Microsoft 'Stealth Update' Proving Problematic

DaMan writes "According to the site WindowsSecrets, the stealth Update that Microsoft released back in August isn't quite as harmless as the company claims. The site's research has shown that when users try to do a repair to XP subsequent to the update, bad things happen. 'After using the repair option from an XP CD-ROM, Windows Update now downloads and installs the new 7.0.600.381 executable files. Some WU executables aren't registered with the operating system, preventing Windows Update from working as intended. This, in turn, prevents Microsoft's 80 latest patches from installing -- even if the patches successfully downloaded to the PC.' ZDNet's Hardware 2.0 has independently confirmed that this update adversely affects repaired XP installations: 'This issue highlights why it is vitally important that Microsoft doesn't release undocumented updates on the sly. Even the best tested update can have unpleasant side-effects, but if patches are documented properly and released in such a way that users (especially IT professionals) know they exist, it offers a necessary starting point for troubleshooting.'"

The problem with MicroSoft

[phoenixwade]

This is the reason I support and use Linux. It started as a hobby, something to do with old equipment. But, now it's because of disclosure. I know what is being installed, and can choose when to update, what to update, and, If I've the time and inclination, I can take the update apart, see what it's doing, and even modify part of it.

Microsoft doesn't allow me this, and continues to fail to predict the negative consequences resulting from these choices. Apple at least gives me the option of installing an update, even though they have a bad record on the full disclosure thing too.

Why did no antivirus s/w pick this up?

[jkrise]

A dozen system files have been updated as part of this undocumented stealth update... and yet not a single antivirus software reported this. Why?

How do these antivirus programs know for sure that these updates were 'harmless' and 'normal behaviour'.

In light of this revelation, I think corporates must now take action against these antivirus firms for not preventing this breach. Let's see what Microsoft has to say to this 'harmless' update that allows users to 'know and be informed of further updates'. A Media Defender style expose' of internal communications on this issue would be very interesting indeed.

The real problem is ...

[vtcodger]

***Duh. Undocumented updates cause problems.***

Whereas documented updates are magically OK?

OK, OK, that's not really what you meant, and it's not your point

=====

If you ask me, the real problem is updates. Let's say that one update in 50 is significantly defective -- which is, IMHO, quite optimistic. Let us further guess that 50% of the defective updates introduce new unexpected problems rather than failing to (fully) fix the existing problem -- they do test these things. At least I hope they do. What is likely to get past testing is errors in areas that no one thought would be affected. Lets assume that there are 10 updates a week on average, and that the average time from first report to fix is four weeks.

If you just uncritically load updates, you'll download new grief every 10 weeks or so and take four weeks to get it fixed. that means that five times a year, you'll unwittingly install a significant new problem and that about 40% of the time you'll be living with one or more of these things.

IMO, the best strategy -- at least for larger operations -- is to evaluate each and every patch, and to load only those which seem absolutely necessary. Even that is not going to work all the time.

As for updates that you aren't asked about... A truly bad idea. Hopefully Microsoft and other operations that believe in automatic updates will learn their lesson from this relatively modest (we hope) fiasco and will never ever do THAT again. Memo to organizations that do that. If your QA -- who are overworked, underpaid, and probably need a vacation -- screws up at the wrong time and you put an important business sector offline for days or weeks, you are looking at a major league class action suit. Don't expect the shrinkwrap EULA to protect you.