Microsoft wants Automatic Update for Windows

Edward Dao writes "After the embarassment of last week's blaster worm, Microsoft is weighing the possibility of automatic update. Microsoft not only wants to upload the latest patch on to users' computer but also installing it for them." This will work out really well for everyone I'm sure. Yikes! Can I at least press 'Ok' first?

Not such a bad idea

[JohnGrahamCumming]

If you RTFA you'd find that Microsoft is only "looking very seriously" at this idea,
that it would not apply to business users of XP (since they want careful control
of the patching of their machines), and that it would be possible to opt-out from
the automatic updates.

So if you are a business user you don't get automatic updates, if you are a home
user of XP that is technically savvy you can turn it off, and if you are a home
user who is not computer savvy then you are going to get automatic updates. This
latter group seems like the ideal set of people to get automatic protection.

John.

Re:Not such a bad idea

[fireduck]

how often do MS patches actually break things?

I'm a home user. I've applied every critical update MS puts out. I apply practically everything available on the windows update site (even the beta versions of stuff like movie maker). I have never had a piece of software not work after applying an update. I think I'm a fairly typical home user. MS Office, MS Money, a bunch of games, photo editing software, winamp, random shareware. Stuff most people use. and stuff that has never broken on me.

Software breaking is definitely a problem, but how often does it really happen? I'd imagine that the liklihood of these people getting a virus / worm is greater than the liklihood of an ms patch breaking a piece of software...

Re:Not such a bad idea

[crazyphilman]

Well, I'm a developer, and I run Windows 2000 professional at home, with IIS and Visual Studio .Net installed. Wanna talk about patches breaking stuff? Here's my list of woes (noting that Linux has never given me this kind of trouble):

1. If you install the O/S, then patch it, and THEN try to install Visual Studio, the Visual Studio installer crashes. The problem seems to be that if you install Microsoft's updated .Net packages before Visual Studio, Visual Studio can't handle that and it chokes.

2. If you install the O/S, then Visual Studio, then Norton Internet Security (kind of important on a windows 2000 box, which doesn't have an integrated firewall), then try to update Norton and Windows, WHICH OUGHT TO WORK, Norton will update fine, Windows Update will crash several times, and the end result will be your IIS will stop working, so your Visual Studio won't be able to create VS.Net projects. I think this might be related to a recent patch, because it didn't happen before Service Pack 4 came out.

3. If you have a recent copy of Roxio's CD burning software, it'll stop working after you update Windows. The app will start up, but it'll crash as soon as you insert a CD-RW into the drive. I've updated the software from the Roxio site, too, hoping that would help (no luck). It's got to be something in one of the windows patches. So, patch windows or burn CDs! You seem to have to choose one or the other. Older, no longer available copies of Roxio seem to keep working, so if you get a Rio Volt MP3 Cd-player, you can install the older software off of their disk (warning: this might not be true anymore).

5. Windows patches keep restoring MS Outlook Express! If I kill it off, it keeps coming back like a friggin' vampire. It's the undead, unwanted email app. Actually, the only easy way I've found to kill it is to change the security on the Outlook Express folder so that no one has read-write priviledges, then boot from a floppy and clean the thing out. This way, Windows can't keep putting the files back (Grr... Windows puts 'em back THREE SECONDS after you delete them, otherwise!).

Ugh. I hate Microsoft. And, I'm a programmer who uses that platform! What does THAT tell you? ;)

Re:Not such a bad idea

[Dark+Lord+Seth]

No Updates Were Installed

The following items failed to install. To try installing them again, click Review and install updates, and then click Install Now again.

818529: June 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1
330994: April 2003, Security Update for Outlook Express 6 SP1
Security Update for Windows 2000 (823980)
823559: Security Update for Microsoft Windows
816093: Security Update Microsoft Virtual Machine (Microsoft VM)
814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP)
Security Update, February 13, 2002 (MSXML 3.0)

I like to think that I'm the only person where Windows Update consistently fails HORRIBLY but that'd be naive. At least I tried to apply every critical update. It somehow fails to download the files required. Good thing I got a decent firewall up and running because even the MS patching system is horribly shit. Ah well, that's the first thing to break down on a fresh (less then a week old) Win 2000 install.

This also raises another question: How many people were affected by the worm because Windows Update simply fucked up for them? Even if WU would die on updating for even 1% of all users, how many people would it affect then? I only just found another way to manually download the patches to see if that'll work. Oh and this isn't the first time Windows Update fucks up. I've had it crash PCs, screw up installations and I've made it succesfully install the same patch 5 times in a row.

Woot for Windows Update! Adding another weak link in an already fragile chain which is Windows security!

