Thursday, May 25, 2006

When in Doubt, Leave it Out: Windows Update Mess

April Windows Update Woes

Here are Microsoft's April Fool's patches, starting with the small ones at the top and going to the worst ones below:

• Obscure hotfix for XP SP2 machines, patch 900485 from Dec. 2005, downloaded as a "critical" security patch via Automatic Updates on Apr. 25, two weeks after Redmond's regular Patch Tuesday distribution. Almost no one needs this hotfix, although it seems to have done no harm. It was apparently inserted into the Automatic Updates mechanism by accident, according to some newsgroup comments, although Microsoft still hasn't explained the gaffe.

• Security bulletin MS06-016, released on Apr. 11, makes it impossible for some users of Microsoft's free Outlook Express e-mail program to open the Address Book or reply to e-mails. Microsoft acknowledged the problem on Apr. 26 and published Knowledge Base article 917288. The company describes how to back up, delete, and import the Address Book to fix Outlook Express. But, six weeks later, it hasn't issued a corrected MS06-016 patch to save people from having this problem in the first place.

• MS06-015, released on the same Patch Tuesday as MS06-016, conflicts with widely used nVidia video drivers, some HP printer/scanner/CD/DVD software, Kerio Personal Firewall, and some other applications, as described in KB 918165. The problem caused Microsoft Office components and some other apps to freeze when accessing files in My Documents or My Pictures, interfered with Windows Explorer and Send To, and prevented Internet Explorer from visiting typed-in Web addresses unless they were prefixed with http. The security bulletin was re-released on Apr. 25 so users could install a version that corrects the problems.

• Windows Genuine Advantage, the Microsoft program that checks users' Windows installations for valid licenses, was pushed out as a "critical" security update to the U.S., U.K., Australia, and other countries beginning on Apr. 25. It's impossible to use Add/Remove Programs to remove the GA app, which displays warnings (once per hour after 14 days) if the software considers a copy of Windows to be nonlicensed. (Microsoft explained in KB 905474 how to disable the warnings until the next update is installed.)

What a surprise: this Genuine Advantage download is a major blunder of trust. Microsoft previously said this tool would be strictly opt-in, but these automatic midnight installs flooded companies' help desks with calls from panicking users. Nobody expects Microsoft to give away products for free, but no responsible company slams its biggest, most legitimate customers with a change like this with little or no notice other than a press release the day before.

In the face of the screwups above, Microsoft has offered no explanation. The Redmond company might be filled with thousands of talented developers, but they don't drive the corporation's overall policy. Inquiries seeking comment drew this response from a Microsoft spokeswoman: "Unfortunately, we are unable to provide you with an interview at this time due to lack of spokesperson availability."

Maybe home users of Windows (as opposed to advanced users) should keep Automatic Updates turned on. That was when Microsoft assured the public that Automatic Updates would only be used to distribute security updates rated as "critical." That Microsoft abused its security upgrade mechanism to stealthily install Genuine Advantage, in addition to these many outrageously buggy patches, is inexcusable. It's clear that MSFT corporate executives have made a deliberate decision to use Automatic Updates to install software that benefits the company, whether or not it helps users or has any relationship to users' security.

Pros update manually, novices should too

• Advanced users (including companies with full-time IT staff) should never use Automatic Updates. Professionals should first test Microsoft patches — and every other company's patches — on isolated machines. Read the free and paid versions of the Windows Secrets Newsletter that are published 2 days after Patch Tuesday with warnings of problems. Then use patch-management techniques to carefully install the needed upgrades to end users.

• Novice users, who can't or won't read up on reported patch problems before updating their machines, should leave Automatic Updates turned to Automatically Download, and Notify, but Do Not Install. Keep your anti-spyware and antivirus updated; most beginners have a greater risk of catching a virus than they do of encountering a serious patch need.

You can also disable Automatic Updates totally, as most patches should still be installed manually within a few days of release, after a thorough check of news reports for potential Microsoft screwups or software failures and conflicts.

