Microsoft wants Automatic Update for Windows

Edward Dao writes "After the embarassment of last week's blaster worm, Microsoft is weighing the possibility of automatic update. Microsoft not only wants to upload the latest patch on to users' computer but also installing it for them." This will work out really well for everyone I'm sure. Yikes! Can I at least press 'Ok' first?

oh yeah?

[krisp]

Of course, this will be implemented in such a way that implantinga fake RR for windowsupdate.microsoft.com into a local name serverallows Windows to download and run any file with a certian file name. This should make it far eaiser to fool Windows Update into installing Linux.
This will make Linux rollouts a breeze after buying all those Dells.

Imagine the possibilities!

Then again, the Microsoft Tax is cheaper then the SCO tax.

Re:oh yeah?

[killthiskid]

Two things from the article:

...say that it is time to consider making software updates automatic for home users of the Windows operating system.

And...

The company is "looking very seriously" at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them...

So... only for home users and users can shut it off!

So don't freak out too much... maybe this will actually help... think if this had been in effect for slammer... we keep bitching that the 'patch was available, why didn't people use it!'... well, this would fix that problem.

One other thing from the article:

Microsoft also will begin shipping new versions of Windows XP with the built-in firewall activated by default, said Steve Lipner, director of the company's security engineering strategy.

Now that makes sense!

And we kept wondering ...

[OMG]

... how they will get people to activate the TCPA/Palladium features.

Now we know: MS will do it for you. How kind of them!

imagine...

[borgdows]

if someone breaks into MS WindowsUpdate servers, he could install ANYTHING on millions of computers!

wow... scary...

No thanks

[GeckoFood]

Some of us are still on dialup, and an automagic update of Windows via 56K modem would literally take HOURS if the connection even holds at all. I don't think I should be forced into high-speed access just so I can update my Windows partition periodically.

Re:Not such a bad idea

[John+Paul+Jones]

Automatic protection from running applications that break following a patch? At least a corporate user can call the helpdesk, while a novice home user would have no idea why something stopped working suddenly, and would chalk it up to "Computers are evil". The divide between the tech-aware and tech-unaware grows exponentially.

MSBlaster

[fudgefactor7]

MSBlaster wasn't an embarrasment for MS, but for the lazy sysadmins who, with a month's prior notice and the patch to fix it, were still hobbled by the bug. If people who are in charge of systems and security spent more time patching and paying ATTENTION to things like Bugtraq and less time complaining about MS the world would be safer.

How is this bug more of a bummer than how gnuftp was compromised and potentially more damaging? Oh, don't hear people moaning about that on here now do you...?

The tale is telling, is it not?

Re:MSBlaster

[twelveinchbrain]

You mean lazy sysadmins who, after installing the hotfix necessary to protect from MSBlaster, found that their applications stopped working? The ones who had to spend hours examining trace files to determine the exact root cause, and download several more hotfixes, with a cascade of errors, to get everything working again? Those lazy sysadmins?

A few things Microsoft needs to do...

[forsetti]

1) WindowsUpdate needs to become MicrosoftUpdate. This would scan and offer patches for all MS software (OS, Exchange, SQL, IIS, Office, Visual Studio, ....). Also extend SUS to do the same.

2) Critical Update notification should be done the way OSX does it (with a little configging) -- instead of a tiny little innocuos icon in the system tray, put an obnoxious pop-up in the middle of the screen, with a big "Go Ahead and Install" button, with lots of skull & cross-bone icons.

3) Create patches using their own packaging structure: MSI. This allows for much simpler deployment and management, via Active Directory. No need to pay for SMS simply for patch deployment.

4) Supply MUCH MORE documentation to end users, discussing the importance of keeping one's machine patched.

5) Stop producing such buggy software! =}8v)

Just my $0.02 ...

