Flutterby™! : Russ Cooper on Windows Update

Next unread comment / Catchup all unread comments User Account Info | Logout | XML/Pilot/etc versions | Long version (with comments) | Weblog archives | Site Map | | Browse Topics

Russ Cooper on Windows Update

2003-05-15 16:24:34.889998+00 by Dan Lyke 1 comments

Russ Cooper, NTBugtraq editor, on the flaws of Windows Update. Required reading. Meanwhile, here in the development world Phil has finally actually had to work with real code, rather than just writing image processing loops that the rest of us have to integrate, and his enthusiasm for the Windows development environment has diminished to the "think I'm going to be using Linux for my home explorations". Ken yesterday described his experiences with Windows Server 2003 as "I guess they can't put the admins out of a job". In the face of all this, it's good to know that Microsoft is hard at work on translucent menus. Time to get Charlene's desktop machine switched to Linux, we need to be making the tweaks necessary to roll the better system out into the world.

[ related topics: Free Software Dan's Life Microsoft Open Source moron Work, productivity and environment ]

comments in ascending chronological order (reverse):

#Comment made: 2003-05-15 17:53:22.109727+00 by: Mark A. Hershberger [edit history]

From my email, since it looks like his site is being /.'ed.

Well, looks like Windows Update has once again shown how untrustworthy Microsoft can be. For at least the past several days Windows Update has been providing consumers with false information. WU users would connect, initiate the scan, the scan would complete and inform the user their system needed no patches. Wonderful, a clean bill of health, or so the consumer thought.

In reality, some flaw in the Windows Update process has led it to conclude that a system, in need of critical security patches, is instead clean and good to go on the Internet. In other words, if the security check fails, tell consumers they're just fine and don't need anything.

It's good that we don't need elaborate checklists and voodoo mojo security tools to check our systems; we only have to make a quick visit to Windows Update to be sure. Finally, with the introduction of Automatic Updates, we no longer even need to make that visit manually, we can trust that Microsoft will supply us with a properly tested security patch within 24 hours and patch our systems for us (unless we're running Windows XP and got MS03-013 when it was released to WU.)

A year ago I complained about Windows Update, with its registry only checking and myriad other problems. At the time Microsoft was distributing Shavlik's HFNetchk, and so at least with tools from Microsoft we could see the error of Windows Update's ways. That cry of disgust caused Microsoft to yank HFNetchk, because they hadn't licensed it and didn't have a formal agreement for its promotion. "Consumers be damned, make darn sure they're not getting conflicting information from us" seemed to be the rallying cry at Microsoft.

I questioned the Trustworthy Computing Initiative's value then because of that debacle. When asked by the media at the new year how I felt the Trustworthy Computing Initiative had progressed, I gave it an "F", or failing grade. Some wondered why, and pointed to things which the public hadn't seen as justification for TCI's benefits. Seems too many never bothered to read Bill Gates' memo. They failed to grasp the fact that TCI was in response to a public perception that Microsoft was not sufficiently trustworthy.

Has Microsoft done anything to change that perception? No, absolutely not I say! (emphatically)

Let me put it this way. Since the inception of Windows Update millions of computers have been infected with Trojan's that are today allowing individuals to conduct en-masse DDoS attacks. Read that how you want, but its a fact. Here's another. Since the inception of Windows Update Microsoft has gone to producing patches almost every week. Few if any business' have found Microsoft trustworthy enough to permit automatic updates. So since the inception of Windows Update Microsoft has increased the number of times an Administrator needs to patch every Windows system in his/her company. Since Windows Update Microsoft has made it increasingly difficult for an Administrator to avoid Windows Update. Despite the fact that at no time has Windows Update ever proven itself trustworthy, Microsoft continue to force you to use this unreliable mechanism more.

If anyone is wondering why Windows Update is a dog, again, consider the posts this week to NTBugtraq. You wouldn't believe the number of individual experiences I received regarding problems with Windows Update. No doubt Microsoft receives far more than I do. I can't believe that huge corporations are having the problems they are, nor can I believe they haven't received a reasonable answer from Microsoft as to why the problems exist. The fact that so many possible solutions were seen to correct problems with Windows Update also suggests the environment is far less stable than it even appears to me.

Consider, to use Windows Update reliably I need to;

  1. Ensure my system date is reasonably correct.
  2. Ensure my IE language setting hasn't disappeared for some reason. Even if it hasn't disappeared, try adding another language too.
  3. Ensure I don't have a network share connected which has more capacity than the drives on my own machine.
  4. Ensure that I am not setting up a new system and have set IE to check for certificate revocation.
  5. Ensure I'm checking from the system I want patches for, meaning all of the systems in my environment must be the same OS or I, as Administrator, have multiple systems to check for updates.
  6. Try HTTPS instead of HTTP if it says I need no patches, it may not have checked properly.
  7. Wonder if the backend systems for Windows Update are down, under maintenance, or just configured incorrectly if it says I need no patches, it may not have checked properly.
  8. Try MBSA, that's handled by a different development group than Windows Update so the errors might not occur in both environments, or may be different, so you can then have fun deducing the differences yourself.
  9. Wait some undetermined period of time and try again!
  10. Contact Microsoft and not get a response.

And with that list can anyone say Windows Update is reliable, or to use their words, trustworthy computing?

But hey, what's Windows Update after-all. Its just a consumer platform for trying to fix a problem which really isn't Microsoft's after all (read the Breakseal.) Corporate users aren't using Windows Update, they're running Software Update Services...if they have a Windows 2000 system that is, and if they have one for every group they're trying to update, and if have a test environment to check every fix, and if they don't mind handling a very long list of patches they've chosen not to deploy...etc...

If anyone was serious about beginning to tackle the trustworthiness of Microsoft, they'd have done something a year ago when I first called Windows Update a dog. See for yourself, have a look at my previous musings and then tell me what's been fixed or improved. If, like me, you see nothing...then the Trustworthy Computing Initiative once again gets an "F";

The following URLs are wrapped to 2 lines, you'll have to piece them together for them to work;



Hello, Microsoft, are you listening???

Everyone is free to reprint, quote, or forward any or all of this message anywhere they'd like, preferably to places where people with more influence with Microsoft than I will see it.

Cheers, Russ - NTBugtraq Editor

p.s. Here's a thought, how about getting Windows Update to remove Trojans??...;-]