Re: When Automatic Updates can be harmful



Doug Kanter wrote:

From Brian Livingston's "Windows Secrets" Newsletter


When Automatic Updates can be harmful

By Woody Leonhard

For years I've been advising Windows consumers to disable Automatic
Updates: Keep Microsoft's mitts off your machine until you're darn
sure the proffered patches do more good than harm.

I've taken a lot of flak for that heretical stance, vilified for
intimating that Microsoft's patching process leaves consumers in the
lurch. Bah. Recent events have proved my point conclusively: Windows
auto-update is for chumps.

The auto-update process

Take a second right now to check your auto update settings. Click
Start, Control Panel, Security Center. Don't click the Automatic
Updates bar at the top - Microsoft has the dialog box rigged to turn
on auto-updating if you click around indiscriminately. Instead, click
the "Automatic Updates" line at the bottom of the Security Center.
Windows shows you an official-looking dialog box - "Help Protect Your
PC," it says - with a cheerful good green shield at the top and a
naughty bad red shield at the bottom.

If you're setting up Windows for your Great-Aunt Millicent who frets
that playing Solitaire will lock up her PC, go ahead and click
"Automatic (recommended)" and resign yourself to your technical
co-dependent relationship.

But if you're even moderately conversant with Windows - certainly if
you're reading this newsletter - check one of the other buttons. I
recommend "Notify me but don't automatically download or install
them." That way I have two chances to catch myself before installing
everything Microsoft pushes out the Patch Tuesday door.

With auto updates disabled, the next time Microsoft has a "critical"
patch that it wants to push onto your machine, a balloon will pop up
out of a yellow shield in the system tray, next to the clock at the
bottom of the screen. The balloon will ask your permission to
download and/or install whatever software Microsoft has on offer.
Your job is to refrain from giving that permission until millions of
clueless Windows users have an, uh, opportunity to beta test
Microsoft's latest missives.

What happened last month, Part I

Permit me to summarize the Windows Automatic Updates Out-of-Box
Experience of the past month, from a consumer's perspective.

On April 11, 2006 - a Patch Tuesday that will live in infamy -
Microsoft released four collections of patches. Two were relatively
innocuous, at least for Windows consumers.

One of the patch collections, MS06-016 (917288), "patched" Outlook
Express on some PCs so well that OE couldn't open its address book.

Many people who had Windows set for automatic updating got up one
morning, sat down at their PCs, downloaded their mail, and suddenly
discovered that they couldn't reply to messages. Every time they
tried to get into their address books, Windows just sat there.
Without their knowledge, Microsoft had simply reached into their PCs
and broken Outlook Express. No warning. No thank you very much. No
nuthin'.

The other patch collection, MS06-015 (911562), contained a new,
inadequately tested Mr. Hyde version of a program called verclsid.exe
that wreaked all sorts of havoc on some machines:

- Windows Explorer would freeze when attempting to get into My
Documents or My Pictures.

- Word and Excel would freeze when trying to open or save a doc in My
Documents.

- Internet Explorer would freeze unless you typed http:// in front of
a Web address.

And so on. Microsoft's lengthy error list is at KB 918165. That
article currently sits at version 4.2, having undergone three major
revisions and then some - a sure sign that the error list itself had
numerous errors.

Although the MS06-015 patch was officially released on Tuesday, Apr.
11, it wasn't pushed out the Automatic Update chute in the U.S. until
that Saturday or Sunday. Lots of people trying to finish their income
taxes over that last-minute April 15 "tax weekend" ran scrambling for
alternatives when they discovered they couldn't use Excel or Internet
Explorer.

What happened last month, Part II

Last month's auto-update debacle doesn't stop there. For the first
time in history, Microsoft released a passel of three more patches,
out of cycle, two weeks after Patch Tuesday. Except, er, uh, two of
the three "critical patches" weren't really critical patches at all.

The first patch patched the MS06-015 patch by jiggering a couple of
Registry settings. Microsoft gave fair warning - the fix was widely
anticipated and appears to stop the insanity generated by the
original patch. Victimized Windows consumers who left automatic
updates on suddenly discovered, almost two weeks after the original
botch job, that Word and Excel and Windows Explorer and Internet
Explorer started working properly again. Magic.

The second mid-month out-of-sequence patch still leaves me scratching
my head. Microsoft pushed an obscure five-month-old patch through the
automatic update system, with no forewarning, no explanation, and no
reason that I can discern. That patch (900845) replaces a program
called aec.sys, which is an acoustic error-canceling driver, of all
things. My guess - and it's only a guess - is that Microsoft somehow
accidentally released this patch into the Automatic Updates food
chain. Kinda makes me shudder.

The third mid-month "critical update" patch - which also got shoved
onto all PCs with automatic update activated - isn't a patch at all,
critical or otherwise. It's the new version of Windows Genuine
Nagware, er, Windows Genuine Advantage.

With this little gem installed (905474), if Microsoft's computers
can't verify your copy of Windows, your desktop gets plastered with
all sorts of irritating, incessant nags. As far as I can tell there
was little, if any, advance warning that this "critical update"
(yeah, sure) was going to get rammed down U.S. users' throats in an
out-of-cycle mid-month automatic update. I could find nothing but
this press release, dated the same day Windows Genuine Nagware spewed
down the Automatic Updates chute.

From where I stand, Microsoft has shown that it'll use Automatic
Updates to shove any software change onto any system that it darn
well pleases, any time it likes. This isn't a conspiracy theory.
Microsoft isn't a monolith. There's no Big Brother or master plan
behind it all, no Mini-Me lurking in the shadows. Instead, what we're
seeing is a bunch of stupid decisions, propagated to a hundred
million PCs, by people who have demonstrated, repeatedly, that they
can't be trusted with the task.

There is a better way

Keeping your PC working well is a tough job. You know that.

Big companies employ network admins who get to wrangle with
Microsoft's offal before updating company computers. It's a tough,
thankless job.

But what of us lowly individual Windows consumers? We're left holding
the bag. Cannon fodder. We're the folks who get hit with the bugs -
the unwitting beta testers for Microsoft's frequently ill-prepared
patches and funny little nagware programs, too.

I say it's time for Windows consumers to take their patching
destinies into their own hands. Turn off Automatic Updates. Sit and
watch and listen, and judge for yourself when it's time to patch or
not to patch. Keep your eyes on this newsletter, on my Microsoft
Patch Reliability Ratings page, watch the newsgroups, and any other
places you can find that have an independent point of view. Listen to
people you know and trust before letting Microsoft monkey around with
your PC.

My critics will have you believe that failing to patch Windows at the
very moment Microsoft pushes a patch down the automatic update chute
will leave you poor, helpless, befuddled and (worst of all!)
vulnerable. Poppycock. Microsoft itself waits to see if its newly
released patches cause problems before sending them through
auto-update. The major problem: they don't wait long enough!

Very, very few people get hit with exploits based on newly announced
security holes shortly after Microsoft's patches appear. Yes, you
need to patch your system. No, you don't need to do it right away,
particularly if you keep the rest of your security arsenal updated
and working properly.

Take your time. The machine you save may be your own.

Good article. Automatic Update is great in theory, totally awful in
practice.

--
Peace!
Kurt Kirsch
Self-anointed Moderator
http://microscum.com
"It'll soon shake your Windows
And rattle your walls
For the times they are a-changin'."
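The "Notify me but don't automatically download or install them" setting the quoted article recommends can be audited from a script rather than by clicking through Security Center. This is an added example, not code from the newsletter or from anyone in this thread; it reads the documented AUOptions registry value (the Group Policy key, when present, overrides the per-machine one) and the dialog wording in the lookup table is paraphrased.

```powershell
# Added example: report the Automatic Updates mode on a Windows XP-era machine
# by reading the AUOptions value that the "Help Protect Your PC" dialog writes.
# Group Policy settings under ...\Policies\... take precedence, so check them first.
function Get-AutoUpdateMode {
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

    # Documented AUOptions values, described in (paraphrased) dialog wording
    $modes = @{
        1 = 'Turn off Automatic Updates'
        2 = 'Notify me but do not automatically download or install them'
        3 = 'Download updates for me, but let me choose when to install them'
        4 = 'Automatic (recommended)'
    }

    $source = 'machine'
    $value  = $null

    if (Test-Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        if ($p.NoAutoUpdate -eq 1) { $source = 'policy'; $value = 1 }
        elseif ($null -ne $p.AUOptions) { $source = 'policy'; $value = [int]$p.AUOptions }
    }
    if ($null -eq $value -and (Test-Path $machineKey)) {
        $m = Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue
        if ($null -ne $m.AUOptions) { $value = [int]$m.AUOptions }
    }

    $modeText = 'unknown / not configured'
    if ($null -ne $value -and $modes.ContainsKey($value)) { $modeText = $modes[$value] }

    [pscustomobject]@{
        AUOptions  = $value
        Mode       = $modeText
        Source     = $source
        # Mode 2 is the setting the article argues for: nothing is downloaded
        # until you say so, which is what lets you hold back a bad patch.
        NotifyOnly = ($value -eq 2)
    }
}

Get-AutoUpdateMode | Format-List
```

Run it in an elevated PowerShell prompt; a Source of "policy" means the mode is being set by Group Policy and changing the dialog will not stick.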