Perspective

[mukund]

if (company_trusts_microsoft_code())
{
use_windows_OS();
allow_auto_updates();
}
else
use_some_other_OS();

/*
junk code

bitch();
moan();
flail_arms_wildly();
*/

Re:Not such a bad idea

[swordboy]

If you RTFA you'd find that Microsoft is only "looking very seriously" at this idea

Microsoft are MORONS. The fix for this particular worm required SP2 or greater. That is 8 hours and 10 minutes over dialup.

Windowsupdate is a god send for people with broadband but MS are going to be required to send CDs in the mail if they want to keep dial-up users up to speed.

Re:Not such a bad idea

[numbski]

Okay, now what happens when they decide to enter some draconian language into the EULA that you supposedly agree to by installing these patches....are you now just agreeing to whatever they want by simply using Windows? You now have no choice in this case?

Re:Not such a bad idea

[Henry+V+.009]

If they don't know what a patch is, then they're in more danger of a virus attacking their computer anyway. So "the divide between the tech-aware and tech-unaware" shrinks exponentially, as viruses become far less likely. The very rare case of a WU breaking something will have little impact in comparison.

Re:Not such a bad idea

[fireduck]

how often do MS patches actually break things?

I'm a home user. I've applied every critical update MS puts out. I apply practically everything available on the windows update site (even the beta versions of stuff like movie maker). I have never had a piece of software not work after applying an update. I think I'm a fairly typical home user. MS Office, MS Money, a bunch of games, photo editing software, winamp, random shareware. Stuff most people use. and stuff that has never broken on me.

Software breaking is definitely a problem, but how often does it really happen? I'd imagine that the liklihood of these people getting a virus / worm is greater than the liklihood of an ms patch breaking a piece of software...

Bad, Bad idea

[Harbinjer]

This is a bad idea on soooo many levels

First of all is their patches. They sure as hell aren't 100%. So one day your favorite program might work, and the next day it might not. All wihtout you doing anything. This is why businesses take a while to evaluate patches.

Secondly, what if there is an exploitable bug(and there will be at least one). Every windows machine out there might be downloading viruses instead of updates. If someone were to reverse engineer the network interface, and hack a couple DNS servers, they could have all those users downloading whatever they wanted, even illegal things, or viruses, hacks, anything.

Plus there's the privacy issues. I konw that right now windowsupdate could send MS anything anyway, but if we all expect it to update any time it wants, we have no controls at all on our system, MS could send an update to lock you out of your own system if they suspect you of something, or just for the hell of it.

While I don't expect this to actually go through, its important to be wary of just how abusive such a system could be.

P.S. I, for one, welcome our new windowsupdate.microsoft.com masters.

Re:Not such a bad idea

[penguinboy]

"People are going to have to accept mandatory updates as part of the warranty process,"

Since when does Microsoft include a warranty on Windows?

Re:This is better than OS X

[jesboat]

Let's start with the windowing environment, since that is the first thing users will notice. While both KDE and GNOME are mature, stable, and accepted as IEEE standards, Apple has elected to use neither. In fact, they don't even use X at all! Their display system is a proprietary, closed-source system called Quartz Extreme. In addition to the moral issues involved with closed software, this precludes the user from running X apps. There is an untested and alpha-quality X11 emulation layer available for download, but it is emulation, so programs will be slow. Does this sound like a standards-based system to you?

Actually, it's quite good. You'll note that it's emulating only the X11 libraries, really even only the X11 server itself. The slowdown of having X apps pass through that layer also occurs on Linux, *BSD, or any other OS. KDE and GNOME may be open standards, but they're not as nice-looking as Aqua, and the WindowServer that runs Apple's windowing system, is, AFAIK, part of Darwin, and thus open.

Looking under the hood, it gets worse. While all other *nixes use standard ELF binaries, Darwin (Apple's name for their proprietary "Unix" kernel) does not. It uses Mach-O, an unproven format that is proprietary to Apple. The moribund FreeBSD, off which OS X is based, uses ELF, so clearly Apple went to the extra effort of "switching" (heh) simply to break compatibility. With ELF, users would be able to run most of their Lunix apps; with Mach-O this is impossible. Additionally, Apple has moved most configuration info fromhuman readable text files into a proprietary database called "NetInfo", which is much like the Windows registry we all loathe. Why? These are only a few of the ways that Apple has deliberately broken compatibility with other systems, presumably in order to lock users in to expensive Mac hardware.

