Re: When Automatic Updates can be harmful

Hello Doug
Thank you for bringing this thoughtful and very logically put together
observation and advice regarding MS updates.
I do not think there was anything in it that can be disputed. For a novice
computer user it is refreshing to read such an article.
Even an MS mouthpiece would have to remain silent.
I was advised nearly 12 months ago by an MVP to be cautious of MS updates.
As he said that it was dangerous for a complete novice not to wait and see.
I did on all those updates as I have before.
I even posted one or two warnings when I first saw someone in trouble in a
group. I then had two frequent posters/helpers jump on me.
'What probs - nobody is having problems - what do you know anyway - ranter -
MS sceptic'. I suggested they did a bit of research. One replied 'I always
do my research - I do a lot of research. Well the prat hadn't done this
time, as the number of disgruntled posters proved. And these same persons
still open their mouths without first engaging their brains.
They know themselves for what they are.
I will certainly keep a watch in that newsletter - the link is in my
favourites. Thanks again.
Rgds
Antioch

"Doug Kanter" <ancientangler@xxxxxxxxxxx> wrote in message
news:1qN8g.800$Oh1.554@xxxxxxxxxxxxxxxx
From Brian Livingston's "Windows Secrets" Newsletter


When Automatic Updates can be harmful

By Woody Leonhard

For years I've been advising Windows consumers to disable Automatic
Updates: Keep Microsoft's mitts off your machine until you're darn sure
the proffered patches do more good than harm.

I've taken a lot of flak for that heretical stance, vilified for
intimating that Microsoft's patching process leaves consumers in the
lurch. Bah. Recent events have proved my point conclusively: Windows
auto-update is for chumps.

The auto-update process

Take a second right now to check your auto update settings. Click Start,
Control Panel, Security Center. Don't click the Automatic Updates bar at
the top - Microsoft has the dialog box rigged to turn on auto-updating if
you click around indiscriminately. Instead, click the "Automatic Updates"
line at the bottom of the Security Center. Windows shows you an
official-looking dialog box - "Help Protect Your PC," it says - with a
cheerful good green shield at the top and a naughty bad red shield at the
bottom.

If you're setting up Windows for your Great-Aunt Millicent who frets that
playing Solitaire will lock up her PC, go ahead and click "Automatic
(recommended)" and resign yourself to your technical co-dependent
relationship.

But if you're even moderately conversant with Windows - certainly if
you're reading this newsletter - check one of the other buttons. I
recommend "Notify me but don't automatically download or install them."
That way I have two chances to catch myself before installing everything
Microsoft pushes out the Patch Tuesday door.

With auto updates disabled, the next time Microsoft has a "critical" patch
that it wants to push onto your machine, a balloon will pop up out of a
yellow shield in the system tray, next to the clock at the bottom of the
screen. The balloon will ask your permission to download and/or install
whatever software Microsoft has on offer. Your job is to refrain from
giving that permission until millions of clueless Windows users have an,
uh, opportunity to beta test Microsoft's latest missives.

What happened last month, Part I

Permit me to summarize the Windows Automatic Updates Out-of-Box Experience
of the past month, from a consumer's perspective.

On April 11, 2006 - a Patch Tuesday that will live in infamy - Microsoft
released four collections of patches. Two were relatively innocuous, at
least for Windows consumers.

One of the patch collections, MS06-016 (917288), "patched" Outlook Express
on some PCs so well that OE couldn't open its address book.

Many people who had Windows set for automatic updating got up one morning,
sat down at their PCs, downloaded their mail, and suddenly discovered that
they couldn't reply to messages. Every time they tried to get into their
address books, Windows just sat there. Without their knowledge, Microsoft
had simply reached into their PCs and broken Outlook Express. No warning.
No thank you very much. No nuthin'.

The other patch collection, MS06-015 (911562) contained a new,
inadequately tested Mr. Hyde version of a program called verclsid.exe that
wreaked all sorts of havoc on some machines:

. Windows Explorer would freeze when attempting to get into My Documents
or My Pictures.

. Word and Excel would freeze when trying to open or save a doc in My
Documents.

. Internet Explorer would freeze unless you typed http:// in front of a
Web address.

