Microsoft Forces Desktop Search On Windows Update
An anonymous reader writes "The Register is reporting that the blogosphere is alight with accusations of Microsoft forcing Windows Desktop Search on networks via the 'automatic install' feature of Windows Update — even if they had configured their systems not to use the program. Once installed, the search program began diligently indexing C drives and entire networks slowed to a crawl."
No Conspiracy Theories (Score:2, Interesting)
Maybe common sense will prevail now? (Score:1, Interesting)
Re:What's worse... (Score:4, Interesting)
Re:No Conspiracy Theories (Score:3, Interesting)
When you install an application (say, a smiley face cursor or a security update) and that installation installs a different application without your consent (say, a spam mailer or a desktop search), isn't that called a trojan?
What's next, rootkits [mcgrew.info]? Oh wait, this is Microsoft, they wrote the OS. You're already rooted.
-mcgrew
Re:Addition to TFA (Score:5, Interesting)
Conspiracy theory: MS is doing this to cause older or marginal boxes to become less responsive/snappy so as to further nudge the owners towards getting a new machine... and hence Vista.
Similarly as Beagle.... (Score:3, Interesting)
The only time I kind of liked such programs (and the only program I liked) was when I used Copernic Pro agent, which indexed PDFs and CHM books (I have a *huge* 30GB PDF/CHM library), but you could indicate (graphically, not via some obscure config file editing) which folders you wanted to check. Of course, Beagle does not index CHM.
Re:Similarly as Beagle.... (Score:3, Interesting)
I agree, I see no point in apps like Beagle.
Re:Similarly as Beagle.... (Score:4, Interesting)
No matter how well-organized your file system is, and even if you know the exact path to a file already, Spotlight is still faster for accessing it. To open Photoshop Elements, I just type "ph", and it's running. I know exactly where Photoshop is installed and I don't need to "search" for it, but typing four keystrokes to get it running is faster than any other means of accessing it (at least for stuff that I don't use frequently enough to keep on my Dock).
Same deal with bookmarks -- I can get to Wikipedia, even if my browser isn't running, just by typing "wik". It's not always about searching in the literal sense; sometimes it's just a super-convenient shortcut to a known location.
(Disclaimer: This opinion is based on Spotlight in Leopard. On Tiger, I broke down and installed Quicksilver.)
Re:What's worse... (Score:2, Interesting)
Re:WTF? (Score:5, Interesting)
I manage the WSUS at my company. No updates are EVER to be passed through without my direct approval, even new revisions of previously approved updates. We've had far too many updates go through and break things to allow any kind of auto approval. So, imagine my surprise when I sit down to a cup of coffee and my morning log review, and the first thing I see when I log in is the Windows Update icon telling me to install Windows Desktop Search - something I never approved.
It went straight through, completely ignoring all of our security policies in the process. I was a little irritated at the Windows Update self-update passing through but I let that one slide since it was a MUCH needed bugfix and MS got a suitable backlash from it (silly me, thinking it was a one-time thing). Now we have the same behavior again months later. This is not acceptable. Luckily I'm in a bit earlier than most people so I was able to recall it with a few ninja edits to our group policy, and a company wide email apologizing for allowing it to be published, and warning people to avoid installing it if it somehow still got through to their systems.
I made a few changes. Our WSUS servers now no longer have internet access and are not scheduled to download. I must manually turn on their internet access in our firewall and activate the pull interactively. That way I will see the updates as they arrive, and not have to put up with this stealth update bullshit in the future. I clearly cannot trust them to just sit there and acquire updates on their own any longer.
I'm now developing a security policy for our corporate security software that will forcibly kill any applications on a blacklist I am creating. I will be adding Google Desktop, Windows Desktop Search, Plaxo, AIM, and any other programs I find that have a habit of sending data back home to outside companies. I'll happily find people alternatives that don't phone home - it's not the apps that bother me, it's the potential for leakage of our corporate data to third parties. I don't particularly care if the feature can be turned off, since I'm not the one installing it. If a program has potential to phone home, it's banned.
Re:No Conspiracy Theories (Score:5, Interesting)
Re:What's worse... (Score:2, Interesting)
The valid complaint, the only valid complaint, is that it does hog up the disk (though not the network) while indexing, and it indexes more than it needs to by default.
I can confirm this. (Score:2, Interesting)
WTF? Did you really say... (Score:2, Interesting)
Did you really say...
I think they mean that their WSUS downloaded and installed it without any prior notice, which is the way any MS shop should have it set up.
Wrong, wrong, WRONG, wrong, wrooooOOONNNNGGG!
We review every patch and update that comes in. Any sysadmin who blindly accepts and pushes deserves what they get.
But, don't blame that on MS.
Re:Enough with the stealth auto-"updates" dammit! (Score:4, Interesting)
when I first started using windows, I never used windows update. I was suspicious of it and I'd rather just manage my own security even though I would lose out on bugfixes. over time, I grew to 'accept' that MS was trustable in their updates and I started using them. I would approve each one and check to make sure nothing was getting installed that didn't seem useful or needed. but I was 'into' the MS update thing each month and updated my PCs.
over the last year or two (give or take) I lost this trust. it also seems to be about the time that vista came into the scene. I don't run vista and I don't think I ever will, but if I was losing trust in MS's ability to force ONLY essential updates on me. it seems that if I can't even trust xp's update, why would I want to take things to the next level of non-control and give the full 'admin' switch to MS and just be at their update-stream mercy? it's my understanding that vista boxes HAVE to be continually (not continuously, but mostly online) in order for them to stay (cough) 'current'. in all that that implies..
if you are a vista user, you MUST accept and trust the update stream. but I can't even trust it as an xp admin or user; how does MS expect me to give them full control over my box by installing and using vista?
I stopped taking the updates from the net and instead use the heise security thing (the offline update cdrom method). I have a frozen image from when I think there were only 'good' things in that update and I guess that's pretty much the last of the updates I'm going to install (ever) on my xp boxes.
the bond of trust is broken and so I could never accept installing or running vista. I can't examine or really approve/disapprove each update in vista and so ALL my control is essentially gone. no thanks.. really, no thanks!
Re:Article Incorrect (Score:3, Interesting)
Our WSUS server (version 2.0, version 3 upgrade planned for Q1-2008) has Automatic detection only turned on for critical and security updates. All other auto approval options including revisions to updates have been turned off since early 2006. All 2.6.x versions of desktop search were declined when they were released in April 2006 and January 2007 since we do not want this software for various performance, privacy and security reasons. (our systems hold public and private records) We only approve updates on the second Friday of each month, so they can be deployed over the weekend and we catch patch Tuesday.
Yet despite these precautions, "Windows Desktop Search 3.0.1 for Windows XP (KB917013)" was downloaded with approval set to Install for all computers after the synchronization on 10/23/2007 at 3:03am. When I logged into my computer in the morning, I got the "Updates are ready..." message and thought "that's kinda weird....." then I drank some coffee and said "oh crap."
We are not the only ones seeing this behavior. Check the newsgroup microsoft.public.windows.server.update_services . No mention has been made on the MS WSUS team blog yet.
MS really shouldn't be using the auto-install trump card on an add-on like this. They should really be saving it for an update that prevents the spread of an exploit, worm, or virus that is quickly spreading. Anyone else remember Melissa?
To MS - dealing with this unwanted installation is costing us time and money - this tends to piss off the Finance guys who will then cut our budgets as being wasteful and then we'll have less to spend on the software you've locked our organization into...guess where that will go...
Allan W.
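One way to check a WSUS server for the kind of approval described in the comment above, added here as an example; it is not part of the original post and not Microsoft's code. It applies that comment's stated policy (approvals only on the second Friday of the month, Windows Desktop Search declined); the function names, the `CORP\wsusadmin` account and the placeholder approver in the sample are assumptions.

```powershell
# Added example. Policy values and account names below are assumptions.
function Test-SecondFriday([datetime]$Date) {
    # The second Friday of a month always falls on day 8 through 14.
    $Date.DayOfWeek -eq [DayOfWeek]::Friday -and $Date.Day -ge 8 -and $Date.Day -le 14
}

function Find-UnexpectedApproval {
    param(
        [Parameter(Mandatory)] [object[]]$Approvals,   # Title, Action, AdministratorName, CreationDate
        [string[]]$AllowedAdmins = @('CORP\wsusadmin'),          # hypothetical approver account
        [string[]]$BlockedTitles = @('Windows Desktop Search*')  # products the site has declined
    )
    foreach ($a in $Approvals) {
        if ($a.Action -ne 'Install') { continue }
        $reasons = @()
        if ($AllowedAdmins -notcontains $a.AdministratorName) { $reasons += 'approver not on allow-list' }
        if (-not (Test-SecondFriday $a.CreationDate)) { $reasons += 'outside approval window' }
        foreach ($p in $BlockedTitles) { if ($a.Title -like $p) { $reasons += 'declined product'; break } }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Title = $a.Title; Approver = $a.AdministratorName
                               Created = $a.CreationDate; Reasons = $reasons -join '; ' }
        }
    }
}

function Get-WsusApprovalRecord {
    # Live collection through the WSUS administration API; run on the WSUS server itself.
    # Approval times are used exactly as the API reports them.
    [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    foreach ($u in $wsus.GetUpdates()) {
        foreach ($ap in $u.GetUpdateApprovals()) {
            [pscustomobject]@{ Title = $u.Title; Action = "$($ap.Action)"
                               AdministratorName = $ap.AdministratorName; CreationDate = $ap.CreationDate }
        }
    }
}

# Constructed sample records: the first mirrors the title and time quoted in the comment;
# the approver names and the second record are made up for the demonstration.
$sample = @(
    [pscustomobject]@{ Title = 'Windows Desktop Search 3.0.1 for Windows XP (KB917013)'; Action = 'Install'
                       AdministratorName = 'PLACEHOLDER\unknown'; CreationDate = [datetime]'2007-10-23 03:03' }
    [pscustomobject]@{ Title = 'Constructed Security Update (KB0000000)'; Action = 'Install'
                       AdministratorName = 'CORP\wsusadmin'; CreationDate = [datetime]'2007-10-12 18:00' }
)
Find-UnexpectedApproval -Approvals $sample | Format-List
```

To audit a live server, pass the output of `Get-WsusApprovalRecord` to `Find-UnexpectedApproval` in place of `$sample`.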
Re:What's worse... (Score:2, Interesting)
Third parties have an exponentially more difficult uphill battle" might be more accurate;
True, but any product competing against an existing popular product has an uphill battle. It's the way the market works.
and it's also enough for US anti-trust laws to apply.
Check your facts: US antitrust laws apply to using market force to enter into other markets with an unfair advantage. Name me *one* popular OS that doesn't include the ability to watch vids and listen to music, much less browse the net and *gasp* Search.
These are de facto "parts" of the OS now, and have been for quite some time.
Re:No Conspiracy Theories (Score:2, Interesting)
IMO .Net obsoleted Java at .Net 1.1. Java can be used, but from then on .Net had more features, better performance, and "language independence" is a winner. Java is useful, and there is probably a 5 year window where people coming through a CS degree, learned OOP on Java (before it switched back to C++/C#, at least that is what happened at my school, and a few others I know of), so there is a lot of developers out there more comfortable with Java. So if it suits the project's needs, go for it. However, I love being able to code in the language that the solution comes into my head, if VB then VB.net, if Cish then C# or managed C++. While Eclipse is nice, it is still behind VS as an IDE, I know it is kind of a non-technical reasoning, but VS looks better, and VS feels more "integrated" to me. Add to it a large range of 3rd party vendors that supply plugins to VS (I use Component Softwares CVS/RCS plugin for example, it seamlessly plugs into Windows as a whole, VS recognizes it as does office and Win explorer), and I'm able to integrate my whole dev env not just the editor/designer into one app.
Re:Who's being "forced" to do anything?! (Score:3, Interesting)
All I have to say is that it's not happened yet, and that I believe the risk of h4x0r-types screwing up my system is less than Microsoft screwing up my system.
And, to date, I've spent more time cleaning up after Microsoft updates than dealing with intrusions. In the worst case, I blow away the partition and reload everything from backups. No biggie.
Re:What's worse... (Score:5, Interesting)
There is only ONE popular OS. Windows. That's the problem... All other OSes have less than 10% of the market, so they're niche players at best.
It might be ~8 years old... (Score:2, Interesting)
Re:Who's being "forced" to do anything?! (Score:2, Interesting)
Microsoft lapdogs (Score:3, Interesting)
Yes, IT is forced the Microsoft way. There used to be several powerful producers of programming languages. Most notably Borland. Borland shot itself in the foot by neglecting Delphi and Microsoft took the small remainder of that market. Now almost all of the windows software houses use Microsoft products. They are Microsoft Certified, member of MSDN use almost exclusively MS visual Studio either for the old C++ or more often now the
Gradually the IT world has been super glued to the Microsoft way. Financial incentives are offered for those companies that have their software Microsoft Certified and on it goes. As a result software houses I work for have been changed from independent IT company to an exclusive Microsoft House and don't you dare to question the technology because most developers like the juicy bones thrown at them by Microsoft at regular intervals.
And of course as a result software users can not do anything else but go along with it. Your average software package today will require you already have MSI 3 windows installer,
Re:What's worse... (Score:3, Interesting)
I kinda love this line. Almost all windows help files are compressed html (chm files). The help system in windows uses the internet explorer window control to view this. Take out IE, the help system doesn't work. Does this qualify as breaking the system if you remove it? I would think so. Also, a few programs incorporate this IE control to provide text services for their program. Microstation, for example, uses this for text style and font control for cad drawings. Without IE installed, you can't use this program for text. Now whether this was intentional or not, it is what it is.
Microsoft can go ahead and write a PROPER HELP FILE VIEWER!!! It can be a mini-browser that handles cfm's and basically anything else, but customized for help files. The code can be the same IE code that exists, but reworked a bit to fit in a little help file app (i.e. tear out lots of extra functionality).
Hey, wow! The above description is starting to sound like Apple help file system. It consists of a specialized browser that displays html help files. Wow... to think that they made an extensive html-based help system without using their bundled browser (Safari) is just amazing! I can't believe it's possible!
That's okay; just continue drinking the Microsoft juice and please stop commenting while your Reality Distortion Field is active.
Re:WTF? (Score:5, Interesting)
Other than this strange auto-approval, we've had no problems whatsoever with WSUS 3.0. It's been great actually. The improved reporting and granularity is a welcome addition that we have yet to truly take advantage of. WDS3 was successfully retracted from the approved list after I revoked it, and I've backed out the GPO changes without any trouble. It's no longer showing up on the clients. Also, BDD2007 and our repository of published software (both in a DFS root) resides on the same WSUS server. I've also grafted Linux PXE and Solaris Jumpstart into RIS/BDD2007 so it's something of a custom build. I don't really think those apps should be interacting with WSUS3 in any way though. Totally different services and disk partitions. There are some user home directories there as well.
As to some of the other posters, I don't know that WDS phones home, yet. I haven't taken the time to do a thorough analysis, but I tend to err on the side of paranoia (after all, security is part of my job). I get very suspicious of any programs collecting data about a computer or user activities in the name of making the user experience better. I also don't see the use of an indexing system that kills the performance of one's operating system. I don't trust MS as far as I can shot-put the planet either.
Our GPO already disables all file indexing, NTFS short filename creation, system restore, unnecessary services like UPnP and messenger, and sets sane, non-annoying defaults for apps like MSN messenger, the language toolbar, media center, etc. It even restores the XP search to the better, more basic 2000 version (it's amazing what you can do with a
And yes, my users have local admin on their desktops. Windows isn't really designed to operate any other way (and I don't have a Fortune 500 budget to fix it like some others do). Our solution to the constant risk of IE was to recommend people use firefox whenever possible (with noscript, adblock, etc) and to get IE, firefox, and other internet-touching apps to run under an unprivileged, local user account that was created to share the exact same desktop/docs/favorites etc as the real user. We also took some time to educate them on safe surfing habits.
What worries me is the trend lately for, say, apps like Sun's Java to ask (default is yes) to install apps like Google Desktop during their normal upgrade cycle. Frankly most users have better things on their minds than wondering if the apps they are clicking upgrade for are about to trojan their boxes with 3rd party bundled software. That's why I'm eyeing an app-killing security policy for the more egregious offenders.