Microsoft's Adrian Stone must have been reading my recent posts (here and here) about problems with Windows Update. That's the only conclusion I can draw from this comment on the Microsoft Security Response Center Blog:
Speaking of downloading updates I also want to clarify some questions I have heard lately regarding why some customers have seen MS06-040 downloaded or installed while some of the other updates have not appeared yet during the same interval. With Windows Update we have the ability to prioritize updates in order to ensure that we are providing the broadest customer distribution possible for a particular update or set of updates given the relative threat. Prioritizing of the updates is done taking into account the threats identified with each individual release. As we have seen and has been identified by others the threat presented by the vulnerability addressed in MS06-040 prompted us to do everything possible to ensure that customers received the update with the highest possible priority. This is a normal behavior and if you have not seen the rest of this month's updates yet on your computer rest assured they are coming and this is perfectly normal. [Emphasis added]
OK, they won't come right out and say it, but this post sure seems like confirmation that some customers who have Automatic Updates enabled still have not received some or all of the Critical updates that were released one full week ago. Is this normal? Is it new behavior? Is it a temporary condition?
I asked Microsoft yesterday if they have quality-of-service metrics for Automatic Updates and whether there is a maximum number of days customers should have to wait for Critical updates to be delivered. I also asked for some technical details on the architecture of Windows Update. That information is not available in the TechNet article linked to in the above MSRC post as a good source of information "about how Windows Update works." I have received no response to that request.
Last April, after returning from the RSA Security conference, Debby Fry Wilson, director of the Microsoft Security Response Center, published this post on the MSRC blog:
In our world, press coverage is one of the most efficient and broad-reaching ways to communicate to the world at large during a security incident. Therefore it is absolutely essential that we deal with the media with the same integrity and transparency that we endeavor to achieve when we communicate directly with our customers.
We rely on the media to help us amplify up-to-the-minute critical information to customers when there is a security issue. Therefore, it is a hard-core standard practice for our team that there be no waffling, no sugar-coating, no hyping, no anything but the bare bones facts when interacting with the media on security issues -- which happens to be our same commitment in interacting with customers.
On this episode, at least, Microsoft does not seem to be honoring that commitment.