Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Friday, March 06, 2009

Automatic Updates and New Computers FAIL

Windows Automatic Updates
Have you heard me rant about Automatic updates before? 
Over the years I've been somewhat critical of auto update programs including Microsoft's own Windows Update mechanism. I've always told people to wait 5-10 days before installing a new update so the rest of the world can test it and report any problems.

Of course, there have been exceptions. Occasionally Microsoft has released security patches for vulnerabilities that we knew were being actively exploited on the web. In those situations, I've recommended you be the first on your block to download a security patch, typically available on Tuesday morning.

This week I had the privilege to spend some time with the folks at Microsoft responsible for automatic updates and security patches. While I've been asked not to share the exact process and procedures for creating Windows updates, I can tell you I have more confidence in Microsoft than I used to.

In most cases, I will still wait 5-10 days before installing a Windows Update, but I will be preaching to the world not to let the update be forgotten. Again, I'm not at liberty to share specific numbers, but I can tell you there are too many people who aren't doing updates at all. The more machines out there without up-to-date security patches, the more dangerous it is for the rest of us.

My new recommendation is to set your Automatic Update settings to "Download updates for me, but let me choose when to install them". Ideally, I would like this to say “Download updates for me, and make sure I don’t forget to install them”.  Your settings can be changed in the Security Center applet in the control panel.

New recommendation for updates

There are far too many un-patched Windows machines in the world and their problem could be our problem. They’re ripe to fall under the control of the bad guys and be used to launch attacks or fill our inboxes with spam. Tell your grandmother, tell your boss, tell your dry cleaner: run the Windows updater and make sure their machine is safe. No amount of anti-virus programs in the world can take the place of a completely patched Windows operating system.

Austin We Still Have a Problem
Unfortunately, there’s still one major problem that annoys the heck out of me. When you buy a new computer, it may include the latest service pack, but it probably won’t have all the available security patches installed. That means the moment you connect to the internet, it’s ready to be attacked.

Computer OEMs need to be more responsible and they need to ship machines with all the available updates! This goes beyond a well patched Windows OS. If they’re shipping with Adobe Acrobat or Apple QuickTime, those had better not have been put on the disk image a month ago. They need to be the most currently available, patched version or they’re selling you a time bomb. If you’re buying a new computer, don’t be afraid to ask the sales rep what third-party software is installed and, especially, what version it is.

Things to consider before you buy…

What version of Internet Explorer is installed?
Does it come with Apple Quicktime?  RealPlayer?
Adobe Acrobat?  Flash?  Which versions?
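The same questions can be answered on the machine itself once it is unboxed. The script below is an added example, not part of the original post: a read-only PowerShell audit that reports the Automatic Updates setting, the updates Windows Update still lists as missing, and the installed versions of the products named above. It assumes PowerShell and the Windows Update Agent COM objects are present on the machine.

```powershell
# Added example: read-only audit of a new Windows PC. Changes nothing on the machine.

# Automatic Updates notification level as exposed by the Windows Update Agent COM API.
$levels = @{
    0 = 'Not configured'
    1 = 'Automatic Updates turned off'
    2 = 'Notify me but do not download'
    3 = 'Download updates for me, but let me choose when to install them'
    4 = 'Automatic (download and install on a schedule)'
}
$au    = New-Object -ComObject Microsoft.Update.AutoUpdate
$level = [int]$au.Settings.NotificationLevel
"Automatic Updates: $($levels[$level])"
if ($level -lt 3) { 'WARNING: updates are not being downloaded automatically.' }

# Updates that Windows Update still considers missing (needs network access).
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $missing  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
    "Missing Windows updates: $($missing.Count)"
    $missing | ForEach-Object { "  - $($_.Title)" }
} catch {
    "Could not query Windows Update: $($_.Exception.Message)"
}

# Third-party software named in the post: print each installed version so it can be
# compared by hand against the vendor's current release.
$patterns = 'QuickTime', 'RealPlayer', 'Adobe (Reader|Acrobat)', 'Flash Player'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $n = $_.DisplayName; $n -and ($patterns | Where-Object { $n -match $_ }) } |
    Sort-Object DisplayName |
    ForEach-Object { '{0,-45} {1}' -f $_.DisplayName, $_.DisplayVersion }

# Internet Explorer records its version under its own key; IE 10 and later keep the
# real version in svcVersion, so prefer that value when it exists.
$ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
"Internet Explorer: $ieVersion"
```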

My audience here at isn’t that big so spread the word. Until customers start asking these questions, nobody at Dell, HP, Sony, Lenovo, etc. will take on the responsibility for their actions. Expect future rants from me on this topic.






Blogger Unknown said...

Great Idea for updates reminders! This subject matter brings to mind a Windows annoyance.

I am a keyboard jockey and typically do most of my work without touching the mouse.

The windows security center has little pop-up messages from time to time, and you HAVE to use the mouse to close them.

If you get the chance, please tell someone there to CHANGE THIS.

8:04 AM  
Anonymous Anonymous said...


Open Security Center > Change the way Security Center alerts me > Select the option you want.

1:13 AM  
Blogger Charles Pearmain said...

I agree both about the default setting for Automatic Updates and the horrific state in which machines from the large manufacturers (HP, Fujitsu Siemens, Sony and Lenovo raise your hands) are shipped.

I run a small UK IT business and, unless a client requests otherwise, we always configure new machines with all updates, an antivirus package and a passworded user account before delivering them. It can take over an hour for an XP system to update itself and Vista is even worse! Heaven protect those poor individuals in rural areas stuck with a dialup connection (and yes, they still exist!)

9:04 AM  
Blogger Unknown said...

HappyAndyK -THANKS!

I never saw that in there. Hopefully that will solve that annoyance.

Now I'll go on a search for a way to disable the HP advisory.

2:40 PM  
Anonymous Anonymous said...

A few years ago I had a pc shop re-install XP for me. They did that OK but didn't install SP2 or subsequent updates. They were on ADSL, I was on dial-up. Took four days solid.

I agree with you about setting Automatic Update settings to "Download updates for me, but let me choose when to install them" but I advise newbies to set it to Automatic, I reckon it's worth the risk of an occasional MS glitch.

New pc's with outdated (insecure) software is a problem, but even when you download a program off the net it's best to check for the latest updates if it's security software where updates are issued regularly.

And how many people buy a pc and never realise they even need to update Adobe Reader, Flash Player, QuickTime, Java, etc? I spread the word about Secunia PSI, seems pretty reliable and makes things a lot easier:

8:25 PM  
Blogger PatsComputerServices said...

One of the problems is places like BestBuy and WalMart. Yes, HP and Dell could put the latest updates available to them on before they box the computer, but it may sit on the shelf for six months to a year before someone buys it.

Either it falls on the store that sells the computer (or the manufacturer who sells it directly), or it falls on a computer shop to be there to set the computer up for the new owner.

Have a great day:)

7:04 PM  
Blogger Unknown said...

I personally set all my XP clients up to automatically update, otherwise it's unlikely to get done. Vista initially was a pain; it automatically rebooted without warning, not sure if it's still the same. It's easier to tell clients over the phone how to uninstall a dodgy update than to get rid of a virus or trojan.

I am well aware how easy it is to get infected if you only have a dialup 56K or USB ADSL modem. I think you need to make it clear that it's much safer to put a computer online with an Ethernet connection to a router/firewall/modem to carry out updates.

If you've got an old Pentium PC doing nothing, you can even use dialups through a firewall using Smoothwall. Don't know about dropping the line though, never had to use it. I even used a router for my old ISDN connection way back.

I'm moving apartment in a couple of weeks and going on to Shaw in Vancouver. I'll be plugging straight into their modem (Ethernet) initially, so the WAN IP will possibly be on my notebook. I might not have a router for a short while until my brother drops one off. But I do have Comodo Firewall Pro installed on a Vista notebook. Oh, and I'm logged in as a User as well.

1:05 AM  
Anonymous Anonymous said...

Just this last week I installed 5 updates for XP from the automatic updates. They were set to ask before downloading and installing. After installing the updates, I could no longer get onto sites using Java. Uninstalling the updates solved the problem again. Point being that no matter what MS is doing, they still aren't catching all the problems.

Now I wouldn't tell anyone not to install updates as I keep my machines all up to date religiously. But I would say to install updates at your own risk, and be prepared to remove them if necessary.

7:32 AM  
Blogger Honestbroker9 said...

I turned my auto update for Windows XP off when SP3 came out and there were so many problems with AMD dual-core processors like mine and an ASUS M2N-SLI motherboard. I have never heard of a good workaround or that SP3 has been fixed so I can use it. So here I am with my Windows Auto Updater permanently turned off.

Ron in Tampa

8:44 AM  
Anonymous Anonymous said...

I have Vista Business and it now will not let me achieve any updates through the Security Centre, and I have tried all the available problem-solving answers with no success, and it appears Microsoft don't have an answer either.

4:35 PM  
Anonymous Anonymous said...

I keep my update settings at "Download, but let me install them". Problem? Microsoft or someone changes my settings. They not only download the updates, but continue to install. I try clicking the shield but get nothing, meaning that I don't know anything about the update. Microsoft needs to do some work on their update installation.

11:01 AM  
Anonymous Anonymous said...

OK, a few questions. If I change the setting so I choose when to install the updates, where is the best place to find out if a particular update is a problem or not? Also, where are the updates once they are downloaded? I now have SP3 downloaded, but I don't want to install it. Can I move it or rename it so it doesn't accidentally get installed?

3:48 AM  
