Microsoft Security

Microsoft wants Automatic Update for Windows

Edward Dao writes "After the embarrassment of last week's blaster worm, Microsoft is weighing the possibility of automatic update. Microsoft not only wants to upload the latest patch onto users' computers but also to install it for them." This will work out really well for everyone I'm sure. Yikes! Can I at least press 'Ok' first?

  • No thanks (Score:5, Informative)

    by GeckoFood ( 585211 ) <geckofood@nosPAM.gmail.com> on Tuesday August 19, 2003 @09:32AM (#6732091) Journal
    Some of us are still on dialup, and an automagic update of Windows via 56K modem would literally take HOURS if the connection even holds at all. I don't think I should be forced into high-speed access just so I can update my Windows partition periodically.
  • by dlur ( 518696 ) <dlur@iwCOLA.net minus caffeine> on Tuesday August 19, 2003 @09:33AM (#6732094) Homepage Journal

    You can do this already with Windows XP if you set it up to do so. In the system properties go to the Automatic Updates tab and then click on the radio button next to the bottom option, "Automatically download the updates, and then install them on the schedule that I specify".

    Of course you'd have to be out of your gourd to do this regarding MS's history of untested patches. Also I noticed that MS is including driver updates in the critical updates as well (nVidia driver). I've NEVER installed a driver from MS on my computer and every time a customer of ours does it, it seems to totally screw up everything.

  • Big deal (Score:2, Informative)

    by flicken ( 182650 ) <flicken-slashdot ... t ['ken' in gap]> on Tuesday August 19, 2003 @09:37AM (#6732166) Homepage
    Debian (and other distros) have allowed* you to do this for years.
    # cat /etc/cron.daily/apt-get
    #!/bin/sh

    apt-get --yes --quiet update
    apt-get --yes --quiet upgrade
    Presto! Automatically download and install all system updates.

    * NB: allowed, not required---it's your choice.
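
Added example, not part of the original comment: a variant of the cron job above that simulates the upgrade first and installs only packages coming from the security archive, listing the rest for review. The sample output is constructed, and matching on the `Debian-Security:` origin label is an assumption about how the host's package sources are labelled.

```shell
#!/bin/sh
# Added example: apply security updates unattended, hold everything else.

# Constructed sample of `apt-get --simulate upgrade` output (versions invented).
sample_simulation() {
    cat <<'EOF'
Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  libssl3 openssh-server tzdata vim-common
4 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl3 [3.0.11-1~deb12u1] (3.0.11-1~deb12u2 Debian-Security:12/stable-security [amd64])
Inst openssh-server [1:9.2p1-2] (1:9.2p1-2+deb12u1 Debian-Security:12/stable-security [amd64])
Inst tzdata [2023c-5] (2023c-5+deb12u1 Debian:12.4/stable [all])
Inst vim-common [2:9.0.1378-2] (2:9.0.1378-2+deb12u1 Debian:12.4/stable [all])
Conf libssl3 (3.0.11-1~deb12u2 Debian-Security:12/stable-security [amd64])
EOF
}

# Read simulation output on stdin; print packages whose candidate version
# comes from the security archive (assumed label: "Debian-Security:").
security_updates() {
    awk '$1 == "Inst" && /Debian-Security:/ { print $2 }'
}

# Everything else that would be upgraded: held back for a human to review.
other_updates() {
    awk '$1 == "Inst" && !/Debian-Security:/ { print $2 }'
}

# What the cron job would run on a real host (needs root and network).
run_nightly() {
    apt-get --quiet update || return 1
    sim=$(LC_ALL=C apt-get --simulate upgrade) || return 1
    sec=$(printf '%s\n' "$sim" | security_updates)
    held=$(printf '%s\n' "$sim" | other_updates)
    if [ -n "$held" ]; then
        # Word splitting is intended: one package name per word.
        echo "held for review:" $held
    fi
    if [ -z "$sec" ]; then
        return 0
    fi
    apt-get --yes --quiet install --only-upgrade $sec
}

if [ "${1:-}" = "--apply" ]; then
    run_nightly
else
    # Default: classify the constructed sample, touching nothing.
    echo "security: $(sample_simulation | security_updates | tr '\n' ' ')"
    echo "held:     $(sample_simulation | other_updates | tr '\n' ' ')"
fi
```

Run without arguments it only classifies the embedded sample; `--apply` performs the real update and is what a cron entry would call.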

  • by Ayanami Rei ( 621112 ) <rayanami AT gmail DOT com> on Tuesday August 19, 2003 @09:39AM (#6732190) Journal
    Circa Windows 2000, service pack 3.
    By default, this already happens.

    The story here is that Microsoft backed off when privacy groups thought this was a crummy idea (especially with the EULA of SP3 and XP SP1, big-brother visions abound).

    Now they are saying they'd consider giving you more control over this, and to, by default, accept security-relevant patches in this manner by default.
    Also, (big item), they'll ship the machines with the firewall enabled. That alone is probably the best idea they've adopted under recent community pressure.
  • Good for home users (Score:3, Informative)

    by martingunnarsson ( 590268 ) <martin&snarl-up,com> on Tuesday August 19, 2003 @09:42AM (#6732231) Homepage
    I think this is great, most Windows-users don't know what Windows update is anyway. Of course it should only distribute critical updates.
    You can already have Windows download and install the most important updates on its own. I have this feature enabled on an internal webserver at work, and it works very well. It downloads the patches as they become available, then it installs them at 3 AM when there's no one visiting the server anyway.
    Corporate users probably don't want a feature like this though, if a fix breaks the most critical business application, it's better to not apply it at all. They would be better off with an internal Windows update-server that only hosts the patches that have been OK'd by the tech department. This feature is already available as well.
  • by lambadomy ( 160559 ) <lambadomy&diediedie,com> on Tuesday August 19, 2003 @09:43AM (#6732268)
    From the article:

    "What we're finding now is that through a combination of the availability of broadband and customers wanting to stay up to date with security patches, and, most importantly, considering the kinds of threats out there now, that customers want us to keep them up to date automatically -- not just by downloading the patches for them but installing them as well."


    I'm not sure who these customers are that want this...but to me this amounts to saying "our customers are lazy and stupid". Maybe I'm trolling, but...the "kinds of threats" that are out there are caused by microsoft writing vulnerable code in the first place! Sure everyone has bugs, but maybe, just maybe, they'll write a buggy patch too! I don't see how anyone could even be considering this as the default. If these people want microsoft to automatically update their computer...they can turn it on right now!

    I know you hear this a lot here, but people need to either

    a) have a working knowledge of their computer/operating system, including how to maintain it.
    b) have their computer regularly maintained by another live human being.

    This isn't that hard. People have this perception of computers as the same as their television or washing machine in terms of support - don't touch it unless it's obviously unusably broken. They don't work that way, they're much closer to cars. Sure, some people don't maintain their cars either, but those people aren't in the majority.

    I'm rambling at this point, but really this is a disaster waiting to happen. What, are we going to end up testing EULAS in court finally when microsoft breaks ten million computers automagically and then says "well, you clicked the agreement"? I guess that could be agreeable. Please, I know most people here know what they're doing with their computers, but this problem is not just caused by microsoft. Educate everyone you know about the needs for computer maintenance! Make them pay you, I don't care, do something. Of course, the stupid IT department here got the worm too, so maybe it's completely hopeless.
  • by ibanix ( 79102 ) on Tuesday August 19, 2003 @09:47AM (#6732300)
    ... as the 'Automatic Updates' control in Windows 2000 SP3 and beyond. It is enabled by default in SP3/SP4, and will place an icon in your taskbar when new updates are available. It won't download them until you ask it to do so.

    You can set it completely off, or set it to automagically download and install updates.

  • by Anonymous Coward on Tuesday August 19, 2003 @10:11AM (#6732435)

    http://www.discreet.com/products/gmax/gmax_interim_fix.html

    Well, actually, the entire 3DSMax product line is affected, but this was the best link I could find.

    Our sysadmins were also complaining about having something else broken, but I'm not sure what that was all about.
  • Re:MSBlaster (Score:3, Informative)

    by _|()|\| ( 159991 ) on Tuesday August 19, 2003 @10:22AM (#6732496)
    MSBlaster wasn't an embarrassment for MS, but for the lazy sysadmins who, with a month's prior notice and the patch to fix it, were still hobbled by the bug.

    I'm using critical update notification on Windows 2000. I installed a generic critical update the day before Blaster really took hold. The next day, I had six new critical updates.

    That same day, Windows Update on three Windows XP systems showed no updates. When I ran Windows Update again in the afternoon, there were twenty critical updates.

    If the patch has really been available for months, then Windows Update is severely broken. If it doesn't work when I'm actively using it, why would I want it to be automatic?

    The comparison to the GNU FTP site is specious. On the one hand, a million computers were compromised by a worm; on the other, one FTP server was compromised by an insider.

  • by gl4ss ( 559668 ) on Tuesday August 19, 2003 @10:33AM (#6732563) Homepage Journal
    well, iirc, the 'standard' eula coming now basically allows them to change the rules of it as they see fit without you agreeing to it.

    yeah it seems totally stupid and unenforceable but so are most things in eulas nowadays anyways.

  • Re:MSBlaster (Score:3, Informative)

    by 4minus0 ( 325645 ) on Tuesday August 19, 2003 @10:36AM (#6732575)
    How is this bug more of a bummer than how gnuftp was compromised and potentially more damaging? Oh, don't hear people moaning about that on here now do you...?

    Do you not read the newspapers?
    When the GNU ftp site was compromised did it affect any DMVs?
    Did the cracking of the GNU server cause disruption at entire school districts?

    In case you missed it, look here [arnnet.com.au]
    or here [clarionledger.com]
    If you follow the first link you'll see that even Cisco's VoIP customers are affected by Blaster, not just Windows users.
    I'd call that more of a bummer than the GNU compromise.
  • by PaschalNee ( 451912 ) <pnee@nosPam.toombeola.com> on Tuesday August 19, 2003 @10:42AM (#6732610) Homepage
    A quick Google [google.ie] will provide loads of examples.
    Are you humoured yet?
  • by socrates32 ( 650558 ) <socrates32@NOSpaM.gmail.com> on Tuesday August 19, 2003 @10:42AM (#6732612)
    If the automatically downloaded and installed patch doesn't require (or even allow) user intervention, then the user cannot be held to any "changes" to the EULA that came along with it.

    That's why there's an "I Agree" button in the first place. If you don't know a change happened, you can't have agreed to it. If you don't have the option to disagree, then you haven't agreed to it either.
  • by xanadu-xtroot.com ( 450073 ) <xanadu.inorbit@com> on Tuesday August 19, 2003 @10:45AM (#6732631) Homepage Journal
    You can do this already with Windows XP

    You can do this with any Win* box that's running IE6-SP1 (with the latest updates). This stuff is installed for you (and no, I haven't noticed an option to stop it from doing so - I'm the admin of a 75 or so MS Shop).
  • by sammaffei ( 565627 ) on Tuesday August 19, 2003 @11:01AM (#6732853)
    And, 10.3 Panther will also let you save off the updates. That way, you won't have to re-download them in case you need to rebuild the system (provided that you archive the packages).

    Sure beats the "Winbows XP re-install and download 80 Mb of updates" hamster wheel.
  • by Xformer ( 595973 ) <avalon73@caer[ ]n.us ['leo' in gap]> on Tuesday August 19, 2003 @11:02AM (#6732882)
    How about a more recent development tool? eVC++ 4.0 SP2 has problems talking with emulated CE.NET devices, where earlier versions did not. Transferring files to the emulator is kind of necessary if you want to debug something w/o destroying an actual device. I ran into this just last week.

    And, oh yeah, this is on XP with all relevant updates applied (by relevant, I exclude things like fax and game related patches, which mean nothing on this machine).
  • Re:MSBlaster (Score:3, Informative)

    by fudgefactor7 ( 581449 ) on Tuesday August 19, 2003 @11:03AM (#6732901)
    If your IT person(s) can't do the patching on that few a number of computers in the span of a month then, yes, they're lazy. I deal with that number of systems, in MULTIPLE countries, every time there's a new patch/fix. The IT department that you are referring to either (a) is filled with incompetents, or (b) needs to hire someone who knows what they're doing.

    ...as they don't want to take down a critical production machine.

    Why would you so foolishly have a production machine open to the Internet? Firewall, anyone? If you can't take that normal of a precaution then you should be fired.

    You've never worked in IT, have you?

    Apparently, I've been doing this longer than you.
  • Re:oh yeah? (Score:2, Informative)

    by mAineAc ( 580334 ) <mAineAc_____&hotmail,com> on Tuesday August 19, 2003 @11:15AM (#6733102) Homepage
    'One other thing from the article: Microsoft also will begin shipping new versions of Windows XP with the built-in firewall activated by default, said Steve Lipner, director of the company's security engineering strategy. Now that makes sense!' How does this make sense? Their firewall is crap. It causes problems with dial up connections all the time. I work for an ISP and many times someone calls in with a bad connection and all we have to do is shut off the microsoft firewall and all of a sudden it works. This is set by default when you create a dialer anyway. You have to remove the check to disable it. All this is going to do is give people a false sense of belief in their software. It is only a one way firewall anyway. If they have spyware or spamware it does nothing to stop this from reaching out to get info or give it. There are firewall companies out there. This is just a way for windows to remove market share from another source. Soon, if we continue this way, all coders will work for Microsoft or they will be out of work.
  • Re:oh yeah? (Score:4, Informative)

    by Virtex ( 2914 ) on Tuesday August 19, 2003 @11:34AM (#6733414)
    So... only for home users and users can shut it off!

    According to the Windows XP EULA, Microsoft has already given themselves the right to install software on users' home machines without their consent or knowledge. And there's no provision for allowing users to "opt out".
  • by Notre97 ( 245681 ) on Tuesday August 19, 2003 @11:42AM (#6733509) Homepage
    You must not remember the NT SP6 fiasco. That thing broke complete systems, they had to release SP6a to get anything to work.

    If that had been automatically updated, there would be a lot of people in a world of hurt.
  • by sterno ( 16320 ) on Tuesday August 19, 2003 @11:50AM (#6733651) Homepage
    Even if the automation was forced, the problem is that the majority of internet users still use dial-up. They are at a lower risk for infection, but they are still at risk (trust me, my father-in-law got hit by it). The problem with dial-up users is that they don't want to spend literally hours downloading patches, so they don't patch their system.

    What would be nice is if Microsoft provided a CD subscription for their patches for cheap.
  • Re:M$ worm. (Score:3, Informative)

    by buysse ( 5473 ) on Tuesday August 19, 2003 @11:52AM (#6733675) Homepage
    And, arsehole, what do you think the effect of this policy on free software would be? I'll fucking tell you, there wouldn't be any. If I could be fined for software I released for free, without warranty (because MS also gives no warranty), I'll tell you right now that I wouldn't release it -- and I doubt that many other people would.

    Who do you fine if a hole in Linux caused similar damage? Every person who's contributed to the kernel? Redhat? Registered Debian devs? All of the above?

    The law demands equal protection. You can't just apply a law to one corporation or individual without applying it to all.

    </flame>

  • by Nurgled ( 63197 ) on Tuesday August 19, 2003 @11:56AM (#6733755)

    The problems you had deleting Outlook Express are no doubt caused by Windows File Protection. In order to beat it, simply delete the copies of the files you wish to delete from the directory C:\Windows\System32\dllcache (or similar, depending on where you installed Windows).

    Once the relevant files (such as msimn.exe) are not present in dllcache, you can delete the versions of them in the main program directory. Windows will, at this point, moan that it failed to restore the files and ask for the CD to restore them, but you have the opportunity to decline, and Windows will never bother you about those files again.

    I don't advise that you delete the entire contents of dllcache, though, no matter how elite you think you are. Windows File Protection is good for protecting against apps which overwrite the installed libraries in the Windows directory which can render your Windows 2000 installation unbootable in some cases.

  • by profplump ( 309017 ) <zach-slashjunk@kotlarek.com> on Tuesday August 19, 2003 @11:59AM (#6733820)
    If you haven't had Windows Update break things then you're not technically savvy, at least insofar as you have never supported more than 5 machines. Out of my 350 machines I find that at least every other SP or major patch breaks something. Often it's every major patch. It doesn't always break all the machines, but it almost always breaks something.

    I honestly can't understand why you wouldn't want to understand the patches you're installing. You might even want all of them, but you still ought to understand what they are supposed to do. This is not an opportunity afforded to you by Windows Update, and it certainly wouldn't happen with automagic updates.

    So thank you very much, but I'll keep being "unreasonably paranoid" and get my patches the old fashioned way -- by reading security advisories and deciding which patches I need.
  • by x00101010x ( 631764 ) on Tuesday August 19, 2003 @12:16PM (#6734092) Homepage
    Uhm... last i checked, there's an option to do that already. I think it defaults to download automatically and then an icon in the taskbar lets you know they're ready to install and with 3 clicks you're installing them and getting ready to reboot 3 times. Maybe they're talking about making it default or forced... maybe i should RTFA...
  • by Graff ( 532189 ) on Tuesday August 19, 2003 @12:22PM (#6734163)
    You'll note that it's emulating only the X11 libraries, really even only the X11 server itself.

    Just a note. Apple's X11 server on MacOS X is not an emulator at all. It is a window server application, just like the ones you would have on Linux, Windows, BSD, or whatever. It is still in beta (not alpha as an earlier poster tries to say) but it works pretty much perfectly and is just as quick as other X11 window servers out there. Apple plans on releasing the completed version with MacOS X 10.3, Panther, and it will be a free download.

    Take a look at Apple's X11 site [apple.com] for more information.
  • I work for a post production company, recently was in the final week of a 3-month long project; A full 30sec CG commercial for Clorox. So it's the final days before deadline and I'm working 100+ hr week, the worm is about to hit and I download the latest security patches, all is well...or so I thought. In my half-awake, overworked not quite alert fashion, I agreed to let windows update do its thing, a decision I now regret. It installs the latest patches including the one for RPC, and I continue with my work. I work through the weekend in "3d Studio Max" made by "Discreet", saving my work diligently as I go.

    On Monday the other folks in the office come in and alert me to a minor problem that every time they try to click on one of my .max files in explorer, explorer.exe crashes. Just hovering over the damn thing causes a crash (explorer in detail view, without the web features on). I checked the files myself and they all seem to work fine, but nobody else can open or render them. I check google, I check Discreet's support forums...nothing.

    Then I remember that Windows Update ran over the weekend and 2 patches were installed, the DirectX patch and the RPC patch. Because 3dsmax utilizes directx or opengl for viewport rendering, I started there. Interestingly, there is no easy way to remove that patch, there is no listing for it in add/remove, I found an entry for it in the registry and called MS security dept to help me remove it, they had no fuckin clue. I tried my best and all my .max scene files were still coming up corrupt. So then I switched gears and tried removing MS03-026. BINGO. This little shit had caused every .max scene file I created over the weekend to be totally corrupt. I lost about 36hrs of work at a time where I couldn't spare a minute. Thanks Microsoft and Discreet!

    I posted my story to the discreet support site, a couple days later discreet posted an official response, confirming what i had posted. Some customers were notified via email, many were not. A lot of people got screwed like I did with this bizarre conflict.

    I learned my lesson, don't click on Windows system dialog boxes when you are half asleep and unable to make sound decisions.
  • by delus10n0 ( 524126 ) on Tuesday August 19, 2003 @12:48PM (#6734480)
    GAH!

    Ok, people. You really need to research this.

    XP and 2003's auto updating feature uses the "Background Intelligent Transfer" service. This service will throttle itself to only download using "leftover" bandwidth. If you're not using your internet connection, it chugs along full steam ahead. If you start to use it, it throttles back and gives you priority.

    Read all about it here [microsoft.com] before whining about how slow it will make your dialup.

    Plus there's always the option of downloading the SP/hotfixes elsewhere and burning them on CD. Or just ordering the SP from Microsoft. Sheesh.
  • Re:oh yeah? (Score:3, Informative)

    by q.kontinuum ( 676242 ) on Tuesday August 19, 2003 @12:51PM (#6734515)
    As far as I know it ignores completely IPv6 traffic.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;306203

    With Microsoft Internet Protocol version 6 (IPv6) installed and Internet Connection Firewall (ICF) or Basic Firewall enabled, the firewall filters Internet Protocol version 4 (IPv4) traffic, but the basic firewall and the ICF does not block or filter IPv6 traffic.

    Note ICF is available on Microsoft Windows XP and Microsoft Windows Server 2003, Standard Edition and Windows Server 2003, Enterprise Edition. Basic Firewall is a component of Routing and Remote Access that you can enable for any public interface on a computer running both Routing and Remote Access and a member of the Windows Server 2003 family.

  • by JWhitlock ( 201845 ) <John-Whitlock&ieee,org> on Tuesday August 19, 2003 @12:58PM (#6734610)
    Microsoft are MORONS. The fix for this particular worm required SP2 or greater. That is 8 hours and 10 minutes over dialup.

    Windowsupdate is a godsend for people with broadband but MS are going to be required to send CDs in the mail if they want to keep dial-up users up to speed.

    Windows Update has an Automatic Updates feature that downloads updates in the background. It uses a service called Background Intelligent Transfer Service (BITS) to check for updates and download using idle bandwidth. While you are typing Slashdot comments, the connection is idle, and BITS can use this idle time to download updates. It can download part of it, and restart when you reconnect. So, unless your ISP charges you by the bit, you wouldn't notice it. Sure, it will take a while to get the update (weeks?), but you'll eventually get it.

    Dial-up users aren't the weak link in the chain anyway - broadband users with insecure computers are, and are the reason these worms spread so rapidly.

    There is an API for BITS [microsoft.com] if you are interested in making a self-updating application for Windows:

  • by delus10n0 ( 524126 ) on Tuesday August 19, 2003 @02:20PM (#6735508)
    Here [microsoft.com]'s a better link for more information about BITS.
  • by Slightly Askew ( 638918 ) on Tuesday August 19, 2003 @02:49PM (#6735852) Journal
    I think one problem is the assumption that just because a SP is released, it will work perfectly in every situation without any other updates. This is silly. There is no way to test an OS update with every single piece of third-party software under the sun.

    2. If you install the O/S, then Visual Studio, then Norton Internet Security (kind of important on a windows 2000 box, which doesn't have an integrated firewall), then try to update Norton and Windows, WHICH OUGHT TO WORK, Norton will update fine, Windows Update will crash several times, and the end result will be your IIS will stop working, so your Visual Studio won't be able to create VS.Net projects. I think this might be related to a recent patch, because it didn't happen before Service Pack 4 came out.

    Under known issues with SP4, I found this [microsoft.com], which, I believe, addresses your Norton problem in item 2.

    3. If you have a recent copy of Roxio's CD burning software, it'll stop working after you update Windows. The app will start up, but it'll crash as soon as you insert a CD-RW into the drive. I've updated the software from the Roxio site, too, hoping that would help (no luck). It's got to be something in one of the windows patches. So, patch windows or burn CDs! You seem to have to choose one or the other. Older, no longer available copies of Roxio seem to keep working, so if you get a Rio Volt MP3 Cd-player, you can install the older software off of their disk (warning: this might not be true anymore).

    What CD burner do you have? I have found a reference to Sony burners failing with SP4 unless you install a fix from Roxio here [roxio.com], which may cover #3.

    5. Windows patches keep restoring MS Outlook Express! If I kill it off, it keeps coming back like a friggin' vampire. It's the undead, unwanted email app. Actually, the only easy way I've found to kill it is to change the security on the Outlook Express folder so that no one has read-write privileges, then boot from a floppy and clean the thing out. This way, Windows can't keep putting the files back (Grr... Windows puts 'em back THREE SECONDS after you delete them, otherwise!).

    I have already addressed #4(or 5 :-)) when I discussed WFP.

    1. If you install the O/S, then patch it, and THEN try to install Visual Studio, the Visual Studio installer crashes. The problem seems to be that if you install Microsoft's updated .Net packages before Visual Studio, Visual Studio can't handle that and it chokes.

    That leaves #1 which, I too, had this problem with. However, all I did was go to add/remove programs, uninstalled the .NET framework that windowsupdate installed, then restarted VS.NET installation. Worked fine after that, and I just skipped the .NET framework recommendation on the windowsupdate site (it was not a "critical" update, anyway).

    The point being that as awesome as the resources and support are for Linux and other open source OSes, there is a multitude of free support for Windows as well. I don't infer that this relates to a lack of knowledge or ability, but perhaps a lack of effort to resolve the problem?

  • by MoogMan ( 442253 ) on Tuesday August 19, 2003 @03:41PM (#6736393)
    What a *retarded* idea. Windows XP has automatic updates turned on by default, so there isn't much difference.

    Ok, I can see the logic in making Windows Update fully transparent (and for the majority of users, this would be a good idea).

    Regardless, for users like me running on a 56k connection, downloading a couple of meg worth of useless patches, this is *not* an option. My firewall is a better preventative measure than patches upon patches, so I'd rather not bother.

    And if the "functionality" is put in anyway? Well, there will be cracks - hey, my firewall will probably block it anyways ;)

    Of course, it's all the more reason to convert to linux.
