Microsoft dodging the real stealth update issues

I've taken some time to properly digest Microsoft's response to the stealth update issue that I've been discussing here for the last few days and I've come to the conclusion that Microsoft is dodging the real issues about the stealth updates.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor

Let's begin by dissecting the official response I received from a Microsoft spokesperson yesterday.

The files that are being updated are part of the Windows Update client itself. Windows Update automatically updates itself from time to time to ensure that it is running the most current technology, so that it can check for updates and notify customers that new updates are available.

I knew that already.

This is normal behavior, and it has worked this way since the service debuted several years ago.

I'll get back to this point later ...

This is not to suggest that we were as transparent as we could have been; to the contrary, we could have been clearer on how Windows Update behaves when it updates itself. [emphasis added]

This point leaves me somewhat confused. I can't figure out from this whether the Windows Update patch that was released on August 24th could have acted as a normal update (in other words, brought up a notification as usual, only released out of step and not on Patch Tuesday) or whether this is referring to the fact that Microsoft could have somehow made the process more transparent but didn't. I need to clarify this. One possibility here is that Windows Update was somehow broken and Microsoft wanted to push a patch before the regular Patch Tuesday so that updates weren't interrupted. However, coming back to the real world, I have no evidence to suggest that the Windows Update mechanism was broken before this stealth update was applied.

We’ve received helpful and important feedback on this point, and we are now looking at the best way to clarify WU’s behavior to customers so that they can more clearly understand how WU works.

Good.

That said, we continue to be confident that the choice to use Automatic Updating continues to be the best decision for many of our customers. Windows Update remains a popular service with our customers because it helps them stay safe and have confidence that they are running the latest software from us.

Here comes the PR spin. Basically, what I'm reading here is that we should all have Windows set to retrieve and install updates automatically, and that those of us who don't are deviants from the norm. I'm given a choice of "Download updates but let me choose whether to install them" or "Check for updates but let me choose whether to download and install them" (the wording used within Windows Vista), but by choosing one of these options I made the wrong choice.


OK, next let me look at some of the comments made by Nate Clinton, Windows Update Program Manager:

So first some background: Windows Update is designed to help our consumer and small business customers (customers without an IT staff) keep their systems up-to-date. To do this, Windows Update provides different updating options: 1) Install updates automatically, 2) Download updates but let me choose whether to install them, 3) Check for updates but let me choose whether to download and install them, and 4) Never check for updates. Our goal is to automate the process wherever possible so that we can increase the likelihood of a system being secure and up-to-date, while giving customers the flexibility to control how and whether updates are installed. [emphasis added]

OK, so Windows provides the different options in order to give "customers the flexibility to control how and whether updates are installed."

The reasons for this are both philosophical and practical. Philosophically, Microsoft believes that users should remain in control of their computer experience. Practically, customers have told us that they want to have time to evaluate our updates before they install them.

OK, so far, this is good stuff. It's my PC and I can decide how and when it's updated.

That said, and to the benefit of both customers and the IT ecosystem, most customers choose to automate the updating experience.

There's the slap in the face for those of us who want to have control over updates.

Let's skip a bit now down to a juicy part:

One question we have been asked is why do we update the client code for Windows Update automatically if the customer did not opt into automatically installing updates without further notice? The answer is simple: any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available. Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications.

OK, this needs a lot more clarification. Last time I looked, Windows Update was working just fine on the system that received the stealth update. I was given notification of updates just fine on August 14th (Patch Tuesday). This part of Clinton's blog post spawns questions galore:

  • So what had happened between the 14th and the 24th of August to break Windows Update?
  • In what way was Windows Update broken?
  • How was Windows able to download this stealth update if the mechanism was broken?
  • Why no notification?
  • Why is the entry in the Event Log for this update so vague?
    [Screenshot: the Event Log entry for the update on Windows Vista]
  • Why no knowledge base article?
  • Are people who have Automatic Updates turned off now permanently locked out from Windows Update because they don't have the patch?
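
Some of these questions can be answered, at least in part, from the affected machine itself. The PowerShell script below is an added example written for this page; it is not code from the post, from Microsoft or from ZDNet. It reads the Automatic Updates mode the user chose (and any Group Policy override that silently replaces it), records the version and timestamp of the files that make up the Windows Update client, and lists the client's own installation events from the System log, so that a client file replaced without a matching installation event stands out. It assumes Windows Vista or later with PowerShell 2.0 or newer. The registry value names and the AUOptions numbering (1 never check, 2 notify before download, 3 download then notify before install, 4 install automatically), the list of client file names and the event IDs 19 and 20 (installation succeeded / failed) are taken from Microsoft's Windows Update Agent documentation rather than from the post, and are assumptions of this example.

```powershell
# Added example (not from the post): audit the local Windows Update client.
# Assumes Vista+ and PowerShell 2.0+. Registry names, AUOptions values,
# client file names and event IDs are as documented for the WU Agent.

# AUOptions values in HKLM\...\WindowsUpdate\Auto Update (assumed mapping).
$auModes = @{
    1 = 'Never check for updates'
    2 = 'Check for updates but let me choose whether to download and install them'
    3 = 'Download updates but let me choose whether to install them'
    4 = 'Install updates automatically'
}

function Get-AUConfiguration {
    # What the user picked in the UI versus what Group Policy forces.
    $userKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

    $userOpt = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).AUOptions
    $policy  = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # A policy value (or NoAutoUpdate=1) overrides the user's choice.
    $effective = $userOpt
    if ($policy -and $policy.NoAutoUpdate -eq 1) { $effective = 1 }
    elseif ($policy -and $policy.AUOptions)      { $effective = $policy.AUOptions }

    New-Object PSObject -Property @{
        UserSetting      = $auModes[[int]$userOpt]
        PolicyOverride   = [bool]($policy -and ($policy.AUOptions -or $policy.NoAutoUpdate))
        EffectiveSetting = $auModes[[int]$effective]
    }
}

function Get-WUAgentFiles {
    # Files that make up the self-updating WU client (assumed list, Vista era).
    $files = 'wuaueng.dll', 'wuauclt.exe', 'wuapi.dll', 'wups.dll',
             'wups2.dll', 'wucltux.dll', 'wuwebv.dll'
    foreach ($f in $files) {
        $path = Join-Path $env:SystemRoot "System32\$f"
        if (Test-Path $path) {
            $item = Get-Item $path
            New-Object PSObject -Property @{
                File         = $f
                Version      = $item.VersionInfo.FileVersion
                LastModified = $item.LastWriteTimeUtc
            }
        }
    }
}

function Get-WUClientEvents([int]$Days = 30) {
    # Installation succeeded (19) / failed (20) events written by the WU client.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
        Id           = 19, 20
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Message = $_.Message.Split("`n")[0].Trim()
        }
    }
}

function Test-SilentAgentUpdate {
    # A client file newer than the last logged installation is a lead that
    # the agent replaced itself without a normal install record.
    $latestFile  = Get-WUAgentFiles   | Sort-Object LastModified -Descending | Select-Object -First 1
    $latestEvent = Get-WUClientEvents 365 | Sort-Object Time -Descending | Select-Object -First 1
    if ($latestFile -and (-not $latestEvent -or
        $latestFile.LastModified -gt $latestEvent.Time.ToUniversalTime())) {
        "WU client file $($latestFile.File) ($($latestFile.Version)) changed at " +
        "$($latestFile.LastModified) UTC with no later installation event logged"
    } else {
        'Latest WU client file change is covered by a logged installation'
    }
}

Get-AUConfiguration | Format-List
Get-WUAgentFiles    | Sort-Object LastModified -Descending | Format-Table -AutoSize
Get-WUClientEvents 30 | Format-Table -AutoSize
Test-SilentAgentUpdate
```

Run it from an elevated prompt so the System log and the policy key are readable. Treat the file-versus-event comparison as a lead rather than proof: Windows servicing can stamp a replaced file with the timestamp from the update package instead of the install time, so a clean result does not rule out a silent replacement, while a client file that is newer than every logged installation is exactly the kind of entry the post is asking Microsoft to explain.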

Finally, there's this line:

In fact, WU has auto-updated itself many times in the past.

This raises a few questions, for example:

  • When?
  • Why?

Also, maybe more importantly, especially since Microsoft didn't start a dialog about these updates until the issue was spotted:

  • What other stealth updates have been applied?
  • What stealth update mechanisms exist in Windows?


Let's go back to that earlier point that was made by Microsoft:

This is normal behavior, and it has worked this way since the service debuted several years ago.

I want to join this up with a comment made by James O'Neill on his personal blog over on TechNet:

To me, the whole premise of this argument is stupid. First off when I went to grab the screen shot I've modified here it says at the bottom "Note: Windows Update might require an update before you can update Windows"

I presume that O'Neill is referring to the Windows Update Change Settings screen:

Do you see the wording on that screen? No, you can't, and that's because it's hidden below the fold of the screen and you have to scroll down:

Now do you see it? I don't know about you, but I think that's not that easy to see. I suggest making it a bit clearer:

But a point worth making is that this wording is specific to Windows Vista and doesn't appear on the equivalent window on XP:

Sorry Microsoft, but a weak excuse like this just doesn't cut it and doesn't explain why it was done and why the Event Log was so vague.

I know that this is a bitter pill for Microsoft to have to swallow, but no matter what spin is being put on the PR, updating files on systems where users have specifically stated they want to have the final say on what's installed is a serious betrayal of trust, and this isn't the first time (we've already seen Microsoft push WGA through the Windows Update mechanism as a high priority update). The Windows Update mechanism cannot become a backdoor, an access-all-areas pass to systems where users believe that they have indicated that they don't want updates, period. No excuses, no waffle, no PR spin. With this incident Microsoft has crossed the line and needs to make a clear public apology and then lay out exactly what stealth updates have been made prior to this one and what's being done to make sure that this doesn't happen again. Also, I believe we need much more transparency over the Windows Update mechanism and what access it gives to systems. If there are exceptions to "Download updates but let me choose whether to install them" and "Check for updates but let me choose whether to download and install them", then how do we know that there aren't overrides to the "Never check for updates" option?

I'm not at the point of suggesting that people should disable Windows Update or block it using their firewall, because I have no evidence of any wrongdoing and nothing to suggest that these stealth updates caused harm. But ... what bothers me is Microsoft's take on the issue. A "hands-up, fair cop, we were wrong, we won't do it again, here's what we'll do instead" would go down a lot better with me (and be far less of a story) than this "we're right, we know best, you're wrong for making a fuss" attitude that I'm getting. Right now Microsoft seem to be trying to defend a way of thinking that's indefensible.

Microsoft has a lot more questions to answer before I'm happy with the explanation.

Thoughts?
