Doug Kanter
From Brian Livingston's "Windows Secrets" Newsletter
When Automatic Updates can be harmful
By Woody Leonhard
For years I've been advising Windows consumers to disable Automatic Updates:
Keep Microsoft's mitts off your machine until you're darn sure the proffered
patches do more good than harm.
I've taken a lot of flak for that heretical stance, vilified for intimating
that Microsoft's patching process leaves consumers in the lurch. Bah. Recent
events have proved my point conclusively: Windows auto-update is for chumps.
The auto-update process
Take a second right now to check your Automatic Updates settings. Click
Start, Control Panel, Security Center. Don't click the Automatic Updates bar at the
top - Microsoft has the dialog box rigged to turn on auto-updating if you
click around indiscriminately. Instead, click the "Automatic Updates" line
at the bottom of the Security Center. Windows shows you an official-looking
dialog box - "Help Protect Your PC," it says - with a cheerful good green
shield at the top and a naughty bad red shield at the bottom.
If you're setting up Windows for your Great-Aunt Millicent who frets that
playing Solitaire will lock up her PC, go ahead and click "Automatic
(recommended)" and resign yourself to your technical co-dependent
relationship.
But if you're even moderately conversant with Windows - certainly if you're
reading this newsletter - check one of the other buttons. I recommend
"Notify me but don't automatically download or install them." That way I
have two chances to catch myself before installing everything Microsoft
pushes out the Patch Tuesday door.
With automatic download and install turned off, the next time Microsoft has a
"critical" patch that it wants to push onto your machine, a balloon will pop up out of a
yellow shield in the system tray, next to the clock at the bottom of the
screen. The balloon will ask your permission to download and/or install
whatever software Microsoft has on offer. Your job is to refrain from giving
that permission until millions of clueless Windows users have an, uh,
opportunity to beta test Microsoft's latest missives.
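The same setting lives in the registry, and reading it there is a quicker check than clicking through Security Center, which (as noted above) is easy to flip by accident. What follows is an added example, not code from the Windows Secrets column: it reports the current Automatic Updates mode and can switch it to "notify only". It assumes Windows XP SP2 with PowerShell installed and an administrator shell for the write; the key paths and AUOptions values are the ones documented in Microsoft's KB 328010, and the Policies key, when a domain or local Group Policy has populated it, overrides the per-machine key.

```powershell
# Added example: read/set the Automatic Updates mode behind the
# "Help Protect Your PC" dialog. Not from the original column.
# AUOptions (KB 328010): 1 = off, 2 = notify before download,
# 3 = download automatically, notify before install,
# 4 = download and install on a schedule. 5 (policy only) = let admin choose.
$userKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

$modes = @{
    1 = 'Off (no automatic checks)'
    2 = 'Notify me but do not automatically download or install'
    3 = 'Download automatically, notify before install'
    4 = 'Download and install automatically on a schedule'
    5 = 'Policy: let the local administrator choose'
}

function New-ModeReport($source, $value) {
    $label = if ($modes.ContainsKey($value)) { $modes[$value] } else { 'Unknown value' }
    New-Object PSObject -Property @{ Source = $source; AUOptions = $value; Mode = $label }
}

function Get-AutoUpdateMode {
    # A Group Policy value wins over the user-facing one, so check it first.
    if (Test-Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey
        if ($p.NoAutoUpdate -eq 1)   { return New-ModeReport 'Policy' 1 }
        if ($null -ne $p.AUOptions)  { return New-ModeReport 'Policy' ([int]$p.AUOptions) }
    }
    if (Test-Path $userKey) {
        $u = Get-ItemProperty -Path $userKey
        if ($null -ne $u.AUOptions)  { return New-ModeReport 'Local' ([int]$u.AUOptions) }
    }
    New-Object PSObject -Property @{ Source = 'None'; AUOptions = 0; Mode = 'Not configured (Windows default applies)' }
}

function Set-AutoUpdateMode {
    param([ValidateSet(1, 2, 3, 4)][int]$AUOptions = 2)
    if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
    Set-ItemProperty -Path $userKey -Name AUOptions -Value $AUOptions -Type DWord
    # Do not delete a policy value silently; tell the operator it will override this.
    if (Test-Path $policyKey) {
        Write-Warning "A Group Policy value exists under $policyKey and takes precedence over the local setting."
    }
}

Get-AutoUpdateMode | Format-List Source, AUOptions, Mode
# To switch to the column's recommendation ("notify only"), run from an elevated shell:
# Set-AutoUpdateMode -AUOptions 2
```

The Automatic Updates service (wuauserv) reads the value when it starts, so after changing it either restart that service or reboot before trusting what Security Center shows. If the report says Source is Policy, the Security Center dialog will be greyed out and the change has to be made in the policy, not here.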
What happened last month, Part I
Permit me to summarize the Windows Automatic Updates Out-of-Box Experience
of the past month, from a consumer's perspective.
On April 11, 2006 - a Patch Tuesday that will live in infamy - Microsoft
released four collections of patches. Two were relatively innocuous, at
least for Windows consumers.
One of the patch collections, MS06-016 (911567), "patched" Outlook Express
on some PCs so well that OE could no longer open its address book. Microsoft's
own write-up of that failure is KB 917288.
Many people who had Windows set for automatic updating got up one morning,
sat down at their PCs, downloaded their mail, and suddenly discovered that
they couldn't reply to messages. Every time they tried to get into their
address books, Windows just sat there. Without their knowledge, Microsoft
had simply reached into their PCs and broken Outlook Express. No warning. No
thank you very much. No nuthin'.
The other patch collection, MS06-015 (908531), contained a new, inadequately
tested Mr. Hyde version of a program called verclsid.exe (the helper the patch
interposes to vet shell extensions before Explorer loads them) that wreaked all
sorts of havoc on some machines:
- Windows Explorer would freeze when attempting to get into My Documents or
My Pictures.
- Word and Excel would freeze when trying to open or save a doc in My
Documents.
- Internet Explorer would freeze unless you typed http:// in front of a Web
address.
And so on. Microsoft's lengthy error list is at KB 918165. That article
currently sits at version 4.2, having undergone three major revisions and
then some - a sure sign that the error list itself had numerous errors.
Although the MS06-015 patch was officially released on Tuesday, Apr. 11, it
wasn't pushed out the Automatic Update chute in the U.S. until that Saturday
or Sunday. Lots of people trying to finish their income taxes over that
last-minute April 15 "tax weekend" ran scrambling for alternatives when they
discovered they couldn't use Excel or Internet Explorer.
What happened last month, Part II
Last month's auto-update debacle doesn't stop there. For the first time in
history, Microsoft released a passel of three more patches, out of cycle,
two weeks after Patch Tuesday. Except, er, uh, two of the three "critical
patches" weren't really critical patches at all.
The first patch patched the MS06-015 patch by jiggering a couple of Registry
settings: it adds the third-party shell extensions that verclsid.exe had been
choking on to an exclusion list, so they are no longer checked. Microsoft gave
fair warning - the fix was widely anticipated and
appears to stop the insanity generated by the original patch. Victimized
Windows consumers who left automatic updates on suddenly discovered, almost
two weeks after the original botch job, that Word and Excel and Windows
Explorer and Internet Explorer started working properly again. Magic.
The second mid-month out-of-sequence patch still leaves me scratching my
head. Microsoft pushed an obscure five-month-old patch through the automatic
update system, with no forewarning, no explanation, and no reason that I can
discern. That patch (900845) replaces a program called aec.sys, which is the
acoustic echo cancellation driver used by DirectSound, of all things. My guess - and it's only a
guess - is that Microsoft somehow accidentally released this patch into the
Automatic Updates food chain. Kinda makes me shudder.
The third mid-month "critical update" patch - which also got shoved onto all
PCs with automatic update activated - isn't a patch at all, critical or
otherwise. It's the new version of Windows Genuine Nagware, er, Windows
Genuine Advantage.
With this little gem installed (905474), if Microsoft's computers can't
verify your copy of Windows, your desktop gets plastered with all sorts of
irritating, incessant nags. As far as I can tell there was little, if any,
advance warning that this "critical update" (yeah, sure) was going to get
rammed down U.S. users' throats in an out-of-cycle mid-month automatic
update. I could find nothing but this press release, dated the same day
Windows Genuine Nagware spewed down the Automatic Updates chute.
From where I stand, Microsoft has shown that it'll use Automatic Updates to
shove any software change onto any system that it darn well pleases, any
time it likes. This isn't a conspiracy theory. Microsoft isn't a monolith.
There's no Big Brother or master plan behind it all, no Mini-Me lurking in
the shadows. Instead, what we're seeing is a bunch of stupid decisions,
propagated to a hundred million PCs, by people who have demonstrated,
repeatedly, that they can't be trusted with the task.
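The practical question all of this raises is which of these updates actually landed on a given PC, and when. The following is an added example, not code from the column: it inventories the updates named in this piece using Win32_QuickFixEngineering, the WMI class behind the "Show updates" view in Add or Remove Programs, with the Uninstall registry key as a fallback for items (such as WGA Notifications) that I assume may register only there. It assumes PowerShell on Windows XP SP2; the KB numbers are the bulletin numbers for MS06-015 (908531) and MS06-016 (911567) plus the two out-of-cycle items exactly as cited above (900845, 905474).

```powershell
# Added example: which of the April 2006 updates discussed above are on this
# machine, and when they arrived. Not from the original column.
$watchList = @{
    'KB908531' = 'MS06-015 Windows Explorer (verclsid.exe)'
    'KB911567' = 'MS06-016 Outlook Express cumulative update'
    'KB900845' = 'aec.sys update pushed out of cycle (number as cited in the column)'
    'KB905474' = 'Windows Genuine Advantage Notifications'
}

function Get-InstalledWatchedUpdates {
    # Hotfixes registered with the servicing stack show up here with an install date.
    $qfe = Get-WmiObject -Class Win32_QuickFixEngineering |
           Where-Object { $_.HotFixID -match '^KB\d+' }

    # Assumption: packages that only appear in Add or Remove Programs (no QFE
    # record) still create a subkey named after their KB under Uninstall.
    $uninstall = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' `
                     -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.PSChildName }

    foreach ($kb in ($watchList.Keys | Sort-Object)) {
        $hit = $qfe | Where-Object { $_.HotFixID -eq $kb } | Select-Object -First 1
        New-Object PSObject -Property @{
            KB          = $kb
            Description = $watchList[$kb]
            Installed   = [bool]($hit -or ($uninstall -contains $kb))
            InstalledOn = $(if ($hit) { $hit.InstalledOn } else { $null })
            Source      = $(if ($hit) { 'QFE' } elseif ($uninstall -contains $kb) { 'Uninstall key' } else { '' })
        }
    }
}

Get-InstalledWatchedUpdates |
    Format-Table KB, Installed, InstalledOn, Source, Description -AutoSize
```

Run it before and after a Patch Tuesday weekend and diff the output; an entry that appears with a date you never approved is exactly the behaviour the column describes. InstalledOn is a string on XP, so sort on it only after converting it with [datetime].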
There is a better way
Keeping your PC working well is a tough job. You know that.
Big companies employ network admins who get to wrangle with Microsoft's
offal before updating company computers. It's a tough, thankless job.
But what of us lowly individual Windows consumers? We're left holding the
bag. Cannon fodder. We're the folks who get hit with the bugs - the
unwitting beta testers for Microsoft's frequently ill-prepared patches and
funny little nagware programs, too.
I say it's time for Windows consumers to take their patching destinies into
their own hands. Turn off Automatic Updates. Sit and watch and listen, and
judge for yourself when it's time to patch or not to patch. Keep your eyes
on this newsletter, on my Microsoft Patch Reliability Ratings page, watch
the newsgroups, and any other places you can find that have an independent
point of view. Listen to people you know and trust before letting Microsoft
monkey around with your PC.
My critics will have you believe that failing to patch Windows at the very
moment Microsoft pushes a patch down the automatic update chute will leave
you poor, helpless, befuddled and (worst of all!) vulnerable. Poppycock.
Microsoft itself waits to see if its newly released patches cause problems
before sending them through auto-update. The major problem: they don't wait
long enough!
Very, very few people get hit with exploits based on newly announced
security holes shortly after Microsoft's patches appear. Yes, you need to
patch your system. No, you don't need to do it right away, particularly if
you keep the rest of your security arsenal updated and working properly.
Take your time. The machine you save may be your own.