Re:Not such a bad idea

[Psiren]

Too dumb? How about just not interested? Many people just want their computer to work, the way their car and dishwasher "just work".

Sorry, I don't agree. I still have to fill my car with diesel, check the oil and water, pressure on the tyres etc. This is all essential end user maintenance. Granted, I don't poke around in the engine when something mechanical goes wrong. The same goes for computers. It's a general purpose machine. It is complicated, and that will always be the case.

imagine...

[borgdows]

if someone breaks into MS WindowsUpdate servers, he could install ANYTHING on millions of computers!

wow... scary...

A few things Microsoft needs to do...

[forsetti]

1) WindowsUpdate needs to become MicrosoftUpdate. This would scan and offer patches for all MS software (OS, Exchange, SQL, IIS, Office, Visual Studio, ....). Also extend SUS to do the same.

2) Critical Update notification should be done the way OSX does it (with a little configging) -- instead of a tiny little innocuos icon in the system tray, put an obnoxious pop-up in the middle of the screen, with a big "Go Ahead and Install" button, with lots of skull & cross-bone icons.

3) Create patches using their own packaging structure: MSI. This allows for much simpler deployment and management, via Active Directory. No need to pay for SMS simply for patch deployment.

4) Supply MUCH MORE documentation to end users, discussing the importance of keeping one's machine patched.

5) Stop producing such buggy software! =}8v)

Just my $0.02 ...

Service Packs

[Ratbert42]

Anyone remember NT4 Service Pack 6? The first one? The one that broke tcp/ip?

patch reliability

[jdvernon1976]

Let's assume for a moment that everyone's fine with Microsoft deciding you need to patch your system. Your home machine downloads the patch and installs it and your machine reboots - you're patched.

Those of us that work as sysadmins/netadmins/DBAs at various companies know that when Microsoft puts a patch out on Windows Update, it's not necessarily tested out to completion. That's part of why patches take so long to proliferate - dependable administrators test them in-house, instead of depending on MS's testers. Let's face it...if Microsofts Quality Assurance team were so sharp (or listened to - it can't ALL be their fault), many of the after-the-fact patches wouldn't be necessary.

Is Microsoft going to take responsibility for auto-installed patches that a) don't work b) make situations worse? Or are they going to take the stance of "The user could've refused our auto-install, but they didn't - they knew the risks."

We all know how hard it can be to opt-out of spam - how difficult will Microsoft make it to opt-out of auto-installed patches...and for those of us that can't/don't, how sure are we that it won't make things worse?

I love home users.

[BoomerSooner]

I have several people who use a web based service from my company that runs on Windows 2000 Server. I check for patches daily and install them as soon as I do a full backup (in case it shits out the whole system).

My users kept calling saying "You have that Blaster Worm on your system because every time I try to connect my computer dies!". So I explain to them my systems have been patched for that exploit for over a month and I have run all the proper testing software to verify. I then ask if they have AntiVirus software installed and their reply is "I don't know.". Lol, I don't know, so it must me my server! I immediately tell them to invest in a copy of Norton Antivirus and Norton Firewall.

Ah, the world of windows.

The funny thing is if these same people were running linux they would be logged in as root and still execute whatever script someone sent them. I'm not too sure Linux would be any more secure than Windows because in windows you can also run as just a User. However, when doing that a significant number of poorly designed programs will not work.

Re:I love home users.

[EvilTwinSkippy]

The funny thing is if these same people were running Linux they would be logged in as root and still execute whatever script someone sent them.

I definitely hear that. In fact Lindows operates in precisely this manner.

I am increasingly convinced that our enemy is not Microsoft, or even SCO. Our enemy is cluelessness. If we could somehow impart the masses with an infantessimal fraction of our sense of the big picture most of our problems would disappear.

When I say "our" I mean all computer professionals. I don't give a rat's ass what kind of Guru you are, Networking, Windows, Linux, BSD, Mac, or PDP-11. We all share a chunk of "the clue". It is our duty to impart "the clue" onto others, without bias, and without favoring any particular implementation.

What is the best way? I don't know. I can only shoot off a few half-baked ideas. My front-running suggestion is take an example from Mythology.

Think about it. How many people do you know who never change their oil, yet decorate for Christmas, throw salt over their shoulder after spilling it, and avoid black cats and ladders? Imagine a computer mythology complete with ritual, dogma, and superstition. The masses already have developed their own misguided rituals, we should just go ahead and publish a book on the proper ones.

Think about how complete a job all of the Greek god did to explain about weather, war, death, and fate. These are REALLY tough concepts even today. And yet, but putting names on them, giving them personalities, and endowing these creations with a sense of power people bought into it.

Of course, you should encourage those who show a natural aptitude to study computers in the conventional hacker sense. More or less the same way wizards always seemed to be operating on a different level than average folk.