Darwin is not a kernel, Mach is the kernel. You'll note that it's the same micro-kernel that GNU Hurd uses, and if Hurd isn't Unix, what is (nowadays)? Darwin may be based on FreeBSD, but the kernel is Mach, which isn't. Also, you seem to be overlooking that most Linux programs are compiled for Intel processors, not PowerPCs. Thus, they wouldn't run anyways. However, most do compile with little or no modification. Netinfo is never used directly. Requests are handeled by lookupd, which uses Netinfo, but searches flat files (/etc/passwd, /etc/hosts, etc.) first. Netinfo also allows networks that share common printers, hosts, network configuration, users, mounts, etc. to be constructed easily. Unlike the registry, Netinfo is documented, and has manipulation utilities, for both the command line and the GUI. And, it's never gotten fscked up (for me.) Mac hardware may be expensive, but- it's better. Even the Linux people who use Linux on Macs agree it's faster, better, etc. on a Mac. Macs are more durable, featureful, more standard, and "just work" more and don't work less.

When we factor in the threat to users' civil liberties that is posed by the DRM included to support the iTunes Music Store (do you really think it will end there?) it is obvious that real *nix gurus should give OS X a wide berth. Caveat emptor.

Okay, find music for that cheap on Linux (while still supporting the artisit. It's hard. The music industries wouldn't stand for a service without DRM, and you'll note Apple is pretty darn nice. Unlimited CD burns (but no more that 10 for the same playlist), 3 computers, unlimited iPods. Plus, AACs are MPEG-4, which is darn good quality, and darn small file size. I would never use Windoze, and always like Linux. But for me, Mac OS X is a great UNIX, and is all I need it to be.

It would seem youhaven't taken a close enough look at Mac OS X.

Moderators: Mod me down troll all you want, but mod the parent down troll as well.

Re:Not such a bad idea

[TGK]

Where are my mod points when I need them? This is perhaps the single best argument raised in this thread. I'm a broadband user (ah the joys of in-home ethernet) and I'm in the process of puting together a new machine. It's running windows because some of the software my school requires is Windows only.

Now, I've been downloading updates for the last hour or so now. I understand that the Microsoft site is probably pegged following all the media coverage of the latest worm, but nonetheless, I'm a broadband user and it's still taking me a significant chunk of time to download all these updates.

Dialup can only be worse. If MSFT wants to keep the users current they've gotta either find some way of updating Windows that's not quite so hard on dial up (mailing CDs sounds good) or they need to find some way to bring the average patch size down. I have a hard time buying into the idea that the problems in the system really require a patch of that size. With a little more creative work you'd think they could find a more efficient way to insert the new code.

I love home users.

[BoomerSooner]

I have several people who use a web based service from my company that runs on Windows 2000 Server. I check for patches daily and install them as soon as I do a full backup (in case it shits out the whole system).

My users kept calling saying "You have that Blaster Worm on your system because every time I try to connect my computer dies!". So I explain to them my systems have been patched for that exploit for over a month and I have run all the proper testing software to verify. I then ask if they have AntiVirus software installed and their reply is "I don't know.". Lol, I don't know, so it must me my server! I immediately tell them to invest in a copy of Norton Antivirus and Norton Firewall.

Ah, the world of windows.

The funny thing is if these same people were running linux they would be logged in as root and still execute whatever script someone sent them. I'm not too sure Linux would be any more secure than Windows because in windows you can also run as just a User. However, when doing that a significant number of poorly designed programs will not work.

Re:I love home users.

[EvilTwinSkippy]

The funny thing is if these same people were running Linux they would be logged in as root and still execute whatever script someone sent them.

I definitely hear that. In fact Lindows operates in precisely this manner.

