Here is an excellent article on Windows Auto Update that I wish to share to others.
So you decide if auto updating Microsoft is for you.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
To auto-update or not to auto-update
Brian Livingston By Brian Livingston
I published a Woody Leonhard column as the top story last issue while I was traveling, knowing that he's opinionated and always gets strong reactions. Well, he didn't disappoint me.
Reacting to several mistakes Microsoft made in its Automatic Updates downloads in April, Woody railed against Redmond's patching strategy, saying, "Windows auto-update is for chumps."
Woody made some very good points, which Microsoft has done nothing to rebut. There's an important lesson here. I'm going to use this space today to give you the best advice I've been able to pull together.
An April that will live in infamy
For those who don't know the details of what I call Microsoft's April Fool's patches, here's a quick recap, in increasing order of severity:
• An obscure hotfix for XP SP2 machines, patch 900485 from Dec. 2005, was downloaded as a "critical" security patch via Automatic Updates on Apr. 25, two weeks after Redmond's regular Patch Tuesday distribution. Almost no one needed this hotfix, although it seems to have done no harm. It was apparently inserted into the Automatic Updates mechanism by accident, according to some newsgroup comments, although Microsoft still hasn't explained the gaffe.
• Security bulletin MS06-016, released on Apr. 11, made it impossible for some users of Microsoft's free Outlook Express e-mail program to open their Address Books or reply to e-mails. Microsoft acknowledged this on Apr. 26 and published Knowledge Base article 917288. The company describes how to backup, delete, and then import the Address Book to fix OE. But Redmond, six weeks later, hasn't issued a corrected MS06-016 patch to save people from having the problem in the first place.
• MS06-015 , released on the same Patch Tuesday as MS06-016, conflicted with widely used nVidia video drivers, some HP printer/scanner/CD/DVD software, Kerio Personal Firewall, and some other applications, as described in KB 918165. The problem caused Microsoft Office components and some other apps to freeze when accessing files in My Documents or My Pictures, interfered with Windows Explorer and Send To, and prevented Internet Explorer from visiting typed-in Web addresses unless they were prefixed with http. The security bulletin was re-released on Apr. 25 so users could install a version that corrects the problems.
• Windows Genuine Advantage, a Microsoft program that checks Windows installations for valid licenses, was pushed out as a "critical" security update to the U.S., U.K., Australia, and other countries beginning on Apr. 25. It's impossible to use Add/Remove Programs to remove the GA app, which displays warnings (once per hour after 14 days) if the software considers a copy of Windows to be nonlicensed. (Microsoft explains in KB 905474 how to disable the warnings until the next update is installed.)
I consider the surprise Genuine Advantage downloads to be the most severe blunder. Microsoft had previously said the tool would be strictly opt-in, but the midnight installs flooded some companies' help desks with calls from panicked users. No one expects Microsoft to give away its products for free. No responsible company, however, slams its biggest, most legitimate customers with a change of this magnitude with little or no notice other than a press release the day before.
In the face of the missteps described above, Microsoft has said almost nothing by way of explanation. The Redmond company is filled with thousands of talented and well-meaning developers, but they don't drive the corporation's policy in this area. After several inquiries seeking comment, a Microsoft spokeswoman told me: "Unfortunately, we are unable to provide you with an interview at this time due to lack of spokesperson availability."
I've previously said that home users of Windows (as opposed to advanced users) should keep Automatic Updates turned on. That was because Microsoft assured the public that Automatic Updates would only be used to distribute security updates rated as "critical." Microsoft's abuse of its security upgrade mechanism to stealthily install Genuine Advantage, in addition to April's outrageously buggy patches, is inexcusable. It's clear that corporate executives have made a deliberate decision to use Automatic Updates to install software that benefits the company, whether or not it helps users or has any relationship to users' security.
Pros update manually, novices automatically
Because of the April Fool's patches, I want to clarify my recommendations on who should keep Automatic Updates turned on and who should use the Control Panel to turn it off.
• Advanced users (including companies with full-time IT staff) should never use Automatic Updates. Professionals should first test Microsoft patches — and every other company's patches — on isolated machines. Read the free and paid versions of the Windows Secrets Newsletter that are published 2 days after Patch Tuesday with warnings of problems. Then use patch-management techniques to carefully install the needed upgrades to end users.
• Novice users, who can't or won't read up on reported patch problems before updating their machines, should leave Automatic Updates turned on. Beginners have a greater risk of catching a virus than they do of encountering a serious patch incompatibility.
Some advanced users may disagree with my recommendation that novices should leave Automatic Updates turned on. If you're the main tech support for a newbie, I'd say you can disable AU if a PC has the four items in our recommended Security Baseline ( below), which provides good general security. Patches should still be installed manually within a few days of release, after you check news reports for potential conflicts.
Supporting Grandma's PC means auto-update
We received many comments supportive of Woody's distrust of Automatic Updates, which he's been publicly stating for years. We can give you only a overview here of the positive and negative reactions. As a representative of those who dispute Woody's view, reader Dave Nickason writes:
* "It is irresponsible for Woody to argue for people to turn off AU unless he wants to be the one supporting the unpatched machines of all of our parents, grandparents, and siblings. Some novice PC user like my 81-year old Dad will take that advice, never patch again, and I'll be left to reinstall Windows when his system quits working."
