Re: When Automatic Updates can be harmful



Today Doug Kanter attempted to dazzle everyone with this
profound linguistic utterance

From Brian Livingston's "Windows Secrets" Newsletter


When Automatic Updates can be harmful

By Woody Leonhard

For years I've been advising Windows consumers to disable
Automatic Updates: Keep Microsoft's mitts off your machine
until you're darn sure the proffered patches do more good
than harm.

I've taken a lot of flak for that heretical stance,
vilified for intimating that Microsoft's patching process
leaves consumers in the lurch. Bah. Recent events have
proved my point conclusively: Windows auto-update is for
chumps.

The auto-update process

Take a second right now to check your auto update settings.
Click Start, Control Panel, Security Center. Don't click
the Automatic Updates bar at the top - Microsoft has the
dialog box rigged to turn on auto-updating if you click
around indiscriminately. Instead, click the "Automatic
Updates" line at the bottom of the Security Center. Windows
shows you an official-looking dialog box - "Help Protect
Your PC," it says - with a cheerful good green shield at
the top and a naughty bad red shield at the bottom.

If you're setting up Windows for your Great-Aunt Millicent
who frets that playing Solitaire will lock up her PC, go
ahead and click "Automatic (recommended)" and resign
yourself to your technical co-dependent relationship.

But if you're even moderately conversant with Windows -
certainly if you're reading this newsletter - check one of
the other buttons. I recommend "Notify me but don't
automatically download or install them." That way I have
two chances to catch myself before installing everything
Microsoft pushes out the Patch Tuesday door.

With auto updates disabled, the next time Microsoft has a
"critical" patch that it wants to push onto your machine, a
balloon will pop up out of a yellow shield in the system
tray, next to the clock at the bottom of the screen. The
balloon will ask your permission to download and/or install
whatever software Microsoft has on offer. Your job is to
refrain from giving that permission until millions of
clueless Windows users have an, uh, opportunity to beta
test Microsoft's latest missives.

What happened last month, Part I

Permit me to summarize the Windows Automatic Updates
Out-of-Box Experience of the past month, from a consumer's
perspective.

On April 11, 2006 - a Patch Tuesday that will live in
infamy - Microsoft released four collections of patches.
Two were relatively innocuous, at least for Windows
consumers.

One of the patch collections, MS06-016 (917288), "patched"
Outlook Express on some PCs so well that OE couldn't open
its address book.

Many people who had Windows set for automatic updating got
up one morning, sat down at their PCs, downloaded their
mail, and suddenly discovered that they couldn't reply to
messages. Every time they tried to get into their address
books, Windows just sat there. Without their knowledge,
Microsoft had simply reached into their PCs and broken
Outlook Express. No warning. No thank you very much. No
nuthin'.

The other patch collection, MS06-015 (911562) contained a
new, inadequately tested Mr. Hyde version of a program
called verclsid.exe that wreaked all sorts of havoc on some
machines:

- Windows Explorer would freeze when attempting to get into
My Documents or My Pictures.

- Word and Excel would freeze when trying to open or save a
doc in My Documents.

- Internet Explorer would freeze unless you typed http://
in front of a Web address.

And so on. Microsoft's lengthy error list is at KB 918165.
That article currently sits at version 4.2, having
undergone three major revisions and then some - a sure sign
that the error list itself had numerous errors.

Although the MS06-015 patch was officially released on
Tuesday, Apr. 11, it wasn't pushed out the Automatic Update
chute in the U.S. until that Saturday or Sunday. Lots of
people trying to finish their income taxes over that
last-minute April 15 "tax weekend" ran scrambling for
alternatives when they discovered they couldn't use Excel
or Internet Explorer.

What happened last month, Part II

Last month's auto-update debacle doesn't stop there. For
the first time in history, Microsoft released a passel of
three more patches, out of cycle, two weeks after Patch
Tuesday. Except, er, uh, two of the three "critical
patches" weren't really critical patches at all.

The first patch patched the MS06-015 patch by jiggering a
couple of Registry settings. Microsoft gave fair warning -
the fix was widely anticipated and appears to stop the
insanity generated by the original patch. Victimized
Windows consumers who left automatic updates on suddenly
discovered, almost two weeks after the original botch job,
that Word and Excel and Windows Explorer and Internet
Explorer started working properly again. Magic.

The second mid-month out-of-sequence patch still leaves me
scratching my head. Microsoft pushed an obscure
five-month-old patch through the automatic update system,
with no forewarning, no explanation, and no reason that I
can discern. That patch (900845) replaces a program called
aec.sys, which is an acoustic error-canceling driver, of
all things. My guess - and it's only a guess - is that
Microsoft somehow accidentally released this patch into the
Automatic Updates food chain. Kinda makes me shudder.

The third mid-month "critical update" patch - which also
got shoved onto all PCs with automatic update activated -
isn't a patch at all, critical or otherwise. It's the new
version of Windows Genuine Nagware, er, Windows Genuine
Advantage.

With this little gem installed (905474), if Microsoft's
computers can't verify your copy of Windows, your desktop
gets plastered with all sorts of irritating, incessant
nags. As far as I can tell there was little, if any,
advance warning that this "critical update" (yeah, sure)
was going to get rammed down U.S. users' throats in an
out-of-cycle mid-month automatic update. I could find
nothing but this press release, dated the same day Windows
Genuine Nagware spewed down the Automatic Updates chute.

From where I stand, Microsoft has shown that it'll use
Automatic Updates to shove any software change onto any
system that it darn well pleases, any time it likes. This
isn't a conspiracy theory. Microsoft isn't a monolith.
There's no Big Brother or master plan behind it all, no
Mini-Me lurking in the shadows. Instead, what we're seeing
is a bunch of stupid decisions, propagated to a hundred
million PCs, by people who have demonstrated, repeatedly,
that they can't be trusted with the task.

There is a better way

Keeping your PC working well is a tough job. You know that.

Big companies employ network admins who get to wrangle with
Microsoft's offal before updating company computers. It's a
tough, thankless job.

But what of us lowly individual Windows consumers? We're
left holding the bag. Cannon fodder. We're the folks who
get hit with the bugs - the unwitting beta testers for
Microsoft's frequently ill-prepared patches and funny
little nagware programs, too.

I say it's time for Windows consumers to take their
patching destinies into their own hands. Turn off Automatic
Updates. Sit and watch and listen, and judge for yourself
when it's time to patch or not to patch. Keep your eyes on
this newsletter, on my Microsoft Patch Reliability Ratings
page, watch the newsgroups, and any other places you can
find that have an independent point of view. Listen to
people you know and trust before letting Microsoft monkey
around with your PC.

My critics will have you believe that failing to patch
Windows at the very moment Microsoft pushes a patch down
the automatic update chute will leave you poor, helpless,
befuddled and (worst of all!) vulnerable. Poppy***.
Microsoft itself waits to see if its newly released patches
cause problems before sending them through auto-update. The
major problem: they don't wait long enough!

Very, very few people get hit with exploits based on newly
announced security holes shortly after Microsoft's patches
appear. Yes, you need to patch your system. No, you don't
need to do it right away, particularly if you keep the rest
of your security arsenal updated and working properly.

Take your time. The machine you save may be your own.

I fully agree. Automatic updates for anything from anybody are
/always/ bad. Which reminds me of an exam quiz hint I got while
in college:

"if a True/False question has the words 'always' or 'never',
it is ALWAYS false!"

--
ATM, aka Jerry

"Never try to reason with a fool" - Roadsign
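
An added example, not part of Jerry's post or of the quoted newsletter: a PowerShell audit of the Automatic Updates mode that the article's Security Center walk-through sets by hand. It reads the AUOptions value from the documented Group Policy key first and the per-machine key second, and maps the value to the dialog's choices ("Notify me but don't automatically download or install them" is value 2). The function name and the warning text are mine; the registry paths and value meanings are the documented Windows XP/Server 2003 Automatic Updates settings. Run it in an elevated PowerShell prompt on a Windows host.

```powershell
# Added example (not from the post or the newsletter): report which
# Automatic Updates mode this machine is in and where the setting came from.
# Registry locations and AUOptions meanings are the documented Windows XP/2003
# Automatic Updates settings; a policy setting overrides the user's choice.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$userKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# AUOptions values as shown in the "Help Protect Your PC" dialog
$modes = @{
    1 = 'Turn off Automatic Updates (no checking; no notification of new patches)'
    2 = 'Notify me but do not automatically download or install them'
    3 = 'Download updates for me, but let me choose when to install them'
    4 = 'Automatic (recommended): download and install on a schedule'
    5 = 'Policy only: allow the local administrator to choose the setting'
}

function Get-AutoUpdateMode {
    # Returns an object with the effective AUOptions value, its source and meaning.
    $value  = $null
    $source = 'not set'

    if (Test-Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        if ($p -and $p.PSObject.Properties['NoAutoUpdate'] -and [int]$p.NoAutoUpdate -eq 1) {
            # Policy has switched Automatic Updates off entirely
            $value  = 1
            $source = 'Group Policy (NoAutoUpdate)'
        }
        elseif ($p -and $p.PSObject.Properties['AUOptions']) {
            $value  = [int]$p.AUOptions
            $source = 'Group Policy (AUOptions)'
        }
    }

    if ($null -eq $value -and (Test-Path $userKey)) {
        $u = Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue
        if ($u -and $u.PSObject.Properties['AUOptions']) {
            $value  = [int]$u.AUOptions
            $source = 'Security Center / user choice'
        }
    }

    $meaning = if ($null -ne $value -and $modes.ContainsKey($value)) { $modes[$value] } else { 'unknown or not configured' }

    [PSCustomObject]@{
        Value   = $value
        Source  = $source
        Meaning = $meaning
    }
}

$mode = Get-AutoUpdateMode
$mode | Format-List

# Defender's check: mode 2 keeps the install decision with the user but still
# announces that a patch exists; mode 1 means no balloon ever appears, so the
# machine silently falls behind unless someone checks Windows Update by hand.
if ($mode.Value -eq 1) {
    Write-Warning 'Automatic Updates is off: you will not be told when patches are released. Check for updates manually on a fixed schedule.'
}
```

The script distinguishes "notify first" from "off" because the article argues for the former: deferring a patch is a deliberate choice made with the notification in hand, while mode 1 gives no signal that anything is waiting.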