I am increasingly convinced that our enemy is not Microsoft, or even SCO. Our enemy is cluelessness. If we could somehow impart the masses with an infantessimal fraction of our sense of the big picture most of our problems would disappear.

When I say "our" I mean all computer professionals. I don't give a rat's ass what kind of Guru you are, Networking, Windows, Linux, BSD, Mac, or PDP-11. We all share a chunk of "the clue". It is our duty to impart "the clue" onto others, without bias, and without favoring any particular implementation.

What is the best way? I don't know. I can only shoot off a few half-baked ideas. My front-running suggestion is take an example from Mythology.

Think about it. How many people do you know who never change their oil, yet decorate for Christmas, throw salt over their shoulder after spilling it, and avoid black cats and ladders? Imagine a computer mythology complete with ritual, dogma, and superstition. The masses already have developed their own misguided rituals, we should just go ahead and publish a book on the proper ones.

Think about how complete a job all of the Greek god did to explain about weather, war, death, and fate. These are REALLY tough concepts even today. And yet, but putting names on them, giving them personalities, and endowing these creations with a sense of power people bought into it.

Of course, you should encourage those who show a natural aptitude to study computers in the conventional hacker sense. More or less the same way wizards always seemed to be operating on a different level than average folk.

Re:M$ worm.

[Frymaster]

I don't want anything installed on my system without my permission too.

well, technically you give permission when

1. you agree to the eula
2. you don't activate the opt-out option

i agree that not knowing what's getting put on your machine is irksome, but this idea has sprung from two problems that everyone here is very aware of:

1. people don't do their patches! blaster is all over the news yet a casual poll of my non-geek friends (the windows ones at least) showed that only one had done the patch!
2. joe avg. user doesn't know what half this stuff is anyway? he can get an "agree?" box but he doesn't know what he's agreeing to anyway. the thinking is that the savvy will go for the opt out.

now, having said that, i hate the idea on principle... but i can understand why redmond thinks it's a good idea. they're taking a beating in the press over security and they've determined that the real problem (rightly or wrongly) is the end user - so now they have a "solution"

Re:Not such a bad idea

[RealErmine]

By default, automatic update is enabled for Windows. Anyone technically savvy immediately turns it off five seconds after installation is complete.

Sounds like you're unreasonably paranoid. I've been using Windows 2000 for three years and whenever I need to reinstall (usually due to hard disk crashes or building a new machine. NEVER because the OS or Microsoft did something stupid) the first thing I do is go get all the updates. Nobody who is "technically savvy" wants to run a version of their OS that is three years old. Why? For reasons of security, stability, and compatibility with new software. Why not have the OS go find them for me?

Stop speaking for me. I consider myself technically savvy due to my degrees in Electrical Engineering and Computer Science as well as my hobby of building PCs for my friends. At first, when a service pack added the auto-update feature to W2K, I had it set to let me verify updates, but then I noticed something: I kept hearing about worms and vulnerabilities in Windows on Slashdot and from my friends a day or two after I saw my PC automatically find the fix from MS. It certainly beats going to windows update myself after the fact. I let auto-update have free reign after that discovery.

The fact is that most people who use Windows do not understand that they need to update their OS in order to keep their computer running. What's the first thing you do if you try installing a piece of software and it doesn't work? Roll back to a earlier backup? I doubt it. If your hardware seems to be working you go and get all the current driver and OS updates because developers usually release their software built on platforms with recent OS and driver versions.

Obviously I think automatic updating could be a good thing, but there could be some problems. Nobody with a modem connection wants their OS to automatically dial in and start downloading 15MB patches. You also may not want your server to start downloading patches at peak traffic hours. I hope that MS leaves the option for user input for these reasons. It also only currently downloads critical updates. Their decisions about what is critical have been reasonable so far.

One good thing that you might not see coming from the auto-update is that now you don't need Internet Explorer to use the windows update site.

Re:Not such a bad idea

[Malc]

The last thing that I saw break my system was a patch or update to DirectX. After it installed, my laptop blue-screened on boot. I was unable to fix. After re-installing the OS (and everything else) at great cost to my time, the patch/update worked the second time.