Re:I love home users.

[greenhide]

I am increasingly convinced that our enemy is not Microsoft, or even SCO. Our enemy is cluelessness. If we could somehow impart the masses with an infantessimal fraction of our sense of the big picture most of our problems would disappear.

No, actually our enemy is the script kiddies and virus software writers whose goal is to shut down the whole system.

Whether they do it for fun or ...Profit?!?, what they're doing is morally wrong, invasive, etc.

And yet, it seems many here at Slashdot place all the blame on the users, and never on the virus writers. Heck, we've even deified some of these people and bitch and moan when virus writers are caught and put into jail.

This is like blaming people for leaving their doors unlocked, rather than blaming the thieves who are actually doing the stealing.

Obviously, it is our responsibility as slightly-more-savvy-than-average computer users to secure our own computers, and to encourage others to do the same.

But the truth is, computers should be easy. If I use a fork, I shouldn't have to worry about tine alignment or upgrade its metallacity or whatever. Computers are more complex than forks, obviously, but users shouldn't have to worry about the inner workings of their computers in order to use them to do they work that they *want* to do.

That being said, I still think that there should be a special circle of hell reserved for those idiots who actually buy things from spammers and who open any attachment they receive. Those people are just being very, very stupid. So maybe we could spread a myth that if you respond to any SPAM or open an attachment that has a virus, your computer will melt. I don't think that most users are impressed by the warnings that say things like, "If you open this attachment, there will be a bad file on your system, it will get sort of slower and might crash." That's pretty much an everday occurrence for many users anyway.

Re:M$ worm.

[Frymaster]

I don't want anything installed on my system without my permission too.

well, technically you give permission when

1. you agree to the eula
2. you don't activate the opt-out option

i agree that not knowing what's getting put on your machine is irksome, but this idea has sprung from two problems that everyone here is very aware of:

1. people don't do their patches! blaster is all over the news yet a casual poll of my non-geek friends (the windows ones at least) showed that only one had done the patch!
2. joe avg. user doesn't know what half this stuff is anyway? he can get an "agree?" box but he doesn't know what he's agreeing to anyway. the thinking is that the savvy will go for the opt out.

now, having said that, i hate the idea on principle... but i can understand why redmond thinks it's a good idea. they're taking a beating in the press over security and they've determined that the real problem (rightly or wrongly) is the end user - so now they have a "solution"

Re:oh yeah?

[killthiskid]

Valid points... but we're talking lesser of two evils here. I would much rather see a single user of a computer have problems (due to firewall, updates) than their unpatched machine causing problems for more than one user.

We can't have it both ways... right now windows is set for ease of use over security... and having auto-updates and a firewall will move them towards the security side of things and away from ease of use... but isn't that what we've been bitching about for years?

Re:M$ worm.

[SmallFurryCreature]

People undertake training and a test to verify that they can drive a car. How many people die on the road each year due to people being incapable of handling their car? So much for testing people.

What I find really odd is that we threat computers so differently from the real world. If a real product is found to have a defect then a recall notice is published in all major newspapers (in europe don't know about rest of world) and you can return the faulty product for either a replacement or your money back.

Granted if software companies had to do it this way they would all have gone bust. Or maybe they would invest in real testing. Real testing is not to see if something works but to see if you can break it. When I hear excuses like people using the product wrong as an explantion for bugs I get pissed off. You are not supposed to bite the nose of a teddy bear and then swallow it. Nonetheless this is exactly what is tested against. A product should be safe to use or clearly labelled to indicate who it shouldn't be used by.

I think it says it all that unlike almost everything we buy in the netherlands, software is not tested by a goverment/indepedent organisation. Everything else is. Clothes, cars, books, movies, toys, furniture, food etc etc. But software and hardware are not.

Think this is a strange notion to test software by a central organisation? This what all the consoles do for their software. Oh and please don't mention MS certification, this are just logos you can buy.

Two good examples

[TheConfusedOne]

SP 6 broke Lotus Notes servers thus 6a came out.

Even worse, SP 2 installed over a network failed. Failed badly. It did something horrible to the ntfs.sys file IIRC. This meant that the box would blue screen on boot and be irrecoverable if you had an NTFS partition.

Uptime

[ka9dgx]

I remember the last big M$ push when they were saying how great their Uptime was. 99.9999%?

If I have to reboot my servers every time a major bug hits (3 times/year) for 5 minutes, that's bad enough. (99.9971% availability) If I have to reboot the servers every week, now we're down to 99.95% uptime.

This, of course, doesn't count downtime or technical support issues caused by workstations missing their server connections, or the patches that didn't happen in time, or any of the various other factors that help kill capitalism, and endanger our National Security.

--Mike--