Microsoft Security

Microsoft wants Automatic Update for Windows

Posted by CmdrTaco
from the brace-yourself-for-trouble dept.
Edward Dao writes "After the embarrassment of last week's Blaster worm, Microsoft is weighing the possibility of automatic update. Microsoft not only wants to upload the latest patch onto users' computers but also install it for them." This will work out really well for everyone I'm sure. Yikes! Can I at least press 'Ok' first?
  • oh yeah? (Score:5, Funny)

    by krisp (59093) * on Tuesday August 19, 2003 @09:29AM (#6732047) Homepage
    Of course, this will be implemented in such a way that implanting a fake RR for windowsupdate.microsoft.com into a local name server allows Windows to download and run any file with a certain file name. This should make it far easier to fool Windows Update into installing Linux.
    This will make Linux rollouts a breeze after buying all those Dells.

    Imagine the possibilities!

    Then again, the Microsoft Tax is cheaper than the SCO tax.
    • Re:oh yeah? (Score:5, Insightful)

      by killthiskid (197397) on Tuesday August 19, 2003 @09:39AM (#6732193) Homepage Journal

      Two things from the article:

      ...say that it is time to consider making software updates automatic for home users of the Windows operating system.

      And...

      The company is "looking very seriously" at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them...

      So... only for home users and users can shut it off!

      So don't freak out too much... maybe this will actually help... think if this had been in effect for slammer... we keep bitching that the 'patch was available, why didn't people use it!'... well, this would fix that problem.

      One other thing from the article:

      Microsoft also will begin shipping new versions of Windows XP with the built-in firewall activated by default, said Steve Lipner, director of the company's security engineering strategy.

      Now that makes sense!

      • I love home users. (Score:5, Interesting)

        by BoomerSooner (308737) on Tuesday August 19, 2003 @10:00AM (#6732390) Homepage Journal
        I have several people who use a web based service from my company that runs on Windows 2000 Server. I check for patches daily and install them as soon as I do a full backup (in case it shits out the whole system).

        My users kept calling saying "You have that Blaster Worm on your system because every time I try to connect my computer dies!". So I explain to them my systems have been patched for that exploit for over a month and I have run all the proper testing software to verify. I then ask if they have AntiVirus software installed and their reply is "I don't know.". Lol, I don't know, so it must be my server! I immediately tell them to invest in a copy of Norton Antivirus and Norton Firewall.

        Ah, the world of windows.

        The funny thing is if these same people were running linux they would be logged in as root and still execute whatever script someone sent them. I'm not too sure Linux would be any more secure than Windows because in windows you can also run as just a User. However, when doing that a significant number of poorly designed programs will not work.
        • by EvilTwinSkippy (112490) <yoda@e t o y o c .com> on Tuesday August 19, 2003 @11:03AM (#6732905) Homepage Journal
          The funny thing is if these same people were running Linux they would be logged in as root and still execute whatever script someone sent them.

          I definitely hear that. In fact Lindows operates in precisely this manner.

          I am increasingly convinced that our enemy is not Microsoft, or even SCO. Our enemy is cluelessness. If we could somehow impart the masses with an infinitesimal fraction of our sense of the big picture most of our problems would disappear.

          When I say "our" I mean all computer professionals. I don't give a rat's ass what kind of Guru you are, Networking, Windows, Linux, BSD, Mac, or PDP-11. We all share a chunk of "the clue". It is our duty to impart "the clue" onto others, without bias, and without favoring any particular implementation.

          What is the best way? I don't know. I can only shoot off a few half-baked ideas. My front-running suggestion is take an example from Mythology.

          Think about it. How many people do you know who never change their oil, yet decorate for Christmas, throw salt over their shoulder after spilling it, and avoid black cats and ladders? Imagine a computer mythology complete with ritual, dogma, and superstition. The masses have already developed their own misguided rituals; we should just go ahead and publish a book on the proper ones.

          Think about how complete a job all of the Greek gods did to explain weather, war, death, and fate. These are REALLY tough concepts even today. And yet, by putting names on them, giving them personalities, and endowing these creations with a sense of power, people bought into it.

          Of course, you should encourage those who show a natural aptitude to study computers in the conventional hacker sense. More or less the same way wizards always seemed to be operating on a different level than average folk.

          • by greenhide (597777) <jordanslashdot@c ... om minus math_go> on Tuesday August 19, 2003 @01:07PM (#6734717)
            I am increasingly convinced that our enemy is not Microsoft, or even SCO. Our enemy is cluelessness. If we could somehow impart the masses with an infinitesimal fraction of our sense of the big picture most of our problems would disappear.

            No, actually our enemy is the script kiddies and virus software writers whose goal is to shut down the whole system.

            Whether they do it for fun or ...Profit?!?, what they're doing is morally wrong, invasive, etc.

            And yet, it seems many here at Slashdot place all the blame on the users, and never on the virus writers. Heck, we've even deified some of these people and bitch and moan when virus writers are caught and put into jail.

            This is like blaming people for leaving their doors unlocked, rather than blaming the thieves who are actually doing the stealing.

            Obviously, it is our responsibility as slightly-more-savvy-than-average computer users to secure our own computers, and to encourage others to do the same.

            But the truth is, computers should be easy. If I use a fork, I shouldn't have to worry about tine alignment or upgrade its metallacity or whatever. Computers are more complex than forks, obviously, but users shouldn't have to worry about the inner workings of their computers in order to use them to do the work that they *want* to do.

            That being said, I still think that there should be a special circle of hell reserved for those idiots who actually buy things from spammers and who open any attachment they receive. Those people are just being very, very stupid. So maybe we could spread a myth that if you respond to any SPAM or open an attachment that has a virus, your computer will melt. I don't think that most users are impressed by the warnings that say things like, "If you open this attachment, there will be a bad file on your system, it will get sort of slower and might crash." That's pretty much an everyday occurrence for many users anyway.
      • Re:oh yeah? (Score:5, Insightful)

        by blahlemon (638963) on Tuesday August 19, 2003 @10:50AM (#6732682)
        It does not make sense to have Microsoft's firewall activated by default. The thing is buggy as heck and some DSL accounts don't work properly when it is activated. Consider that their OS is NOT engineered for security (an admission they made themselves) and that they have a track record of "swiss cheese" code.

        Additionally I would hate to think that computers would roll out with auto update automatically enforced on home users machines. Quite a few home users wouldn't know if they had turned it off or not for one. Can you trust Microsoft to have tested the patch against software you use? What if you've got a "pay for use" internet account? Do you want to pay for the bandwidth Microsoft uses? HINT: Think service pack. What if a patch goes wrong or the home user mistakes it for a virus and forces a shut down in the middle of a service pack?

        I'm not going to suggest that Microsoft would use this to monitor individuals or covertly take over peoples machines, that's just more FUD. I do think, however, that the last thing Microsoft needs to do to their software is add another automated feature that can be compromised and easily manipulated because it's already built for interaction with external machines over an inherently insecure environment.

        You don't fix a hole in a dam by adding more holes.

        • Re:oh yeah? (Score:5, Interesting)

          by killthiskid (197397) on Tuesday August 19, 2003 @11:01AM (#6732856) Homepage Journal

          Valid points... but we're talking lesser of two evils here. I would much rather see a single user of a computer have problems (due to firewall, updates) than their unpatched machine causing problems for more than one user.

          We can't have it both ways... right now windows is set for ease of use over security... and having auto-updates and a firewall will move them towards the security side of things and away from ease of use... but isn't that what we've been bitching about for years?

          • Re:oh yeah? (Score:3, Insightful)

            by blahlemon (638963)
            How about developing a release of Windows that doesn't have extra ports open by default that the system doesn't need? How about recognizing some of the more common issues and have these default fixed?

            I think that Microsoft should halt development and rollout of its next OSes until it has fixed the base functions. They should start from the beginning, and review the code line by line with a focus for security. Stop adding more and more features until you've fixed the old ones.

            I know, NO OS is 100% secure, no

      • Re:oh yeah? (Score:4, Informative)

        by Virtex (2914) on Tuesday August 19, 2003 @11:34AM (#6733414) Homepage
        So... only for home users and users can shut it off!

        According to the Windows XP EULA, Microsoft has already given themselves the right to install software on users' home machines without their consent or knowledge. And there's no provision for allowing users to "opt out".
  • Not such a bad idea (Score:5, Interesting)

    by JohnGrahamCumming (684871) * <slashdot@@@jgc...org> on Tuesday August 19, 2003 @09:31AM (#6732068) Homepage Journal
    If you RTFA you'd find that Microsoft is only "looking very seriously" at this idea,
    that it would not apply to business users of XP (since they want careful control
    of the patching of their machines), and that it would be possible to opt-out from
    the automatic updates.

    So if you are a business user you don't get automatic updates, if you are a home
    user of XP that is technically savvy you can turn it off, and if you are a home
    user who is not computer savvy then you are going to get automatic updates. This
    latter group seems like the ideal set of people to get automatic protection.

    John.
    • by John Paul Jones (151355) on Tuesday August 19, 2003 @09:33AM (#6732107)
      Automatic protection from running applications that break following a patch? At least a corporate user can call the helpdesk, while a novice home user would have no idea why something stopped working suddenly, and would chalk it up to "Computers are evil". The divide between the tech-aware and tech-unaware grows exponentially.
      • by Randolpho (628485) on Tuesday August 19, 2003 @09:40AM (#6732207) Homepage Journal
        Hmm.... you clearly don't get how Microsoft got to be so huge in the first place, do you? :) Home users actually want stuff like this.
      • by numbski (515011) * <{numbski} {at} {hksilver.net}> on Tuesday August 19, 2003 @09:40AM (#6732208) Homepage Journal
        Okay, now what happens when they decide to enter some draconian language into the EULA that you supposedly agree to by installing these patches....are you now just agreeing to whatever they want by simply using Windows? You now have no choice in this case?
        • So you make the software update so that you agree to a EULA the first time you run it. As long as there are no changes, the patches get installed automatically. Any patch that brings a change to the EULA will not install. It would be downloaded, but a message would pop up saying that there is an update, and make you agree to the new EULA before it is installed.

          At any rate, I think the EULA changes come with things like new versions of the Media Player and the like. Those shouldn't be done automatically any

      • by Henry V .009 (518000) on Tuesday August 19, 2003 @09:40AM (#6732216) Journal
        If they don't know what a patch is, then they're in more danger of a virus attacking their computer anyway. So "the divide between the tech-aware and tech-unaware" shrinks exponentially, as viruses become far less likely. The very rare case of a WU breaking something will have little impact in comparison.
      • by jeffy124 (453342)
        Microsoft would find out about it. Thousands (millions?) of machines would suddenly stop working, making news headlines similar to Blaster. Hence, MS would be forced into doing something, like a patch to rollback an earlier patch. It may also get regular people asking if anything else is out there if it starts happening a lot.
      • by Anonymous Coward
        "The divide between the tech-aware and tech-unaware grows exponentially."
        ...and so do my consulting fees. [insert evil laugh here]
      • by fireduck (197000) on Tuesday August 19, 2003 @09:43AM (#6732267)
        how often do MS patches actually break things?

        I'm a home user. I've applied every critical update MS puts out. I apply practically everything available on the windows update site (even the beta versions of stuff like movie maker). I have never had a piece of software not work after applying an update. I think I'm a fairly typical home user. MS Office, MS Money, a bunch of games, photo editing software, winamp, random shareware. Stuff most people use. and stuff that has never broken on me.

        Software breaking is definitely a problem, but how often does it really happen? I'd imagine that the likelihood of these people getting a virus / worm is greater than the likelihood of an ms patch breaking a piece of software...
        • by Malc (1751) on Tuesday August 19, 2003 @10:19AM (#6732481)
          The last thing that I saw break my system was a patch or update to DirectX. After it installed, my laptop blue-screened on boot. I was unable to fix it. After re-installing the OS (and everything else) at great cost to my time, the patch/update worked the second time.

          Right now we're holding off applying Win2K SP4 to our web servers. It contains a change to the security model that will break some of our ISAPI extensions. The fix is trivial, but we haven't had time to check it out on a test bed, nor deploy it to all our servers (unfortunately we have to do them manually as we don't have anything like SMS deployed).
        • by crazyphilman (609923) on Tuesday August 19, 2003 @10:46AM (#6732645) Journal
          Well, I'm a developer, and I run Windows 2000 professional at home, with IIS and Visual Studio .Net installed. Wanna talk about patches breaking stuff? Here's my list of woes (noting that Linux has never given me this kind of trouble):

          1. If you install the O/S, then patch it, and THEN try to install Visual Studio, the Visual Studio installer crashes. The problem seems to be that if you install Microsoft's updated .Net packages before Visual Studio, Visual Studio can't handle that and it chokes.

          2. If you install the O/S, then Visual Studio, then Norton Internet Security (kind of important on a windows 2000 box, which doesn't have an integrated firewall), then try to update Norton and Windows, WHICH OUGHT TO WORK, Norton will update fine, Windows Update will crash several times, and the end result will be your IIS will stop working, so your Visual Studio won't be able to create VS.Net projects. I think this might be related to a recent patch, because it didn't happen before Service Pack 4 came out.

          3. If you have a recent copy of Roxio's CD burning software, it'll stop working after you update Windows. The app will start up, but it'll crash as soon as you insert a CD-RW into the drive. I've updated the software from the Roxio site, too, hoping that would help (no luck). It's got to be something in one of the windows patches. So, patch windows or burn CDs! You seem to have to choose one or the other. Older, no longer available copies of Roxio seem to keep working, so if you get a Rio Volt MP3 CD player, you can install the older software off of their disk (warning: this might not be true anymore).

          4. Windows patches keep restoring MS Outlook Express! If I kill it off, it keeps coming back like a friggin' vampire. It's the undead, unwanted email app. Actually, the only easy way I've found to kill it is to change the security on the Outlook Express folder so that no one has read-write privileges, then boot from a floppy and clean the thing out. This way, Windows can't keep putting the files back (Grr... Windows puts 'em back THREE SECONDS after you delete them, otherwise!).

          Ugh. I hate Microsoft. And, I'm a programmer who uses that platform! What does THAT tell you? ;)

        • by aliens (90441)
          I applied all critical fixes to a friend's computer. Suddenly his NIC was not recognized. Uninstalling all critical patches didn't bring it back. It works fine on a base install of XP.

          But just imagine, you go to use your computer and boom, no more internet. Now you call your techie friend, he/she asks "What did you install recently?" Nothing that you know of, making both your lives that much more difficult.

        • by Dark Lord Seth (584963) on Tuesday August 19, 2003 @11:07AM (#6732974) Journal
          No Updates Were Installed

          The following items failed to install. To try installing them again, click Review and install updates, and then click Install Now again.

          818529: June 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1
          330994: April 2003, Security Update for Outlook Express 6 SP1
          Security Update for Windows 2000 (823980)
          823559: Security Update for Microsoft Windows
          816093: Security Update Microsoft Virtual Machine (Microsoft VM)
          814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP)
          Security Update, February 13, 2002 (MSXML 3.0)

          I like to think that I'm the only person where Windows Update consistently fails HORRIBLY but that'd be naive. At least I tried to apply every critical update. It somehow fails to download the files required. Good thing I got a decent firewall up and running because even the MS patching system is horribly shit. Ah well, that's the first thing to break down on a fresh (less than a week old) Win 2000 install.

          This also raises another question: How many people were affected by the worm because Windows Update simply fucked up for them? Even if WU would die on updating for even 1% of all users, how many people would it affect then? I only just found another way to manually download the patches to see if that'll work. Oh and this isn't the first time Windows Update fucks up. I've had it crash PCs, screw up installations and I've made it successfully install the same patch 5 times in a row.

          Woot for Windows Update! Adding another weak link in an already fragile chain which is Windows security!

        • Two good examples (Score:5, Interesting)

          by TheConfusedOne (442158) <the,confused,one&gmail,com> on Tuesday August 19, 2003 @11:24AM (#6733260) Journal
          SP 6 broke Lotus Notes servers thus 6a came out.

          Even worse, SP 2 installed over a network failed. Failed badly. It did something horrible to the ntfs.sys file IIRC. This meant that the box would blue screen on boot and be irrecoverable if you had an NTFS partition.
    • by Psiren (6145) on Tuesday August 19, 2003 @09:35AM (#6732135)
      So who is held accountable when the latest patch breaks something and causes loss of data? The user, because they didn't opt out? Seems like a potential shitstorm for Microsoft there. If people are too dumb to patch their system with the existing Window Update, how in the hell are they going to diagnose problems when it's being done without their knowledge?
      • by micromoog (206608) on Tuesday August 19, 2003 @10:54AM (#6732738)
        If people are too dumb to patch their system with the blah blah blah . . .

        Too dumb? How about just not interested? Many people just want their computer to work, the way their car and dishwasher "just work". They couldn't care less about any of the technical details. Resistance from arrogant fucks like you has been holding this back, and Microsoft is finally making a bold move in the right direction.

        • by Xerithane (13482)
          Resistance from arrogant fucks like you has been holding this back, and Microsoft is finally making a bold move in the right direction.


          Thank you for pointing this out. People don't want to know how the computer works, they just want it to work. I want to write an email, push the email button on my keyboard and click send. That's how a car works. 2% of the American population could actually fix anything that goes wrong with their car, why expect it to be different?

          It's because of the computer elitist
        • by Psiren (6145) on Tuesday August 19, 2003 @11:39AM (#6733475)
          Too dumb? How about just not interested? Many people just want their computer to work, the way their car and dishwasher "just work".

          Sorry, I don't agree. I still have to fill my car with diesel, check the oil and water, pressure on the tyres etc. This is all essential end user maintenance. Granted, I don't poke around in the engine when something mechanical goes wrong. The same goes for computers. It's a general purpose machine. It is complicated, and that will always be the case.
          • Indeed (Score:5, Insightful)

            by autechre (121980) on Tuesday August 19, 2003 @12:54PM (#6734550) Homepage
            And as my father, a mechanic, will tell you, most people do not check the oil, coolant, power steering fluid, tire pressure, etc. The more careful ones bring in the car if it makes a funny noise long enough. Many people only think about the car when it won't run anymore. Putting gas in the car is pretty much the only thing "end-users" do reliably, and even that doesn't happen often enough sometimes (did you know that it's better for your car to not allow it to get below 1/4 tank, because then junk on the bottom of the fuel tank gets sucked into the engine?)

            The frightening bit is that my mom, a Physician's Assistant, will tell you the same thing about people and their bodies. She gets in all sorts of cases where people have had horrible things wrong with them and haven't bothered to come in for a week, or the guy who drank 3 40-oz. beers a night, and his main concern was wondering why he had to wake up to go to the bathroom so often.

            (as for dishwashers, most of them require you to at least scrape your plate before you put it in, and my father, having cleared out a dishwasher that pretended you didn't have to do that, will tell you that they ALL require this.)

      • by bourne (539955)

        So who is held accountable when the latest patch breaks something and causes loss of data?

        The same someone who is held accountable when the default OS installation is insecure and the system is compromised by a 2-bit, brain-dead worm.

        That would be... um... hmm... lessee... ah... tumbleweeds blow by in the hot desert wind... nobody, and certainly not Microsoft.

        You can be sure that whatever legalese is in the EULA puts the responsibility squarely on the administrator, where it belongs. If they don't

    • by swordboy (472941) on Tuesday August 19, 2003 @09:40AM (#6732204) Journal
      If you RTFA you'd find that Microsoft is only "looking very seriously" at this idea

      Microsoft are MORONS. The fix for this particular worm required SP2 or greater. That is 8 hours and 10 minutes over dialup.

      Windowsupdate is a godsend for people with broadband but MS are going to be required to send CDs in the mail if they want to keep dial-up users up to speed.
      • by TGK (262438) <Killfile@Nephand u s .Com> on Tuesday August 19, 2003 @09:59AM (#6732385) Homepage Journal
        Where are my mod points when I need them? This is perhaps the single best argument raised in this thread. I'm a broadband user (ah the joys of in-home ethernet) and I'm in the process of putting together a new machine. It's running windows because some of the software my school requires is Windows only.

        Now, I've been downloading updates for the last hour or so now. I understand that the Microsoft site is probably pegged following all the media coverage of the latest worm, but nonetheless, I'm a broadband user and it's still taking me a significant chunk of time to download all these updates.

        Dialup can only be worse. If MSFT wants to keep the users current they've gotta either find some way of updating Windows that's not quite so hard on dial up (mailing CDs sounds good) or they need to find some way to bring the average patch size down. I have a hard time buying into the idea that the problems in the system really require a patch of that size. With a little more creative work you'd think they could find a more efficient way to insert the new code.


      • > Microsoft are MORONS. The fix for this particular worm required SP2 or greater. That is 8 hours and 10 minutes over dialup.

        Think how fun it's going to be when you re-install your media and then get to download three years of cumulative updates.

  • by DiS[EnDeR] (195812) on Tuesday August 19, 2003 @09:31AM (#6732073)
    they want to reboot my computer without informing me?
  • by OMG (669971) on Tuesday August 19, 2003 @09:32AM (#6732078)
    ... how they will get people to activate the TCPA/Palladium features.

    Now we know: MS will do it for you. How kind of them!
  • Bandwidth (Score:5, Insightful)

    by jmays (450770) * on Tuesday August 19, 2003 @09:32AM (#6732079)
    I know broadband usage is on the rise but really ... I use a modem. You know ... the kind that attaches to a phone line? Every time I get online with my low bandwidth solution, I don't want my bandwidth eaten up by patches.

    Granted, by the time this is incorporated into the OS, phone line users may be in the minority but until then ... no thanks.
    • Re:Bandwidth (Score:3, Insightful)

      by Viol8 (599362)
      Agreed. A lot of people forget that not everyone (in fact, still the vast majority of people) connects to the internet via some fancy
      umpteen mb/s broadband connection. It would be nice if occasionally marketing types (and some geeks for that matter) would remember this
      simple fact.
  • imagine... (Score:5, Interesting)

    by borgdows (599861) on Tuesday August 19, 2003 @09:32AM (#6732086)
    if someone breaks into MS WindowsUpdate servers, he could install ANYTHING on millions of computers!

    wow... scary...
  • No thanks (Score:5, Informative)

    by GeckoFood (585211) <geckofood@@@gmail...com> on Tuesday August 19, 2003 @09:32AM (#6732091) Journal
    Some of us are still on dialup, and an automagic update of Windows via 56K modem would literally take HOURS if the connection even holds at all. I don't think I should be forced into high-speed access just so I can update my Windows partition periodically.
    • by erasmus_ (119185)
      So in other words, you don't think the operation system could be smart enough to determine that you're on a dial-up instead of broadband, and schedule updates to be downloaded during off-hours, and only when it's detected that the computer has been idle for several hours? Yours is like the 3rd post to think that it will start downloading exactly when you're in the middle of something important - MS's usability engineers are not that dumb, no matter what Slashdrones say. Anyway, how do you get your updates
      • Re:No thanks (Score:5, Insightful)

        by gl4ss (559668) on Tuesday August 19, 2003 @10:48AM (#6732664) Homepage Journal
        what off hours? there is no such thing in most cases. and the off hours wouldn't be enough time to download the patches anyways in time(speed just isn't fast enough)

        typical users DON'T leave their home computers on when they don't use them btw.

        and need that phone line occasionally for phone calls, i'm sure you've had one, but some people get them like all the time even on their landline.

        most people when they are online with their modem, are in the middle of doing something important(they wouldn't be online unless they were). using the phone line isn't free either in majority of countries, so leaving it to up to the os to decide when to dial up is not an option.

        the bloated drivers and updates are a real problem in today's world when you're trying to keep your relatives' little computers running good enough (nvidia drivers take +30mb, for example). sure it isn't a problem when you have 100mbit jack on the wall but majority of people don't have that.

        • Re:No thanks (Score:3, Insightful)

          by PhoenixFlare (319467)
          what off hours? there is no such thing in most cases. and the off hours wouldn't be enough time to download the patches anyways in time(speed just isn't fast enough)

          Do you not sleep, or what? And of course they're not going to download in one shot, that's what resumable multi-part downloads are for.

          typical users DON'T leave their home computers on when they don't use them btw.

          I feel like a broken record saying this, but you don't speak for everyone. Unless you regularly provide in-home support for a
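The resumable multi-part download PhoenixFlare mentions, and the worry raised earlier in the thread (krisp's spoofed name-server entry, borgdows' compromised update server) that a client which trusts whatever the mirror sends will run anything, come together in the client-side logic below. This is an added example written for this thread, not Microsoft's or Slashdot's code. A local test server stands in for an update mirror on a flaky dial-up line: it honours HTTP Range but hangs up part-way through the first few requests. The client resumes from the bytes it already has instead of starting over, and refuses to install unless the assembled file matches a pinned SHA-256 digest, which is assumed to have been obtained out of band and not from the mirror itself (in a real client this would be a vendor signature check). The package bytes, URL and digest are all constructed.

```python
"""Resumable, integrity-checked update download (added example, not from the
thread). The server is a constructed stand-in for a mirror on a flaky link."""
import hashlib
import hmac
import http.client
import http.server
import threading
import urllib.request

CHUNK = 8192
# Constructed stand-in for an update package (not a real patch). The pinned
# digest stands in for a signature check; assumption: it was obtained out of
# band, never from the same server that serves the bytes.
UPDATE_BYTES = bytes(range(256)) * 200                     # 51,200 bytes
PINNED_SHA256 = hashlib.sha256(UPDATE_BYTES).hexdigest()


def make_flaky_handler(drop_after, drops):
    """Request handler that honours Range but closes the socket after
    `drop_after` bytes on the first `drops` requests (simulated line drop)."""
    state = {"drops_left": drops}

    class Handler(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):          # keep the demo quiet
            pass

        def do_GET(self):
            start = 0
            rng = self.headers.get("Range", "")
            if rng.startswith("bytes="):
                start = int(rng[len("bytes="):].split("-")[0])
            body = UPDATE_BYTES[start:]
            self.send_response(206 if rng else 200)
            if rng:
                self.send_header("Content-Range",
                                 f"bytes {start}-{len(UPDATE_BYTES) - 1}/{len(UPDATE_BYTES)}")
            self.send_header("Content-Length", str(len(body)))   # promises the full body
            self.end_headers()
            if state["drops_left"] > 0:
                state["drops_left"] -= 1
                self.wfile.write(body[:drop_after])   # handler returns: socket closes early
            else:
                self.wfile.write(body)

    return Handler


def download_resumable(url, chunk=CHUNK, max_attempts=8):
    """Fetch `url` with Range requests, resuming from what already arrived.
    Returns (data, attempts); raises ConnectionError when attempts run out."""
    buf = bytearray()
    total = None
    attempts = 0
    while total is None or len(buf) < total:
        if attempts >= max_attempts:
            raise ConnectionError(f"gave up after {attempts} attempts, {len(buf)} bytes")
        attempts += 1
        req = urllib.request.Request(url, headers={"Range": f"bytes={len(buf)}-"})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                if resp.status != 206:
                    # A 200 would restart from byte 0; appending it would corrupt buf.
                    raise RuntimeError("server ignored Range; cannot resume safely")
                total = int(resp.headers["Content-Range"].rsplit("/", 1)[1])
                while True:
                    piece = resp.read(chunk)
                    if not piece:               # EOF: complete, or the line dropped
                        break
                    buf.extend(piece)
        except (http.client.HTTPException, OSError):
            continue                            # transient failure: retry with a new Range
    return bytes(buf), attempts


def verify_update(data, expected_sha256):
    """Constant-time comparison against the pinned digest; on mismatch the
    caller must discard the file rather than install it."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256)


def fetch_update(drops=2, drop_after=12000, expected=PINNED_SHA256, max_attempts=8):
    """Start a flaky mirror on a random local port, download with resume,
    verify. Returns (attempts, n_bytes, verified)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), make_flaky_handler(drop_after, drops))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/update.bin"   # constructed URL
        data, attempts = download_resumable(url, max_attempts=max_attempts)
    finally:
        server.shutdown()
        server.server_close()
    return attempts, len(data), verify_update(data, expected)


if __name__ == "__main__":
    print(fetch_update())   # (3, 51200, True)
```

With the defaults the first two requests die after 12,000 bytes, so three requests are needed and the full 51,200 bytes arrive without re-downloading what was already on disk; the digest then matches. A wrong digest yields False, which is the signal to discard the download, and a server that answers 200 instead of 206 cannot be resumed, so the client refuses rather than silently restarting and appending the wrong bytes.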
  • by dlur (518696) <dlur.iw@net> on Tuesday August 19, 2003 @09:33AM (#6732094) Homepage Journal

    You can do this already with Windows XP if you set it up to do so. In the system properties go to the Automatic Updates tab and then click on the radio button next to the bottom option, "Automatically download the updates, and then install them on the schedule that I specify".

    Of course you'd have to be out of your gourd to do this regarding MS's history of untested patches. Also I noticed that MS is including driver updates in the critical updates as well (nVidia driver). I've NEVER installed a driver from MS on my computer and every time a customer of ours does it, it seems to totally screw up everything.

  • by jridley (9305) on Tuesday August 19, 2003 @09:34AM (#6732112)
    In the past MS has packaged EULA updates along with software updates. I really wouldn't have too much trouble with this as long as they don't try to push EULA changes along with the update.
    Sure, some people might want to turn it off, but by and large I think there would be less damage with it on. I rarely meet a person who even knows what MS Update *is* let alone have used it.

    I wonder how well this would work on dialup though? It seems like the world is really leaving dialup folks behind. I have cable myself but know a lot of people on dialup either because high speed is not available to them or because they really don't need a fulltime connection, and are getting by just fine on a $5/month dialup plan.
    • by ebuck (585470) on Tuesday August 19, 2003 @10:12AM (#6732440)
      Actually, it seems that an automatic patch installer could totally render EULA updates null and void. This could have the unexpected effect of the owner being bound to the original EULA, which may not be available except via original media.

      I can see Microsoft arguing to a court that the use of the software implies that they automatically accept a new EULA with each patch; however, I would be very shocked and dismayed if any court in the US would uphold that you could automatically agree to licensing changes without being at least notified that a change had taken place.

      Microsoft could worm their way around the last part with a pop up window asking you to accept the latest EULA; however, that would be a public relations nightmare, and even though Microsoft is keen to kill off any professional competition, they are not in business to openly defy their users.

      The only way an EULA holds up as legal when not read (if my memory serves me correctly) is that you implicitly agreed to it by opening the box. Automatic EULA updates lack even this token agreement. If the automatic update is turned off by default, you might be seen as "implicitly" agreeing to all future EULAs by turning it on. If it is on by default there's no action to bind you to any sort of agreement.

      Maybe they'll put in a clause, "By agreeing to use this software you agree to all future licensing agreements with respect to this software which will invalidate this agreement", i.e. a viral EULA.

      Of course I'm not a lawyer, but if you believe this is sound legal advice, let me write your will.
  • MSBlaster (Score:5, Insightful)

    by fudgefactor7 (581449) on Tuesday August 19, 2003 @09:34AM (#6732123)
    MSBlaster wasn't an embarrassment for MS, but for the lazy sysadmins who, with a month's prior notice and the patch to fix it, were still hobbled by the bug. If people who are in charge of systems and security spent more time patching and paying ATTENTION to things like Bugtraq and less time complaining about MS the world would be safer.

    How is this bug more of a bummer than how gnuftp was compromised and potentially more damaging? Oh, don't hear people moaning about that on here now do you...?

    The tale is telling, is it not?
    • Re:MSBlaster (Score:5, Insightful)

      by twelveinchbrain (312326) on Tuesday August 19, 2003 @09:48AM (#6732303)
      You mean lazy sysadmins who, after installing the hotfix necessary to protect from MSBlaster, found that their applications stopped working? The ones who had to spend hours examining trace files to determine the exact root cause, and download several more hotfixes, with a cascade of errors, to get everything working again? Those lazy sysadmins?
    • Re:MSBlaster (Score:3, Informative)

      by _|()|\| (159991)
      MSBlaster wasn't an embarrassment for MS, but for the lazy sysadmins who, with a month's prior notice and the patch to fix it, were still hobbled by the bug.

      I'm using critical update notification on Windows 2000. I installed a generic critical update the day before Blaster really took hold. The next day, I had six new critical updates.

      That same day, Windows Update on three Windows XP systems showed no updates. When I ran Windows Update again in the afternoon, there were twenty critical updates.

      If the p

    • I didn't bother to patch my office machine against MSBLASTER, and why should I?

      I've been stripped of most of the permissions to admin my own machine because the internal IT support has been centralized. That means a few people service the rest of us in a way that generally has the good of the company in mind.

      That said, if they take away my permission to do it, and they get caught with their pants down, why do they expect us all to run software locally on our own machines to fix the latest problem X? It'
    • Re:MSBlaster (Score:3, Informative)

      by 4minus0 (325645)
      How is this bug more of a bummer than how gnuftp was compromised and potentially more damaging? Oh, don't hear people moaning about that on here now do you...?

      Do you not read the newspapers?
      When the GNU ftp site was compromised did it affect any DMVs?
      Did the cracking of the GNU server cause disruption at entire school districts?

      In case you missed it, look here [arnnet.com.au]
      or here [clarionledger.com]
      If you follow the first link you'll see that even Cisco's VoIP customers are affected by Blaster, not just Windows users.
      I'd call th
  • by kindbud (90044) on Tuesday August 19, 2003 @09:36AM (#6732146) Homepage
    "I have always been a fierce enemy of the Microsoft update feature, because I just don't like the idea of someone else -- particularly Microsoft -- controlling my system," said Bruce Schneier, co-founder of Counterpane Internet Security Inc. "Now, I think it's great, because it gets the updates out to the non-technically savvy masses, and that's the majority of Internet users. Security is a trade-off, to be sure, but this is one trade-off that's worthwhile."

    And that concludes our evaluation of Counterpane's security consulting services. Have a nice day. Don't let the door hit you on the way out, Bruce.
  • by forsetti (158019) on Tuesday August 19, 2003 @09:37AM (#6732152)
    1) WindowsUpdate needs to become MicrosoftUpdate. This would scan and offer patches for all MS software (OS, Exchange, SQL, IIS, Office, Visual Studio, ....). Also extend SUS to do the same.

    2) Critical Update notification should be done the way OSX does it (with a little configging) -- instead of a tiny little innocuous icon in the system tray, put an obnoxious pop-up in the middle of the screen, with a big "Go Ahead and Install" button, with lots of skull & cross-bone icons.

    3) Create patches using their own packaging structure: MSI. This allows for much simpler deployment and management, via Active Directory. No need to pay for SMS simply for patch deployment.

    4) Supply MUCH MORE documentation to end users, discussing the importance of keeping one's machine patched.

    5) Stop producing such buggy software! =}8v)

    Just my $0.02 ...
  • Bad Idea. (Score:5, Insightful)

    by asdfasdfasdfasdf (211581) on Tuesday August 19, 2003 @09:37AM (#6732157)
    Microsoft is also considering whether to make the Auto Update mandatory earlier, through an interim upgrade known as a service pack.

    This is a huge mistake. Talk about a support nightmare. I recently spent several hours trying to find out why my machine was freezing intermittently, only to find that Update 811493 was to blame. I uninstalled it and everything worked perfectly-- if they make it mandatory, and have a similar problem, what do we do? (Switch to Mac or Linux, right?)

    For the record, there's still no way to tell Microsoft I NEVER want this update. If I use "auto update" at all it downloads it and wants to install. So, now I'm stuck using manual update or my machine might freeze up again.

    Just great.
  • Great (Score:3, Insightful)

    by Henry V .009 (518000) on Tuesday August 19, 2003 @09:37AM (#6732161) Journal
    Most people are in far more danger of their computer being destroyed by a virus than they are of it being damaged by an automatic update.

    If you think this is a bad idea, then you don't realize just how stupid the great mass of computer users are. I'm sure Microsoft will make this in a way that will allow anyone who knows what they are doing to turn this feature off. But it will kill viruses and worms that exploit windows holes, that's for sure. I can't recall one that's come out in years where the patch hadn't already existed, but that users were too stupid to download.

    Besides, I'm sure that recent power outages spooked Microsoft for at least a few moments. They thought: Could this have been a computer problem? Not even Microsoft has that kind of money were it to be found liable.
  • Perspective (Score:5, Funny)

    by mukund (163654) on Tuesday August 19, 2003 @09:38AM (#6732180) Homepage
    if (company_trusts_microsoft_code())
    {
    use_windows_OS();
    allow_auto_updates();
    }
    else
    use_some_other_OS();

    /*
    junk code

    bitch();
    moan();
    flail_arms_wildly();
    */

  • by Ayanami Rei (621112) <rayanami@g[ ]l.com ['mai' in gap]> on Tuesday August 19, 2003 @09:39AM (#6732190) Journal
    Circa Windows 2000, service pack 3.
    By default, this already happens.

    The story here is that Microsoft backed off when privacy groups thought this was a crummy idea (especially with the EULA of SP3 and XP SP1, big-brother visions abound).

    Now they are saying they'd consider giving you more control over this, and to accept security-relevant patches in this manner by default.
    Also, (big item), they'll ship the machines with the firewall enabled. That alone is probably the best idea they've adopted under recent community pressure.
  • by jamienk (62492) on Tuesday August 19, 2003 @09:40AM (#6732213)
    * Check for warez/serialz -- disable them and alert the vendors. Vendors can subscribe to "MS Auto Alert" program.

    * Check for downloaded MP3s (from a database of known MD5s) -- disable them and alert the record distributors. RIAA can subscribe to "MS Locked Tunes" for service.

    * Check for P2P programs -- disable them and alert local gov't authorities. Gov'ts can give big grants to MS for this as part of their "Anti-Terror-and-Pro-Business-Computers" bill.

    * Check for web/ftp/irc servers -- disable them and alert ISP as to uploading violations. ISPs can join the "MSN One-Stream" network.

    * Check for NAT -- disable and notify ISP... part of the push towards "MS-IPv6-PLUS!"

    * Check for competitors' products (DRDOS, Java, Mozilla, OpenOffice, etc) -- disable them and alert user that their software was incompatible with the latest service pack. This one is free for end-users!
  • Good for home users (Score:3, Informative)

    by martingunnarsson (590268) <martin&snarl-up,com> on Tuesday August 19, 2003 @09:42AM (#6732231) Homepage
    I think this is great, most Windows users don't know what Windows update is anyway. Of course it should only distribute critical updates.
    You can already have Windows download and install the most important updates on its own. I have this feature enabled on an internal webserver at work, and it works very well. It downloads the patches as they become available, then it installs them at 3 AM when there's no one visiting the server anyway.
    Corporate users probably don't want a feature like this though, if a fix breaks the most critical business application, it's better to not apply it at all. They would be better off with an internal Windows update server that only hosts the patches that have been OK'd by the tech department. This feature is already available as well.
  • Service Packs (Score:5, Interesting)

    by Ratbert42 (452340) on Tuesday August 19, 2003 @09:42AM (#6732233)
    Anyone remember NT4 Service Pack 6? The first one? The one that broke tcp/ip?
    • by nuser (198161)
      Anyone remember NT4 Service Pack 6? The first one? The one that broke tcp/ip?

      Can you imagine the consequences?

      1.Get auto patched.
      2.No TCP/IP so get disconnected from net.
      3.Reinstall OS
      4.GoTo 1.

      Familiar statistic restated - 90% of the worlds useful computers don't run windows!

  • From the article:

    "What we're finding now is that through a combination of the availability of broadband and customers wanting to stay up to date with security patches, and, most importantly, considering the kinds of threats out there now, that customers want us to keep them up to date automatically -- not just by downloading the patches for them but installing them as well."


    I'm not sure who these customers are that want this...but to me this amounts to saying "our customers are lazy and stupid". Maybe I'm trolling, but...the "kinds of threats" that are out there are caused by microsoft writing vulnerable code in the first place! Sure everyone has bugs, but maybe, just maybe, they'll write a buggy patch too! I don't see how anyone could even be considering this as the default. If these people want microsoft to automatically update their computer...they can turn it on right now!

    I know you hear this a lot here, but people need to either

    a) have a working knowledge of their computer/operating system, including how to maintain it.
    b) have their computer regularly maintained by another live human being.

    This isn't that hard. People have this perception of computers as the same as their television or washing machine in terms of support - don't touch it unless it's obviously unusably broken. They don't work that way, they're much closer to cars. Sure, some people don't maintain their cars either, but those people aren't in the majority.

    I'm rambling at this point, but really this is a disaster waiting to happen. What, are we going to end up testing EULAs in court finally when microsoft breaks ten million computers automagically and then says "well, you clicked the agreement"? I guess that could be agreeable. Please, I know most people here know what they're doing with their computers, but this problem is not just caused by microsoft. Educate everyone you know about the need for computer maintenance! Make them pay you, I don't care, do something. Of course, the stupid IT department here got the worm too, so maybe it's completely hopeless.
  • Trust (Score:3, Insightful)

    by Mr_Silver (213637) on Tuesday August 19, 2003 @09:44AM (#6732272)
    The major problem here is: How many people trust Microsoft not to do "other things" whilst they're installing your patches?

    Sure the tech savvy users like those who frequent slashdot (and we're ignoring the rabid fascist anti-MS zealots here) will not like the idea - but the problem that Microsoft is having is that even the general public are starting to mistrust them.

    A case in point is the abysmal failure of Passport. Sure it has hundreds of users, but nearly all of them were forced into getting it because they wanted a hotmail account. Very few people actually store all their personal details on there.

    Until they get the trust issue sorted, people are never going to knowingly let them take control.

  • Bad, Bad idea (Score:5, Insightful)

    by Harbinjer (260165) on Tuesday August 19, 2003 @09:45AM (#6732280) Journal
    This is a bad idea on soooo many levels

    First of all is their patches. They sure as hell aren't 100%. So one day your favorite program might work, and the next day it might not. All without you doing anything. This is why businesses take a while to evaluate patches.

    Secondly, what if there is an exploitable bug(and there will be at least one). Every windows machine out there might be downloading viruses instead of updates. If someone were to reverse engineer the network interface, and hack a couple DNS servers, they could have all those users downloading whatever they wanted, even illegal things, or viruses, hacks, anything.

    Plus there's the privacy issues. I know that right now windowsupdate could send MS anything anyway, but if we all expect it to update any time it wants, we have no controls at all on our system, MS could send an update to lock you out of your own system if they suspect you of something, or just for the hell of it.

    While I don't expect this to actually go through, it's important to be wary of just how abusive such a system could be.

    P.S. I, for one, welcome our new windowsupdate.microsoft.com masters.
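    The attack in the comment above (poison DNS for the update host, serve your own "patch") only works against a client that trusts a payload because of where it came from. The added example below, which is not part of the thread and not Windows Update's real protocol, shows the naive client beside a hardened one that trusts only what it can verify: every payload must match a digest in a vendor manifest, and the manifest itself must match a root of trust shipped with the OS image. The hostnames, IP addresses, manifest format and file name are constructed, and the pinned manifest digest stands in for a vendor signature verified with a key distributed the same way.

```python
import hashlib
import hmac
import json
from typing import Optional


class UpdateRejected(Exception):
    """Raised when a downloaded manifest or payload fails verification."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed fixture: payloads, manifests, servers ---------------------
PATCH_NAME = "rpc-fix.exe"                        # constructed file name
GENUINE_PATCH = b"constructed: genuine patch bytes"
TROJAN_PATCH = b"constructed: attacker payload"


def make_manifest(files: dict) -> bytes:
    """Vendor side: canonical JSON listing each payload's SHA-256."""
    return json.dumps({"files": files}, sort_keys=True).encode()


GENUINE_MANIFEST = make_manifest({PATCH_NAME: sha256_hex(GENUINE_PATCH)})
FORGED_MANIFEST = make_manifest({PATCH_NAME: sha256_hex(TROJAN_PATCH)})

# Root of trust shipped inside the OS image, so it does not depend on DNS.
# A real client would verify a vendor signature over the manifest with a
# public key distributed the same way; a pinned digest stands in for that.
PINNED_MANIFEST_DIGEST = sha256_hex(GENUINE_MANIFEST)

# What each address serves (all addresses are constructed, RFC 5737 ranges).
VENDOR_ADDR = "203.0.113.10"
SERVERS = {
    VENDOR_ADDR:    {"manifest": GENUINE_MANIFEST, PATCH_NAME: GENUINE_PATCH},
    "198.51.100.7": {"manifest": FORGED_MANIFEST, PATCH_NAME: TROJAN_PATCH},   # attacker forges both
    "198.51.100.8": {"manifest": GENUINE_MANIFEST, PATCH_NAME: TROJAN_PATCH},  # attacker replays real manifest
}


def resolve(hostname: str, poisoned_answer: Optional[str] = None) -> str:
    """Simulated DNS lookup: a poisoned cache hands back the attacker's address."""
    return poisoned_answer or VENDOR_ADDR


def http_get(addr: str, path: str) -> bytes:
    """Simulated unauthenticated HTTP fetch from whichever host DNS named."""
    return SERVERS[addr][path]


def fetch_naive(hostname: str = "windowsupdate.microsoft.com",
                poisoned_answer: Optional[str] = None) -> bytes:
    """Insecure client: trusts the payload because of where it came from."""
    return http_get(resolve(hostname, poisoned_answer), PATCH_NAME)


def fetch_verified(hostname: str = "windowsupdate.microsoft.com",
                   poisoned_answer: Optional[str] = None) -> bytes:
    """Hardened client: trusts the payload only after content verification."""
    addr = resolve(hostname, poisoned_answer)

    # 1. The manifest must match the root of trust baked into the OS.
    manifest_bytes = http_get(addr, "manifest")
    if not hmac.compare_digest(sha256_hex(manifest_bytes), PINNED_MANIFEST_DIGEST):
        raise UpdateRejected("manifest does not match pinned root of trust")
    expected = json.loads(manifest_bytes)["files"]

    # 2. The payload must match the digest the (now trusted) manifest lists.
    payload = http_get(addr, PATCH_NAME)
    if PATCH_NAME not in expected or not hmac.compare_digest(
            sha256_hex(payload), expected[PATCH_NAME]):
        raise UpdateRejected(f"{PATCH_NAME}: digest mismatch, refusing to install")
    return payload


def update_outcome(poisoned_answer: Optional[str] = None) -> str:
    """One-line result of a verified update attempt, for logs and tests."""
    try:
        fetch_verified(poisoned_answer=poisoned_answer)
    except UpdateRejected as exc:
        return "rejected: " + str(exc)
    return "installed"


if __name__ == "__main__":
    naive = fetch_naive(poisoned_answer="198.51.100.7")
    print("naive client, poisoned DNS    :", "runs trojan" if naive == TROJAN_PATCH else "ok")
    print("verified client, honest DNS   :", update_outcome())
    print("verified client, forged both  :", update_outcome("198.51.100.7"))
    print("verified client, real manifest:", update_outcome("198.51.100.8"))
```

    The third server is the interesting one: replaying the genuine manifest gets an attacker past the root-of-trust check, but the per-file digest still catches the swapped payload. That is why the manifest has to bind content, not just file names, and why the client's root of trust must come from the install media rather than from the same network path the attacker controls.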
  • Well, yes. (Score:5, Insightful)

    by autechre (121980) on Tuesday August 19, 2003 @09:48AM (#6732302) Homepage
    From the article:

    "The company is 'looking very seriously' at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them..."

    So yes you can "at least press Ok first." Although I'm sure CmdrTaco has nothing to worry about, since he doesn't run Windows any more, which I suppose is why he didn't read the article.

    Personally, I think that this would probably be a responsible move on their part (and Bruce Schneier apparently agrees with me). I especially like the fact that they're going to start shipping Windows with the firewall enabled. As far as I'm concerned, no one should be worried as long as you can disable automatic updates and disable the firewall (though I think they should make it slightly non-obvious how to do so, so that the people this is intended to benefit won't turn it off). After all, you don't leave Windows exactly as it comes off the CD, do you? Hopefully, you'll also be able to create corporate install CDs with these features disabled if need be.

    There are only two things that concern me:

    1. Broken patches: What if, as has happened in the past, an update breaks the auto-update mechanism? Then they'll be pretty well stuffed. I'm not sure what to say about that other than "don't do that."

    2. Dial-up users: As the article mentions, SP1a is big. Really big. I mean, you might think that the OpenOffice download is big, but that's just peanuts compared to...right. However, that was a combination of many small patches, and just like many other things in life, if people had updated incrementally as they should have, they wouldn't have a need for a giant update. Hopefully, MS will be able to keep the patch size down, and we can watch 2003 to see if they can keep the frequency down as well.

    (Yes, I now have to care about Microsoft products again, which is annoying, but I might as well make the best of it).

  • patch reliability (Score:4, Interesting)

    by jdvernon1976 (242485) on Tuesday August 19, 2003 @09:57AM (#6732374)
    Let's assume for a moment that everyone's fine with Microsoft deciding you need to patch your system. Your home machine downloads the patch and installs it and your machine reboots - you're patched.

    Those of us that work as sysadmins/netadmins/DBAs at various companies know that when Microsoft puts a patch out on Windows Update, it's not necessarily tested out to completion. That's part of why patches take so long to proliferate - dependable administrators test them in-house, instead of depending on MS's testers. Let's face it...if Microsoft's Quality Assurance team were so sharp (or listened to - it can't ALL be their fault), many of the after-the-fact patches wouldn't be necessary.

    Is Microsoft going to take responsibility for auto-installed patches that a) don't work b) make situations worse? Or are they going to take the stance of "The user could've refused our auto-install, but they didn't - they knew the risks."

    We all know how hard it can be to opt-out of spam - how difficult will Microsoft make it to opt-out of auto-installed patches...and for those of us that can't/don't, how sure are we that it won't make things worse?
  • by The Pim (140414) on Tuesday August 19, 2003 @10:08AM (#6732420)
    Microsoft and others aren't going to stop producing buggy software. (Really, the effort would be Herculean.) So when there's a hole that will harm users, and knowing that most users won't voluntarily apply patches, what are they supposed to do? Saying "you should have patched" doesn't help their image, and doesn't help computing in general. When exploits can spread across the net in minutes, it's not even tenable for sophisticated users. Having users apply their own patches is an inherently losing proposition.

    What's likely to happen? Microsoft will screw up a few times, to great embarrassment, then they will by economic necessity learn how to make reliable patches. After all, their only alternative is the greater embarrassment of rampant worms and viruses. The rest of the industry (including free software) will see that it is possible, and be pressured to do the same. It may be rocky for a while, but the end result is that millions of naive users will have reasonably secure systems. This is a huge improvement over today.

  • by Richthofen80 (412488) on Tuesday August 19, 2003 @10:13AM (#6732453) Homepage
    The major problem with software distributions such as windows is that the entire OS thrives on the 'one click' philosophy. One-click update, one-click install, and one click virus infection. People are so used to windows giving them one click 'Ok' windows that they end up clicking Ok and worrying later. 90% of regular office users end up clicking okay to almost anything and installing spyware, viruses, etc.

    Windows needs to 'brand' the update procedure; make it so obvious and un-repeatable by other apps, so that users are not duped.
  • make it the default (Score:3, Interesting)

    by mboedick (543717) on Tuesday August 19, 2003 @10:40AM (#6732598)

    I don't think it's a horrible idea to make automatic silent updates the default. After cleaning up some of my relatives' machines after the Blaster worm, I set them all to automatic updates. Yes, there is a chance that an update might break something, but this chance is far less than the chance of another exploit or worm trashing the system.

    They just don't understand it at all and as the person who gets called when there is a problem, I'll take any proactive measures that I can to make sure things continue running smoothly.

  • by gelfling (6534) on Tuesday August 19, 2003 @10:49AM (#6732680) Homepage Journal
    In fact I want MS to quietly run every aspect of my life unasked. I want multimegabyte SPs unasked. I want new and improved packaging and several dozen applet upgrades unasked. Especially the ones that break something else. I want updates to wipe out competing applications unasked. I want application changes on the fly so that file formats suddenly become incompatible. I want their updates to clash with themselves. And mostly I want to pay for it.
  • by djh101010 (656795) on Tuesday August 19, 2003 @10:52AM (#6732705) Homepage Journal
    Instead of taking the blame for writing yet another security hole (not even a novel one at that), they're pushing it off on the customers who are behind on patches. Yes, people should apply patches for these, but maybe they could be a bit more careful in writing the OS and apps in the first place. The blame here is on MS and the virus/worm writers, not on the customers who are having both inflicted on them.

    Yes, no OS is perfect. But, their attitude here seems to be "you deserve to get hit if you didn't apply the patch-of-the week".
  • by rleyton (14248) on Tuesday August 19, 2003 @10:55AM (#6732751) Homepage
    I can hear it now, a phone call from my Windows/56k modem afflicted parents, "Why's it all so slow?".

    To which the only real reply is "Because Bill knows best Mum. Because Bill knows best". Add to this the fact that they crank up their computer on a six-monthly basis, and would probably stop altogether if each time they did, it rebooted the PC. Not that much different from MSBlast, really.
  • by DanMc (623041) on Tuesday August 19, 2003 @10:56AM (#6732778)
    I'm sure these customers didn't know they had a problem with their PCs. That was the first fact that caused the worm to be a problem. The fact that the computers weren't patched was secondary. Instead of pushing the patches, why not be more aggressive about notifying customers, and giving us better tools to patch and scan? Asking millions of users to pull updates ALL THE TIME, or turn on an automatic pull where there are only 3 configuration options, is a real lack of choice. There are lots of things in between that can be tried.

    If I were a home XP user, and I saw a notification, "Message from Microsoft Security: Due to a problem recently found in WinXP, you are at high risk of being hit with an intrusive virus or worm. Here is a web site with details. Here is a 1-800 number with details. To correct the problem now, press Ok." Supposing MS did give home users this easy-to-use scan, notify, patch utility, the only reason they would not use it is if the EULA were too scary. This is easy to fix. Put a big splash screen with "Absolutely no information is gathered and sent to Microsoft. To see how this tool works, click here. Microsoft will never change this policy without your consent. (Like we did with WindowsUpdate)"

    We shouldn't have to wait long to see an analysis of Blaster, but I am going to guess that the majority of infection vectors came from business or academic Win2000 installations. WinXP systems crashed so much, they weren't efficiently spreading the worm. So corporate tools to fill this middle ground need to be improved. The hard-to-learn-and-use tools like IIS lockdown, hfncheck, etc. need to be seriously overhauled. At work, I would love to have a non-web-based WindowsUpdate SCANNER, and a separate PATCHER. They'd be easy to use with a GUI, but also have command line options so they could be used in scripts. (SUS isn't what I'm talking about, because it is browser based, and the process is still a pull. The only way you can push an important update is to go to each server, or set the servers' auto-pull frequency really high.) I also wonder if MS is afraid that making system maintenance too easy might cut in to their SMS server sales?
  • by Abm0raz (668337) on Tuesday August 19, 2003 @11:02AM (#6732888) Journal
    Windows NT service pack 6

    [RANT]
    Remember this gem? All the people that installed it had inoperable machines. It was so bad that it was recalled *6* hours after being posted. Then a week later came SP6a. I definitely do *NOT* want them pushing crap to my machines. I have no problem getting my own updates. Set up auto-update by default, but let those of us that know what we're doing be able to turn it off. I'm all for (l)users getting crap in general (not necessarily viruses/virii). Maybe that will get them off computers and leave them to the experts.

    How come everyone and their brother is allowed to operate a computer at will, but I need a license to fish?

    [/RANT]

    -Ab
  • Ugh (Score:3, Insightful)

    by ViceClown (39698) * on Tuesday August 19, 2003 @11:10AM (#6733017) Homepage Journal
    This is a terrible idea. My brother is a sys admin and 9 times out of 10 the microsoft update patch breaks some or all of the 3rd party software installed like Backup Exec, anti virus.... you know... the minor things ;-)
  • Yes, But Not MS (Score:3, Interesting)

    by 4of12 (97621) on Tuesday August 19, 2003 @11:12AM (#6733052) Homepage Journal

    I think forced immunization of vulnerable open machines on the network is a good idea, under the right conditions.

    After public notification of the nature of the vulnerability.

    After a patch has been made available and notices posted, sent out.

    After a user or sysadmin keeps their machine unpatched and exposed.

    After a second warning has been posted, sent that forced patching will occur.

    Then, and only then, a worm-delivered patch should be administered.

    But it should not be administered by MS, though they were responsible for the vulnerability.

    MS is a profit oriented business, whose goals include many actions directed towards increasing their own profit in the long and short term, as well as fixing software that users have bought from them.

    No. It should be the role of people responsible for network health, because that is the public good that is impacted. As a public, non-profit entity, they would be free of conflict of interest and financial considerations. If MS were to administer remote administration in this way, they would be opening themselves up to conflicts of interest, particularly because of the monopoly market position they hold.

  • Uptime (Score:5, Interesting)

    by ka9dgx (72702) * on Tuesday August 19, 2003 @11:29AM (#6733332) Homepage Journal
    I remember the last big M$ push when they were saying how great their Uptime was. 99.9999%?

    If I have to reboot my servers every time a major bug hits (3 times/year) for 5 minutes, that's bad enough. (99.9971% availability) If I have to reboot the servers every week, now we're down to 99.95% uptime.

    This, of course, doesn't count downtime or technical support issues caused by workstations missing their server connections, or the patches that didn't happen in time, or any of the various other factors that help kill capitalism, and endanger our National Security.

    --Mike--