Right now we're holding off applying Win2K SP4 to our web servers. It contains a change to the security model that will break some of our ISAPI extensions. The fix is trivial, but we haven't had time to check it out on a test bed, nor deploy it to all our servers (unfortunately we have to do them manually as we don't have anything like SMS deployed).

Re:Not such a bad idea

[crazyphilman]

Well, I'm a developer, and I run Windows 2000 professional at home, with IIS and Visual Studio .Net installed. Wanna talk about patches breaking stuff? Here's my list of woes (noting that Linux has never given me this kind of trouble):

1. If you install the O/S, then patch it, and THEN try to install Visual Studio, the Visual Studio installer crashes. The problem seems to be that if you install Microsoft's updated .Net packages before Visual Studio, Visual Studio can't handle that and it chokes.

2. If you install the O/S, then Visual Studio, then Norton Internet Security (kind of important on a windows 2000 box, which doesn't have an integrated firewall), then try to update Norton and Windows, WHICH OUGHT TO WORK, Norton will update fine, Windows Update will crash several times, and the end result will be your IIS will stop working, so your Visual Studio won't be able to create VS.Net projects. I think this might be related to a recent patch, because it didn't happen before Service Pack 4 came out.

3. If you have a recent copy of Roxio's CD burning software, it'll stop working after you update Windows. The app will start up, but it'll crash as soon as you insert a CD-RW into the drive. I've updated the software from the Roxio site, too, hoping that would help (no luck). It's got to be something in one of the windows patches. So, patch windows or burn CDs! You seem to have to choose one or the other. Older, no longer available copies of Roxio seem to keep working, so if you get a Rio Volt MP3 Cd-player, you can install the older software off of their disk (warning: this might not be true anymore).

5. Windows patches keep restoring MS Outlook Express! If I kill it off, it keeps coming back like a friggin' vampire. It's the undead, unwanted email app. Actually, the only easy way I've found to kill it is to change the security on the Outlook Express folder so that no one has read-write priviledges, then boot from a floppy and clean the thing out. This way, Windows can't keep putting the files back (Grr... Windows puts 'em back THREE SECONDS after you delete them, otherwise!).

Ugh. I hate Microsoft. And, I'm a programmer who uses that platform! What does THAT tell you? ;)

Re:Not such a bad idea

[evilandi]

downloads in the background and doesn't seem to be noticable

It'd be pretty damn noticable on my British Telecom phone bill.

Not everywhere has free/inclusive local calls, remember.

Re:M$ worm.

[SmallFurryCreature]

People undertake training and a test to verify that they can drive a car. How many people die on the road each year due to people being incapable of handling their car? So much for testing people.

What I find really odd is that we threat computers so differently from the real world. If a real product is found to have a defect then a recall notice is published in all major newspapers (in europe don't know about rest of world) and you can return the faulty product for either a replacement or your money back.

Granted if software companies had to do it this way they would all have gone bust. Or maybe they would invest in real testing. Real testing is not to see if something works but to see if you can break it. When I hear excuses like people using the product wrong as an explantion for bugs I get pissed off. You are not supposed to bite the nose of a teddy bear and then swallow it. Nonetheless this is exactly what is tested against. A product should be safe to use or clearly labelled to indicate who it shouldn't be used by.

I think it says it all that unlike almost everything we buy in the netherlands, software is not tested by a goverment/indepedent organisation. Everything else is. Clothes, cars, books, movies, toys, furniture, food etc etc. But software and hardware are not.

Think this is a strange notion to test software by a central organisation? This what all the consoles do for their software. Oh and please don't mention MS certification, this are just logos you can buy.

Re:M$ worm.

[E-Rock]

I guess it depends on what you're calling a defect. If someone comes along and pours sugar into your gas tank your car won't keep running right. Is that a recallable defect?
If someone sends a particularly malformed request to a process on your machine it won't run right. Is that a recallable defect?
I'd say no in both cases.