And so on. Microsoft's lengthy error list is at KB 918165. That article
currently sits at version 4.2, having undergone three major revisions and
then some - a sure sign that the error list itself had numerous errors.

Although the MS06-015 patch was officially released on Tuesday, Apr. 11,
it wasn't pushed out the Automatic Update chute in the U.S. until that
Saturday or Sunday. Lots of people trying to finish their income taxes
over that last-minute April 15 "tax weekend" ran scrambling for
alternatives when they discovered they couldn't use Excel or Internet
Explorer.

What happened last month, Part II

Last month's auto-update debacle doesn't stop there. For the first time in
history, Microsoft released a passel of three more patches, out of cycle,
two weeks after Patch Tuesday. Except, er, uh, two of the three "critical
patches" weren't really critical patches at all.

The first patch patched the MS06-015 patch by jiggering a couple of
Registry settings. Microsoft gave fair warning - the fix was widely
anticipated and appears to stop the insanity generated by the original
patch. Victimized Windows consumers who left automatic updates on suddenly
discovered, almost two weeks after the original botch job, that Word and
Excel and Windows Explorer and Internet Explorer started working properly
again. Magic.

The second mid-month out-of-sequence patch still leaves me scratching my
head. Microsoft pushed an obscure five-month-old patch through the
automatic update system, with no forewarning, no explanation, and no
reason that I can discern. That patch (900845) replaces a program called
aec.sys, which is an acoustic error-canceling driver, of all things. My
guess - and it's only a guess - is that Microsoft somehow accidentally
released this patch into the Automatic Updates food chain. Kinda makes me
shudder.

The third mid-month "critical update" patch - which also got shoved onto
all PCs with automatic update activated - isn't a patch at all, critical
or otherwise. It's the new version of Windows Genuine Nagware, er, Windows
Genuine Advantage.

With this little gem installed (905474), if Microsoft's computers can't
verify your copy of Windows, your desktop gets plastered with all sorts of
irritating, incessant nags. As far as I can tell there was little, if any,
advance warning that this "critical update" (yeah, sure) was going to get
rammed down U.S. users' throats in an out-of-cycle mid-month automatic
update. I could find nothing but this press release, dated the same day
Windows Genuine Nagware spewed down the Automatic Updates chute.

From where I stand, Microsoft has shown that it'll use Automatic Updates
to shove any software change onto any system that it darn well pleases,
any time it likes. This isn't a conspiracy theory. Microsoft isn't a
monolith. There's no Big Brother or master plan behind it all, no Mini-Me
lurking in the shadows. Instead, what we're seeing is a bunch of stupid
decisions, propagated to a hundred million PCs, by people who have
demonstrated, repeatedly, that they can't be trusted with the task.

There is a better way

Keeping your PC working well is a tough job. You know that.

Big companies employ network admins who get to wrangle with Microsoft's
offal before updating company computers. It's a tough, thankless job.

But what of us lowly individual Windows consumers? We're left holding the
bag. Cannon fodder. We're the folks who get hit with the bugs - the
unwitting beta testers for Microsoft's frequently ill-prepared patches and
funny little nagware programs, too.

I say it's time for Windows consumers to take their patching destinies
into their own hands. Turn off Automatic Updates. Sit and watch and
listen, and judge for yourself when it's time to patch or not to patch.
Keep your eyes on this newsletter, on my Microsoft Patch Reliability
Ratings page, watch the newsgroups, and any other places you can find that
have an independent point of view. Listen to people you know and trust
before letting Microsoft monkey around with your PC.

My critics will have you believe that failing to patch Windows at the very
moment Microsoft pushes a patch down the automatic update chute will leave
you poor, helpless, befuddled and (worst of all!) vulnerable. Poppy***.
Microsoft itself waits to see if its newly released patches cause problems
before sending them through auto-update. The major problem: they don't
wait long enough!

Very, very few people get hit with exploits based on newly announced
security holes shortly after Microsoft's patches appear. Yes, you need to
patch your system. No, you don't need to do it right away, particularly if
you keep the rest of your security arsenal updated and working properly.

Take your time. The machine you save may be your own.




.