Readers have asked me, “How quickly is my computer protected after Patch
Tuesday, if I have auto-updates turned on?”

The question arises because most of the patches that Microsoft posted on
Aug. 8 took a lot longer than usual to download. It appears that Windows Update,
when configured to
download and install patches automatically, didn’t start downloading most
patches until three days after Patch Tuesday. Some PCs didn’t auto-install all
of the security patches until nine days had passed.

A sweeping review of 10 security suites published in a major computer magazine
last month featured some very unlikely rankings for this crucial category of products.
After examining the evidence, I’ve found that some material facts were omitted from
the article, rendering its ratings useless.

Windows Live Messenger — the successor to MSN Messenger — hit the stands
a week ago on Wednesday. That was version 8.0.0787. Ancient history.
Less than two days later, Microsoft released a new version, 8.0.0792. Hooo boy.
Here we go again.

I announced in the July 13 newsletter that Shavlik Technologies, a well-known
patch-management vendor, had released a free and capable
replacement for Microsoft’s Windows Update (WU) service.
The Shavlik program, known as NetChk Protect, is free for
up to one year, can remotely update 1 to 10 PCs from a single PC on a network, and
supports far more programs than Microsoft’s offering does.

In my last issue, I reported that Microsoft’s in-house Windows Update routine
is now likely to download marketing gimmicks such as Windows Genuine Advantage to your
PC. I advised all Windows users, other than novices, to turn off Automatic

The Internet interprets Microsoft as damage and routes around it.
My apologies to John Gilmore for tweaking his famous 1993
quote about censorship. But the above statement just happens to sum up the
alternatives Windows users are adopting ever since Microsoft’s “Windows Genuine
Advantage” (WGA) debacle.

Windows Genuine Advantage — the controversial program Microsoft
auto-installed as a "critical security update" on many PCs starting on Apr. 25 —
not only causes problems for many users but has now been proven to send
personally identifiable information back to Redmond every 24 hours.
This behavior clearly fits any plausible definition of "spyware." Some tech
writers have said categorizing WGA as spyware is arguable. But I have no
hesitation in calling the program a security nightmare that Microsoft should
never have distributed in its present form.

I published a Woody Leonhard column as the top story last issue while I
was traveling, knowing that he’s opinionated and always gets strong reactions.
Well, he didn’t disappoint me.
Reacting to several mistakes Microsoft made in its Automatic Updates downloads
in April, Woody railed against Redmond’s patching strategy, saying, “Windows
auto-update is for chumps.”

For years I’ve been advising Windows consumers to disable Automatic Updates:
Keep Microsoft’s mitts off your machine until you’re darn sure the
proffered patches do more good than harm.
I’ve taken a lot of flak for that heretical stance, vilified for intimating that
Microsoft’s patching process leaves consumers in the lurch. Bah. Recent events
have proved my point conclusively: Windows auto-update is for chumps.

Microsoft re-released on Apr. 25 a security patch that had been issued 14
days earlier in the company’s monthly Patch Tuesday schedule.
The original version of security bulletin MS06-015 causes problems with Microsoft
Office and other apps when you try to open or save files in the My Documents
folder; with Internet Explorer when you type Web addresses into the Address Bar;
and with an untold number of other programs.
The Redmond company says the problems are being caused by older versions of HP
Share-to-Web software, nVidia graphics drivers, and Kerio Personal Firewall. But
I believe there may be other conflicts at work, as I discuss below.