I have to agree that Windows amateurs, which probably includes the majority of Windows users, won't update their PCs unless it's done for them automatically. Given the latest round of MS mistakes, people who support relatives' PCs will have to accept that auto-updates may eventually cause some conflict that requires time to unravel. But this will probably be a less serious problem than dealing with an unpatched machine that's caught hard-to-remove viruses.
Microsoft is a business, get used to it
Other readers also made a distinction between novices and power users, while not applauding Microsoft for its behavior. Reader Kevin Gagel writes:
* "I'm writing in response to Woody Leonhard's article about Micro$oft's automatic updates.
"While I agree in principle with Woody's assessment of M$'s trustworthiness, I cannot agree with disabling the auto-update feature.
"I've witnessed first hand the benefit of having it enabled, as well as seeing how it can fail us.
"None the less, I have witnessed far more 'good' (I shudder to think M$ can do good) then bad by updating systems automatically.
"What users out there have the ability to 'test' a patch before applying it? What users out there will 'know' when it is the right time to apply a patch?
"Since M$'s activation of what they call a firewall, I've witnessed a huge reduction of viruses being e-mailed to us.
"Leaving systems vulnerable because of someone's incompetence is not the answer. Woody should know that there is a larger number of technically inept end users then there are technically savvy.
"I think that Woody could have done a better job (and justice to the end users) if he'd presented a better balanced position of pros and cons instead of just espousing his nonconspiracy conspiracy theory.
"M$ is and allways has been a business looking to make a buck. It will do whatever it takes to protect that, including pushing noncritical "critical patches" that verify the system is not running a bootleg copy of Windoze."
In the view of this reader and other readers, Microsoft has spent many years building up a capacity to install software automatically, and it can only be expected that the software giant will use it for business advantage .
Do one thing at work, another at home
A different opinion was provided by those who are required to auto-update by work policies, but disable Automatic Updates on personal machines, to which they're willing to devote more care. A reader who goes by the name Ralphy writes:
* "Unfortunately, some of us don't have the luxury of a corporate environment. I work for a Department of Defense unit and must have our boxes patched within a certain time frame. It is impossible for our office to be able to 'test,' then patch. We have too many boxes stretched over a large area.
"If it weren't for automatic updates, we would be spending a lot more time doing updates rather than other mission-essential items. I do agree that last round was bad, but out of 500 machines only 3 were bothered by the update that you spoke of. Those were the only ones we had to fix.
"Having said all of that, at home, I do the opposite. I wait for 2 weeks before I run the updates manually. I'll let the rest of the world be Microsoft's test bed and see what works and what doesn't.
"However, I still rated it a good article but not for the business world."
This underscores the theme of, "Those who can, patch manually. Those who can't, patch automatically."
Why Security Baseline recommends MS Update
A few readers questioned two lines in our Security Baseline that recommend using Microsoft Update for MS software and whatever auto-update features other vendors' software may have. Reader Russell Atwood writes:
* "In issue 75, I found it humorous to have a long article from Woody Leonhard on the trials and tribulations of Windows Automatic Update (don't let it happen to you), and in the Security Baseline, instruct customers to do exactly what Mr. Leonhard says don't do (turn on Automatic Update).
I understand both sides, but it still makes me smile with the irony of it.
Great newsletter, keep up the good work."
The Security Baseline actually never mentions Windows' Automatic Updates. It says, "Individual users should opt into the new, free Microsoft Update, an improvement over Windows Update." Both Microsoft Update and the older Windows Update allow AU to be enabled, disabled, or set to "notify only," as you please.
To make myself perfectly clear, I'm adding to the Security Baseline a recommendation that advanced users disable AU and study the latest copy of this newsletter before installing any Patch Tuesday upgrades.
Norton Internet Security imposes auto-updates
Norton Internet Security, a software security suite, complains and asserts control over auto-updates if users choose manual updates instead. Reader John Lambert writes:
* "My Norton Security flags me that I have 1 'problem' affecting my system when I take Woody's advice to select a button other than the option to take auto-update. Should I worry about this?"
This is surely a harmless warning, although irritating. A more serious dificulty is that NIS can change Windows' auto-update settings without notifying you. A reader by the name of Scott writes:
* "Turning off Windows' auto-update may not be enough to prevent a nasty update surprise. Those who use Norton Internet Security should be aware that Norton will automatically turn on Windows' Automatic Updates unless you turn off automantic updates in Norton. You will continue to get Windows' Automatic Updates downloaded and installed whether you like it or not.
Turn off automatic updates in Windows and Norton if you want any hope of control over updates."
Again, my advice is that novices should auto-update, which includes auto-updating Norton Internet Security and other security software. Everyone else should learn to read up on patch problems and then install new patches manually within a few days of their release.
The readers named above will receive a gift certificate for a book, CD, or DVD of their choice for sending me comments that I printed. To send more information about auto-updates, or to send a tip on any other subject, visit WindowsSecrets.com/contact.