By Brian Livingston

I published a Woody Leonhard column as the top story last issue while I was traveling, knowing that he’s opinionated and always gets strong reactions. Well, he didn’t disappoint me.
Reacting to several mistakes Microsoft made in its Automatic Updates downloads in April, Woody railed against Redmond’s patching strategy, saying, “Windows auto-update is for chumps.”
Woody made some very good points, which Microsoft has done nothing to rebut. There’s an important lesson here. I’m going to use this space today to give you the best advice I’ve been able to pull together.
An April that will live in infamy
For those who don’t know the details of what I call Microsoft’s April Fool’s patches, here’s a quick recap, in increasing order of severity:
• An obscure hotfix for XP SP2 machines, patch 900485 from Dec. 2005, was downloaded as a “critical” security patch via Automatic Updates on Apr. 25, two weeks after Redmond’s regular Patch Tuesday distribution. Almost no one needed this hotfix, although it seems to have done no harm. It was apparently inserted into the Automatic Updates mechanism by accident, according to some newsgroup comments, although Microsoft still hasn’t explained the gaffe.
• Security bulletin MS06-016, released on Apr. 11, made it impossible for some users of Microsoft’s free Outlook Express e-mail program to open their Address Books or reply to e-mails. Microsoft acknowledged this on Apr. 26 and published Knowledge Base article 917288. The company describes how to back up, delete, and then import the Address Book to fix OE. But Redmond, six weeks later, hasn’t issued a corrected MS06-016 patch to save people from having the problem in the first place.
• MS06-015, released on the same Patch Tuesday as MS06-016, conflicted with widely used nVidia video drivers, some HP printer/scanner/CD/DVD software, Kerio Personal Firewall, and some other applications, as described in KB 918165. The problem caused Microsoft Office components and some other apps to freeze when accessing files in My Documents or My Pictures, interfered with Windows Explorer and Send To, and prevented Internet Explorer from visiting typed-in Web addresses unless they were prefixed with http. The security bulletin was re-released on Apr. 25 so users could install a version that corrects the problems.
• Windows Genuine Advantage, a Microsoft program that checks Windows installations for valid licenses, was pushed out as a “critical” security update to the U.S., U.K., Australia, and other countries beginning on Apr. 25. It’s impossible to use Add/Remove Programs to remove the GA app, which displays warnings (once per hour after 14 days) if the software considers a copy of Windows to be nonlicensed. (Microsoft explains in KB 905474 how to disable the warnings until the next update is installed.)
I consider the surprise Genuine Advantage downloads to be the most severe blunder. Microsoft had previously said the tool would be strictly opt-in, but the midnight installs flooded some companies’ help desks with calls from panicked users. No one expects Microsoft to give away its products for free. No responsible company, however, slams its biggest, most legitimate customers with a change of this magnitude with little or no notice other than a press release the day before.
In the face of the missteps described above, Microsoft has said almost nothing by way of explanation. The Redmond company is filled with thousands of talented and well-meaning developers, but they don’t drive the corporation’s policy in this area. After several inquiries seeking comment, a Microsoft spokeswoman told me: “Unfortunately, we are unable to provide you with an interview at this time due to lack of spokesperson availability.”
I’ve previously said that home users of Windows (as opposed to advanced users) should keep Automatic Updates turned on. That was because Microsoft assured the public that Automatic Updates would only be used to distribute security updates rated as “critical.” Microsoft’s abuse of its security upgrade mechanism to stealthily install Genuine Advantage, in addition to April’s outrageously buggy patches, is inexcusable. It’s clear that corporate executives have made a deliberate decision to use Automatic Updates to install software that benefits the company, whether or not it helps users or has any relationship to users’ security.
Pros update manually, novices automatically
Because of the April Fool’s patches, I want to clarify my recommendations on who should keep Automatic Updates turned on and who should use the Control Panel to turn it off.
• Advanced users (including companies with full-time IT staff) should never use Automatic Updates. Professionals should first test Microsoft patches — and every other company’s patches — on isolated machines. Read the free and paid versions of the Windows Secrets Newsletter that are published 2 days after Patch Tuesday with warnings of problems. Then use patch-management techniques to carefully install the needed upgrades to end users.
• Novice users, who can’t or won’t read up on reported patch problems before updating their machines, should leave Automatic Updates turned on. Beginners have a greater risk of catching a virus than they do of encountering a serious patch incompatibility.
Some advanced users may disagree with my recommendation that novices should leave Automatic Updates turned on. If you’re the main tech support for a newbie, I’d say you can disable AU if a PC has the four items in our recommended Security Baseline (below), which provides good general security. Patches should still be installed manually within a few days of release, after you check news reports for potential conflicts.
Supporting Grandma’s PC means auto-update
We received many comments supportive of Woody’s distrust of Automatic Updates, which he’s been publicly stating for years. We can give you only an overview here of the positive and negative reactions. As a representative of those who dispute Woody’s view, reader Dave Nickason writes:
- “It is irresponsible for Woody to argue for people to turn off AU unless he wants to be the one supporting the unpatched machines of all of our parents, grandparents, and siblings. Some novice PC user like my 81-year-old Dad will take that advice, never patch again, and I’ll be left to reinstall Windows when his system quits working.”
Microsoft is a business, get used to it
Other readers also made a distinction between novices and power users, while not applauding Microsoft for its behavior. Reader Kevin Gagel writes:
- “I’m writing in response to Woody Leonhard’s article about Micro$oft’s automatic updates.
“While I agree in principle with Woody’s assessment of M$’s trustworthiness, I cannot agree with disabling the auto-update feature.
“I’ve witnessed firsthand the benefit of having it enabled, as well as seeing how it can fail us.
“Nonetheless, I have witnessed far more ‘good’ (I shudder to think M$ can do good) than bad by updating systems automatically.
“What users out there have the ability to ‘test’ a patch before applying it? What users out there will ‘know’ when it is the right time to apply a patch?
“Since M$’s activation of what they call a firewall, I’ve witnessed a huge reduction of viruses being e-mailed to us.
“Leaving systems vulnerable because of someone’s incompetence is not the answer. Woody should know that there is a larger number of technically inept end users than there are technically savvy.
“I think that Woody could have done a better job (and justice to the end users) if he’d presented a better balanced position of pros and cons instead of just espousing his nonconspiracy conspiracy theory.
“M$ is and always has been a business looking to make a buck. It will do whatever it takes to protect that, including pushing noncritical “critical patches” that verify the system is not running a bootleg copy of Windoze.”
Do one thing at work, another at home
A different opinion was provided by those who are required to auto-update by work policies, but disable Automatic Updates on personal machines, to which they’re willing to devote more care. A reader who goes by the name Ralphy writes:
- “Unfortunately, some of us don’t have the luxury of a corporate environment. I work for a Department of Defense unit and must have our boxes patched within a certain time frame. It is impossible for our office to be able to ‘test,’ then patch. We have too many boxes stretched over a large area.
“If it weren’t for automatic updates, we would be spending a lot more time doing updates rather than other mission-essential items. I do agree that last round was bad, but out of 500 machines only 3 were bothered by the update that you spoke of. Those were the only ones we had to fix.
“Having said all of that, at home, I do the opposite. I wait for 2 weeks before I run the updates manually. I’ll let the rest of the world be Microsoft’s test bed and see what works and what doesn’t.
“However, I still rated it a good article but not for the business world.”
Why Security Baseline recommends MS Update
A few readers questioned two lines in our Security Baseline that recommend using Microsoft Update for MS software and whatever auto-update features other vendors’ software may have. Reader Russell Atwood writes:
- “In issue 75, I found it humorous to have a long article from Woody Leonhard on the trials and tribulations of Windows Automatic Update (don’t let it happen to you), and in the Security Baseline, instruct customers to do exactly what Mr. Leonhard says don’t do (turn on Automatic Update).
I understand both sides, but it still makes me smile with the irony of it.
Great newsletter, keep up the good work.”
To make myself perfectly clear, I’m adding to the Security Baseline a recommendation that advanced users disable AU and study the latest copy of this newsletter before installing any Patch Tuesday upgrades.
Norton Internet Security imposes auto-updates
Norton Internet Security, a software security suite, flags a “problem” when users choose manual updates, and, according to the second reader below, switches Windows’ Automatic Updates back on unless its own auto-update setting is turned off as well. Reader John Lambert writes:
- “My Norton Security flags me that I have 1 ‘problem’ affecting my system when I take Woody’s advice to select a button other than the option to take auto-update. Should I worry about this?”
- “Turning off Windows’ auto-update may not be enough to prevent a nasty update surprise. Those who use Norton Internet Security should be aware that Norton will automatically turn on Windows’ Automatic Updates unless you turn off automatic updates in Norton. You will continue to get Windows’ Automatic Updates downloaded and installed whether you like it or not.
Turn off automatic updates in Windows and Norton if you want any hope of control over updates.”
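The advice above (advanced users turn Automatic Updates off and patch by hand; a security suite may silently turn it back on) comes down to one question a practitioner should be able to answer from the command line: which AU setting will this machine actually honour? The PowerShell script below is an added example, not code from the newsletter, from Microsoft, or from Symantec. It assumes the two standard registry locations, the Group Policy key (HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU) and the per-machine Control Panel preference key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update), and the usual AUOptions encoding (1 = off, 2 = notify only, 3 = download and notify, 4 = fully automatic, 5 = let the local admin choose). Function names are my own. PowerShell post-dates the XP machines discussed here, but the same values can be read on them with `reg query`; newer Windows releases mainly honour the policy key.

```powershell
# Added example: report the effective Windows Automatic Updates setting and
# optionally change the Control Panel preference. Run from an elevated prompt
# to change values. Registry paths and value names are assumed to be the
# standard AU policy and preference locations.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$PrefKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# AUOptions uses the same encoding in both keys.
$AUOptionNames = @{
    1 = 'Automatic Updates turned off'
    2 = 'Notify before downloading or installing'
    3 = 'Download automatically, notify before installing'
    4 = 'Download and install automatically on a schedule'
    5 = 'Allow the local administrator to choose'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent instead of throwing.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-AUState {
    # A policy value (Group Policy / WSUS) takes precedence over the Control
    # Panel preference, so check it first.
    $noAuto  = Get-RegValue $PolicyKey 'NoAutoUpdate'
    $polOpt  = Get-RegValue $PolicyKey 'AUOptions'
    $prefOpt = Get-RegValue $PrefKey   'AUOptions'

    if ($noAuto -eq 1) {
        $effective = 1;        $source = 'policy (NoAutoUpdate=1)'
    } elseif ($null -ne $polOpt) {
        $effective = $polOpt;  $source = 'policy (AUOptions)'
    } elseif ($null -ne $prefOpt) {
        $effective = $prefOpt; $source = 'Control Panel preference'
    } else {
        $effective = $null;    $source = 'not configured (Windows default applies)'
    }

    $meaning = 'unknown'
    if ($null -ne $effective) {
        $name = $AUOptionNames[[int]$effective]
        if ($name) { $meaning = $name }
    }

    New-Object PSObject -Property @{
        Effective = $effective
        Meaning   = $meaning
        Source    = $source
    }
}

function Set-AUPreference([int]$Option) {
    # Writes the Control Panel preference (not the policy). 1 turns AU off;
    # 2 keeps the machine aware of new patches without downloading them.
    if ($Option -lt 1 -or $Option -gt 5) { throw "AUOptions must be 1..5, got $Option" }
    if (-not (Test-Path $PrefKey)) { New-Item -Path $PrefKey -Force | Out-Null }
    Set-ItemProperty -Path $PrefKey -Name 'AUOptions' -Value $Option -Type DWord
}

# Show what the machine will actually do.
Get-AUState | Format-List Effective, Meaning, Source
```

Run `Get-AUState` once after configuring the machine and again after installing or updating any third-party security suite; if the Source or Effective value has changed, something rewrote the setting behind your back, which is exactly the case the reader above reports with Norton. Because a policy value outranks the preference, setting NoAutoUpdate=1 under the policy key (or `Set-AUPreference 2` plus a check that no policy value exists) is the way to make a manual-update decision stick; whether a given product also touches the policy key is something to verify with the same check rather than assume.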
The readers named above will receive a gift certificate for a book, CD, or DVD of their choice for sending me comments that I printed. To send more information about auto-updates, or to send a tip on any other subject, visit WindowsSecrets.com/contact.
Ads accepted by most, with caveats
We re-introduced ads into the May 11 issue of the newsletter. We had kept a moratorium on ads for more than a year after some major ISPs bounced one of our newsletters over an advertiser’s URL that had been abused. We now host all of our own links, which should eliminate the problem.
We received only 3 or 4 readers’ comments of concern about accepting ads, so we’ll keep doing so. But the questions are legitimate and worth addressing. Reader Kim Vong writes:
- “This creates an issue which you will have to address somehow. We have all learned from the Internet, if not from everyday human interaction, to Trust No One. We now have the possibility of ‘Rate our product at the top or we will pull our ads,’ so you can ‘compromise’ by offering to make them #2. You could be, and probably are, 100% honest, but now there’s this doubt lurking. …
“Your newsletter is great! It’s only the product recommendations that I will no longer bother with.”
In rare cases, such as our Jan. 26, 2006, test of antispam appliances, we do take matters into our own hands. But we published this test only because no major magazine had yet discovered the inexpensive yet high-performing alternatives we’d found. We can afford to underwrite such tests only very infrequently.
We’ll continue to print the Security Baseline in each issue of the newsletter, so everyone knows which products are the minimum needed to protect their Windows PCs. Our statements of which security products are currently the highest-ranked are determined solely by adding up the Editors’ Choice awards from big-name reviewers like those mentioned above. Advertisers can’t dictate which security products have received the most top ratings — we simply compile the scores.
It’s important to note that all of the test publications we’ve mentioned do accept advertising of their own. Advertisers may have some effect some of the time, but they can’t bias the test results of all of these labs all of the time. We feel that averaging these testers’ top ratings will always reveal a few strong contenders for your consideration.
Which content is ads and which is editorial?
A separate concern is that there be a clear distinction between editorial matter and advertising. Reader Philip Pearlman writes:
- “If you are going to allow adverts — which is an undesirable feature from this reader’s POV — are the products advertised approved by WindowsSecrets? If not, why not?”
We’ll never allow advertising for any products or services that are harmful or even just irrelevant to the users of Windows. No tobacco, alcohol, gambling, or adult-oriented products, and (in addition) we make advertisers adhere to Google.com’s rather strict requirements for ad content.
As a journalist, I’ve set up a Chinese Wall so that neither I nor my contributing editors can be pressured by advertisers. Communications with ad reps are headed up by WindowsSecrets.com’s research director Vickie Stevens, whose integrity shines through.
Thanks for your concerns about the newsletter. We intend to always remain worthy of your trust. We’ve learned from other Web sites that prove you can be well-respected while balancing multiple revenue sources. We’re certain that we can keep our dedication to our writing and our readers intact.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
To auto-update or not to auto-update
After our battle scars from the April patches, Microsoft’s May patches were a bit of a breather for consumers.
It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was… Nawww… It was just Windows XP playing tricks.
There’s more evidence to suggest that vulnerabilities are going back underground. Or at least, going to the highest bidder.
It used to be that a “zero-day” exploit was a concept that companies like Microsoft treated as a myth. The idea that a vulnerability could be found in one of their products and an exploit for it released at the same time was something no one wanted to believe could happen.