Windows Secrets Newsletter • Issue 75 • 2006-05-11 • Circulation: over 400,000

By Woody Leonhard

For years I’ve been advising Windows consumers to disable Automatic Updates: Keep Microsoft’s mitts off your machine until you’re darn sure the proffered patches do more good than harm.

I’ve taken a lot of flak for that heretical stance, vilified for intimating that Microsoft’s patching process leaves consumers in the lurch. Bah. Recent events have proved my point conclusively: Windows auto-update is for chumps.

The auto-update process

Take a second right now to check your auto update settings. Click Start, Control Panel, Security Center. Don’t click the Automatic Updates bar at the top — Microsoft has the dialog box rigged to turn on auto-updating if you click around indiscriminately. Instead, click the "Automatic Updates" line at the bottom of the Security Center. Windows shows you an official-looking dialog box — "Help Protect Your PC," it says — with a cheerful good green shield at the top and a naughty bad red shield at the bottom.

If you’re setting up Windows for your Great-Aunt Millicent who frets that playing Solitaire will lock up her PC, go ahead and click "Automatic (recommended)" and resign yourself to your technical co-dependent relationship.

But if you’re even moderately conversant with Windows — certainly if you’re reading this newsletter — check one of the other buttons. I recommend "Notify me but don’t automatically download or install them." That way I have two chances to catch myself before installing everything Microsoft pushes out the Patch Tuesday door.

With auto updates disabled, the next time Microsoft has a "critical" patch that it wants to push onto your machine, a balloon will pop up out of a yellow shield in the system tray, next to the clock at the bottom of the screen. The balloon will ask your permission to download and/or install whatever software Microsoft has on offer. Your job is to refrain from giving that permission until millions of clueless Windows users have an, uh, opportunity to beta test Microsoft’s latest missives.

What happened last month, Part I

Permit me to summarize the Windows Automatic Updates Out-of-Box Experience of the past month, from a consumer’s perspective.

On April 11, 2006 — a Patch Tuesday that will live in infamy — Microsoft released four collections of patches. Two were relatively innocuous, at least for Windows consumers.

One of the patch collections, MS06-016 (917288), “patched” Outlook Express on some PCs so well that OE couldn’t open its address book.

Many people who had Windows set for automatic updating got up one morning, sat down at their PCs, downloaded their mail, and suddenly discovered that they couldn’t reply to messages. Every time they tried to get into their address books, Windows just sat there. Without their knowledge, Microsoft had simply reached into their PCs and broken Outlook Express. No warning. No thank you very much. No nuthin’.

The other patch collection, MS06-015 (911562) contained a new, inadequately tested Mr. Hyde version of a program called verclsid.exe that wreaked all sorts of havoc on some machines:

• Windows Explorer would freeze when attempting to get into My Documents or My Pictures.

• Word and Excel would freeze when trying to open or save a doc in My Documents.

• Internet Explorer would freeze unless you typed http:// in front of a Web address.

And so on. Microsoft’s lengthy error list is at KB 918165. That article currently sits at version 4.2, having undergone three major revisions and then some — a sure sign that the error list itself had numerous errors.

Although the MS06-015 patch was officially released on Tuesday, Apr. 11, it wasn’t pushed out the Automatic Update chute in the U.S. until that Saturday or Sunday. Lots of people trying to finish their income taxes over that last-minute April 15 "tax weekend" ran scrambling for alternatives when they discovered they couldn’t use Excel or Internet Explorer.

What happened last month, Part II

Last month’s auto-update debacle doesn’t stop there. For the first time in history, Microsoft released a passel of three more patches, out of cycle, two weeks after Patch Tuesday. Except, er, uh, two of the three "critical patches" weren’t really critical patches at all.

The first patch patched the MS06-015 patch by jiggering a couple of Registry settings. Microsoft gave fair warning — the fix was widely anticipated and appears to stop the insanity generated by the original patch. Victimized Windows consumers who left automatic updates on suddenly discovered, almost two weeks after the original botch job, that Word and Excel and Windows Explorer and Internet Explorer started working properly again. Magic.

The second mid-month out-of-sequence patch still leaves me scratching my head. Microsoft pushed an obscure five-month-old patch through the automatic update system, with no forewarning, no explanation, and no reason that I can discern. That patch (900845) replaces a program called aec.sys, which is an acoustic error-canceling driver, of all things. My guess — and it’s only a guess — is that Microsoft somehow accidentally released this patch into the Automatic Updates food chain. Kinda makes me shudder.

The third mid-month "critical update" patch — which also got shoved onto all PCs with automatic update activated — isn’t a patch at all, critical or otherwise. It’s the new version of Windows Genuine Nagware, er, Windows Genuine Advantage.

With this little gem installed (905474), if Microsoft’s computers can’t verify your copy of Windows, your desktop gets plastered with all sorts of irritating, incessant nags. As far as I can tell there was little, if any, advance warning that this "critical update" (yeah, sure) was going to get rammed down U.S. users’ throats in an out-of-cycle mid-month automatic update. I could find nothing but this press release, dated the same day Windows Genuine Nagware spewed down the Automatic Updates chute.

From where I stand, Microsoft has shown that it’ll use Automatic Updates to shove any software change onto any system that it darn well pleases, any time it likes. This isn’t a conspiracy theory. Microsoft isn’t a monolith. There’s no Big Brother or master plan behind it all, no Mini-Me lurking in the shadows. Instead, what we’re seeing is a bunch of stupid decisions, propagated to a hundred million PCs, by people who have demonstrated, repeatedly, that they can’t be trusted with the task.

There is a better way

Keeping your PC working well is a tough job. You know that.

Big companies employ network admins who get to wrangle with Microsoft’s offal before updating company computers. It’s a tough, thankless job.

But what of us lowly individual Windows consumers? We’re left holding the bag. Cannon fodder. We’re the folks who get hit with the bugs — the unwitting beta testers for Microsoft’s frequently ill-prepared patches and funny little nagware programs, too.

I say it’s time for Windows consumers to take their patching destinies into their own hands. Turn off Automatic Updates. Sit and watch and listen, and judge for yourself when it’s time to patch or not to patch. Keep your eyes on this newsletter, on my Microsoft Patch Reliability Ratings page, watch the newsgroups, and any other places you can find that have an independent point of view. Listen to people you know and trust before letting Microsoft monkey around with your PC.

My critics will have you believe that failing to patch Windows at the very moment Microsoft pushes a patch down the automatic update chute will leave you poor, helpless, befuddled and (worst of all!) vulnerable. Poppycock. Microsoft itself waits to see if its newly released patches cause problems before sending them through auto-update. The major problem: they don’t wait long enough!

Very, very few people get hit with exploits based on newly announced security holes shortly after Microsoft’s patches appear. Yes, you need to patch your system. No, you don’t need to do it right away, particularly if you keep the rest of your security arsenal updated and working properly.

Take your time. The machine you save may be your own.

Woody Leonhard writes books about Windows and Office. His most recent works are Windows XP All-In-One Desk Reference For Dummies, Windows XP Timesaving Techniques For Dummies, Windows XP Hacks & Mods For Dummies, Office 2003 Timesaving Techniques For Dummies, and Special Edition Using Office 2003 (with Ed Bott).