, and R9xxx in the last year?

Message 11 of 22
alokeprasad
Mentor

Re: Does Netgear really "Push" critical security updates?


@vajim wrote:

@alokeprasad wrote:

This discussion is tilting philosophical.

 

I warned of this in the beginning

 

Still don't have any answer: Has NG push-installed updates on the Orbi's in the past year?

 

Couldn't tell ya, but it sounds like you have a plan.

 


 


Yes.  I tend to install security related updates.  On my PC's and routers.

Message 12 of 22
vajim
Master

Re: Does Netgear really "Push" critical security updates?


@alokeprasad wrote:


 


Yes.  I tend to install security related updates.  On my PC's and routers.


OK...wouldn't it have been easier to have stated that in the beginning?

 

The process of auto-updates is a hot button discussion here only because of its history.

 

IF Netgear were to NOT be pushing auto updates you'll still have the group, as yourself, who will perform manual updates while others perhaps not so much.

 

My only advice to your thinking on updates is be prepared for potential failures.  There are numerous cases where users here jump on the first evidence of an update only to find it slowed or crashed their system.  Some end up reverting.  I may have not seen or heard of any auto pushes but at the same time I haven't seen or heard of an update that was flawless.

Message 13 of 22
schumaku
Guru

Re: Does Netgear really "Push" critical security updates?


@alokeprasad wrote:

I have removed my R9000 and I don't recall that there was a way to have the new firmwares install automatically on those.

 


The feature has existed for years on the R9000 (and many more devices)

 

R9000 router auto firmware update.PNG

 

Users actively managing devices will often read email notifications for security updates, will log in so the firmware update announcement will show up - before the automatic update will happen the following night. That's why many here are probably ahead of the automatic update.

Message 14 of 22
alokeprasad
Mentor

Re: Does Netgear really "Push" critical security updates?

Thx, schumaku. Thanks for the memories.  I had automatic updates disabled all along, so I never experienced an update without me initiating it.  I am unaware if NG pushed automatic installations on the RXXXX devices.  Are they actually updating those devices anymore?

 

I don't see automatic-update option (or how to turn it off) on the RBK50's web interface or user manual.  The choices (from the manual p 89) are: You can use the router web interface to check if new firmware is available and update your router and satellite, or you can manually update the firmware for your router and satellite.

 

So, I'm asking the community here if they, in fact, push automatic installs on the Orbi's.  

 

I don't know what answer I like: I would not like push installs on MY Orbi. In fact, I want to turn all such automatic-anything off. But it would be nice to have that be done in a reliable manner on users who don't follow the latest goings-on in IT world.

 

In real life, the users are stuck between a rock and a hard place: Have Systems with un-patched security holes or systems (out of warranty) that get bricked or reset overnight by NG.  Sadly, I'm seeing many posts that are talking about bricking happening to them.

 

Message 15 of 22
FURRYe38
Guru

Re: Does Netgear really "Push" critical security updates?

There have been some recent posts regarding users seeing updates come down from NG onto their Orbi units. Seems NG is still auto pushing without any user intervention.

https://community.netgear.com/t5/Orbi/Orbi-RBR50-Router-Firmware-Version-V2-7-2-102/m-p/2027821/high...

 

Orbi doesn't, nor will it ever, seem to have the ability to let the user disable this either. Been like this since the beginning and users have asked about it. No change from NG stance.

 

Message 16 of 22
FURRYe38
Guru

Re: Does Netgear really "Push" critical security updates?

https://kb.netgear.com/000058854/How-do-I-make-sure-that-automatic-firmware-updates-happen-in-the-mi...

This article applies to:

  • Wireless AC Router Nighthawk (35)
  • Wireless AX Router Nighthawk (WiFi 6) (19)
  • Cable Gateway AX (2)
  • Wireless AC Router (21)
  • Wireless N Router (72)
  • Legacy Wireless Router (5)
  • Wireless G Router (35)
  • Legacy Wireless N Router (10)

Orbi is not listed here so we can presume Orbi is done differently. 

Message 17 of 22
schumaku
Guru

Re: Does Netgear really "Push" critical security updates?

How do I make sure that automatic firmware updates happen in the middle of the night for my Orbi WiF... applies to all Orbi, Orbi AX, Orbi Pro, Orbi Pro Wifi 6, Nighthawk mesh.

Message 18 of 22
alokeprasad
Mentor

Re: Does Netgear really "Push" critical security updates?

Thanks all for the replies. 

 

It is settled.  NG can, and apparently have started again, push auto-installs of firmware. 

They must be fixing something important to take that step.

 

Too bad that one cannot disable auto-installs.

 

We are also in a world of hurt if the push-installs are glitchy, either in the installation process or the firmware quality. Some of the "hacking-type" methods like tftp and nmrpflash are totally unsuitable for non-techies.

 

Message 19 of 22
vajim
Master

Re: Does Netgear really "Push" critical security updates?


@alokeprasad wrote:

 

Too bad that one cannot disable auto-installs.

 

 

 

 

you can please some of the people some of the time but you'll never be able to please all the people all the time.  

 

 

 


 

Message 20 of 22
schumaku
Guru

Re: Does Netgear really "Push" critical security updates?


@alokeprasad wrote:

NG can, and apparently have started again, push auto-installs of firmware. 


Are you stating "push without the user allowing"? Auto firmware update is perfectly normal.

 

It's all based on the same process - an XML feed(s) used for the auto firmware update. There is no push-like thing overriding anything. Worth mentioning that they can make different versions available based on the location and based on features enabled.

 


@alokeprasad wrote:

Too bad that one cannot disable auto-installs.


How do I enable/disable auto firmware update? 

 

 

 

 

Message 21 of 22
alokeprasad
Mentor

Re: Does Netgear really "Push" critical security updates?


@schumaku wrote:

@alokeprasad wrote:

@alokeprasad wrote:

Too bad that one cannot disable auto-installs.


How do I enable/disable auto firmware update? 

 


The instructions in the link above are not available for the Orbi RBK50.  See screenshot.

Maybe the codebase for the Nighthawks and Orbi's forked at some time and they removed the option to disable auto updates on the Orbi's.

Message 22 of 22