Microsoft confirms slow updates

Summary: Didn't get your August updates yet? Microsoft says this is "perfectly normal." They also acknowledge that they've prioritized delivery of the highly publicized MS06-040 patch. But they aren't providing any more details about the slowdown.

Microsoft's Adrian Stone must have been reading my recent posts (here and here) about problems with Windows Update. That's the only conclusion I can draw from this comment on the Microsoft Security Response Center Blog:

Speaking of downloading updates I also want to clarify some questions I have heard lately regarding why some customers have seen MS06-040 downloaded or installed while some of the other updates have not appeared yet during the same interval. With Windows Update we have the ability to prioritize updates in order to ensure that we are providing the broadest customer distribution possible for a particular update or set of updates given the relative threat. Prioritizing of the updates is done taking into account the threats identified with each individual release. As we have seen and has been identified by others the threat presented by the vulnerability addressed in MS06-040 prompted us to do everything possible to ensure that customers received the update with the highest possible priority. This is a normal behavior and if you have not seen the rest of this month's updates yet on your computer rest assured they are coming and this is perfectly normal. [Emphasis added]

OK, they won't come right out and say it, but this post sure seems like confirmation that some customers who have Automatic Updates enabled still have not received some or all of the Critical updates that were released one full week ago. Is this normal? Is it new behavior? Is it a temporary condition?

I asked Microsoft yesterday if they have quality-of-service metrics for Automatic Updates and whether there is a maximum number of days customers should have to wait for Critical updates to be delivered. I also asked for some technical details on the architecture of Windows Update. That information is not available in the TechNet article linked to in the above MSRC post as a good source of information "about how Windows Update works." I have received no response to that request.

Last April, after returning from the RSA Security conference, Debby Fry Wilson, director of the Microsoft Security Response Center, published this post on the MSRC blog:

In our world, press coverage is one of the most efficient and broad-reaching ways to communicate to the world at large during a security incident.  Therefore it is absolutely essential that we deal with the media with the same integrity and transparency that we endeavor to achieve when we communicate directly with our customers. 

We rely on the media to help us amplify up-to-the-minute critical information to customers when there is a security issue.  Therefore, it is a hard-core standard practice for our team that there be no waffling, no sugar-coating, no hyping, no anything but the bare bones facts when interacting with the media on security issues -- which happens to be our same commitment in interacting with customers.

On this episode, at least, Microsoft does not seem to be honoring that commitment.

Talkback

10 comments
  • So Ed, it appears you were correct

    Someone here accused you of sensationalizing... Turns out you were correct... And I bet your exposé helped force Microsoft's admission, huh?
    Yodaddy
  • Yeah, but there is a hole in their integrity

    To quote your quote from Microsoft:

    "...Therefore, it is a hard-core standard practice for our team that there be no waffling, no sugar-coating, no hyping, no anything but the bare bones facts when interacting with the media on security issues -- which happens to be our same commitment in interacting with customers"

    Does this mean they only 'waffle, sugar-coat and hype' when it comes to WGA?
    Yodaddy
  • Automatic update breaks if manual update installed?

    Is it just me or has anyone else noticed that for W2Ksp4 it seems once you install a patch outside the Automatic Update or Windows Update web site, all future automatic updates fail to install?

    A while back I downloaded several of the "critical patches" as exe files and manually installed them on several systems. This is much faster than waiting for Automatic Update to kick in or individually visiting Windows Update web site.

    Since doing so Automatic Update has never downloaded anything and visiting Windows Update gives me a list of patches "needed" the oldest being the ones I installed manually. These download fine but the installs all fail.

    --wally.
    wkulecz
  • Checking for MBSA or SMS?

    I wonder if they are checking for connections from MBSA and SMS and giving them an additional boost in priority over regular end-users. I think a lot of companies would be upset to know that they can't pull down the latest patches for their ENTIRE ORGANIZATION. But if Microsoft checks for one of those products, they might realize the importance and make sure they get through?
    adsanders@...
    • Should be WSUS not MBSA

      Got my tools confused for a minute there...
      adsanders@...
  • How big are the pipes?

    I think this is a security issue of how fast Microsoft can fix/update software if someone wanted to issue a big "terrorist" attack on their software. I'm not sure I want Microsoft announcing how many viruses you have to release at once to overwhelm the system. I also wonder if it is an issue of people updating all at the same time. They used to have sewer/water issues in some cities at the TV breaks of the Super Bowl.
    walway@...
    • Security through obscurity?

      The Super Bowl/toilet flush thing is an urban legend (http://www.snopes.com/sports/football/superbowl.asp).

      And I would disagree that knowing how fast Microsoft can push out patches makes any difference to online criminals. If someone can come up with a zero-day exploit that spreads via unpatched systems, such as Blaster, it will cause chaos and havoc, regardless of whether MS can patch its installed base in one day or five.

      The real issue here is that customers have a right to know what they're getting when they sign up for Automatic Updates. Would you accept this service if you were told that the system promised delivery within 60 days of release of a critical update? What about 30 days? 10? 5? There's obviously a point at which most people will accept delays from an automatic system, but they can't make an informed choice without information.
      Ed Bott
  • As if that was needed

    "Microsoft confirms slow updates"

    Five years and counting since XP was released, we didn't need MS
    to confirm this was ridiculously slow. Oh wait;-)
    Richard Flude
  • MS UPDATES & IE7

    I HAVEN'T HAD ANY UPDATES IN A WHILE. ALSO, I GAVE IE7 BETA A GOOD TRY, BUT IT A L W A Y S CRASHES ALMOST IMMEDIATELY. THERE APPEARS TO BE NO SOLUTION, AS WHEN I SEND ERROR REPORTS, MS ALWAYS SENDS A RESPONSE. WHEN IT COMES TO IE7 - NO RESPONSE WAS EVER SENT OR RECEIVED EVEN THOUGH I SENT OVER 500 REPORTS!
    shadowash666@...
  • RE: Microsoft confirms slow updates

    You talk about "downloading updates". That's not where I have the problem. Each time I update Microsoft Office, it takes 1 hour to install on my computer. Hopefully, I just have one computer to update. Other products that I have problems with are .NET Framework and Visual Studio. The problem seems to be related to Windows Installer, which is doing a lot of extra work. They just have to back up files and overwrite them with the new versions!!!
    sickle