Microsoft dodging the real stealth update issues


I've taken some time to properly digest Microsoft's response to the stealth update issue that I've been discussing here for the last few days and I've come to the conclusion that Microsoft is dodging the real issues about the stealth updates.

Let's begin by dissecting the official response I received from a Microsoft spokesperson yesterday.

The files that are being updated are part of the Windows Update client itself. Windows Update automatically updates itself from time to time to ensure that it is running the most current technology, so that it can check for updates and notify customers that new updates are available.

I knew that already.

This is normal behavior, and it has worked this way since the service debuted several years ago.

I'll get back to this point later ...

This is not to suggest that we were as transparent as we could have been; to the contrary, we could have been clearer on how Windows Update behaves when it updates itself. [emphasis added]

This point leaves me somewhat confused. I can't figure out from this whether the Windows Update patch that was released on August 24th could have acted as a normal update (in other words, brought up a notification as usual, only released out of step and not on Patch Tuesday) or whether this is referring to the fact that Microsoft could have somehow made the process more transparent but didn't. I need to clarify this. One possibility here is that Windows Update was somehow broken and Microsoft wanted to push a patch before the regular Patch Tuesday so that updates weren't interrupted. However, coming back to the real world, I have no evidence to suggest that the Windows Update mechanism was broken before this stealth update was applied.

We’ve received helpful and important feedback on this point, and we are now looking at the best way to clarify WU’s behavior to customers so that they can more clearly understand how WU works.

Good.

That said, we continue to be confident that the choice to use Automatic Updating continues to be the best decision for many of our customers. Windows Update remains a popular service with our customers because it helps them stay safe and have confidence that they are running the latest software from us.

Here comes the PR spin. Basically, what I'm reading here is that we should all have Windows set to retrieve and install updates automatically and that those of us who don't are deviants from the norm. I'm given a choice to "Download updates but let me choose whether to install them" or "Check for updates but let me choose whether to download and install them" (the wording used within Windows Vista) but by choosing one of these options I made the wrong choice.


OK, next let me look at some of the comments made by Nate Clinton, Windows Update Program Manager:

So first some background: Windows Update is designed to help our consumer and small business customers (customers without an IT staff) keep their systems up-to-date. To do this, Windows Update provides different updating options: 1) Install updates automatically, 2) Download updates but let me choose whether to install them, 3) Check for updates but let me choose whether to download and install them, and 4) Never check for updates. Our goal is to automate the process wherever possible so that we can increase the likelihood of a system being secure and up-to-date, while giving customers the flexibility to control how and whether updates are installed. [emphasis added]

OK, so Windows provides the different options in order to give "customers the flexibility to control how and whether updates are installed."

The reasons for this are both philosophical and practical. Philosophically, Microsoft believes that users should remain in control of their computer experience. Practically, customers have told us that they want to have time to evaluate our updates before they install them.

OK, so far, this is good stuff. It's my PC and I can decide how and when it's updated.

That said, and to the benefit of both customers and the IT ecosystem, most customers choose to automate the updating experience.

There's the slap in the face for those of us who want to have control over updates.

Let's skip a bit now down to a juicy part:

One question we have been asked is why do we update the client code for Windows Update automatically if the customer did not opt into automatically installing updates without further notice? The answer is simple: any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available. Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications.

OK, this needs a lot more clarification. Last time I looked, Windows Update was working just fine on the system that received the stealth update. I was given notification of updates just fine on August 14th (Patch Tuesday). This part of Clinton's blog post spawns questions galore:

  • So what had happened between the 14th and the 24th of August to break Windows Update?
  • In what way was Windows Update broken?
  • How was Windows able to download this stealth update if the mechanism was broken?
  • Why no notification?
  • Why is the entry in the Event Log for this update so vague? [Image: eventlogvista_1_sm.jpg]
  • Why no knowledge base article?
  • Are people who have Automatic Updates turned off now permanently locked out from Windows Update because they don't have the patch?

Finally, there's this line:

In fact, WU has auto-updated itself many times in the past.

Raises a few questions, for example:

  • When?
  • Why?

Also, maybe more importantly, especially since Microsoft didn't start a dialog about these updates until the issue was spotted:

  • What other stealth updates have been applied?
  • What stealth update mechanisms exist in Windows?


Let's go back to that earlier point that was made by Microsoft:

This is normal behavior, and it has worked this way since the service debuted several years ago.

I want to join this up with a comment made by James O'Neill on his personal blog over on TechNet:

To me, the whole premise of this argument is stupid. First off when I went to grab the screen shot I've modified here it says at the bottom "Note: Windows Update might require an update before you can update Windows"

I presume that O'Neill is referring to the Windows Update Change Settings screen:

[Image: changesettingsvista_1_sm.jpg]

Do you see the wording on that screen? No, you can't, and that's because it's hidden below the fold of the screen and you have to scroll down:

[Image: changesettingsvista_2_sm.jpg]

Now do you see it? I don't know about you, but I think that's not that easy to see. I suggest making it a bit clearer:

[Image: changesettingsvista_3_sm.jpg]

But a point worth making is that this wording is specific to Windows Vista and doesn't appear on the equivalent window on XP:

[Image: changesettingsxp_1_sm.jpg]

Sorry Microsoft, but a weak excuse like this just doesn't cut it and doesn't explain why it was done and why the Event Log was so vague.

I know that this is a bitter pill for Microsoft to have to swallow, but no matter what spin is being put on the PR, updating files on systems where users have specifically stated they want to have the final say on what's installed is a serious betrayal of trust, and this isn't the first time (we've already seen Microsoft push WGA through the Windows Update mechanism as a high priority update). The Windows Update mechanism cannot become a backdoor, access all areas pass to systems where users believe that they have indicated that they don't want updates, period. No excuses, no waffle, no PR spin. With this incident Microsoft has crossed the line and needs to make a clear public apology and then lay out exactly what stealth updates have been made prior to this one and what's being done to make sure that this doesn't happen again. Also, I believe we need much more transparency over the Windows Update mechanism and what access it gives to systems. If there are exceptions to "Download updates but let me choose whether to install them" and "Check for updates but let me choose whether to download and install them" then how do we know that there aren't overrides to the "Never check for updates" option?

I'm not at the point of suggesting that people should disable Windows Update or block it using their firewall because I have no evidence of any wrongdoing and nothing to suggest that these stealth updates caused harm. But ... what bothers me is Microsoft's take on the issue. A "hands-up, fair cop, we were wrong, we won't do it again, here's what we'll do instead" would go down a lot better with me (and be far less of a story) than this "we're right, we know best, you're wrong for making a fuss" attitude that I'm feeling. Right now Microsoft seem to be trying to defend a way of thinking that's indefensible.

Microsoft has a lot more questions to answer before I'm happy with the explanation.

Thoughts?


Talkback

141 comments
  • Why haven't I been updated?

    I've got Windows Update set to notify me, but not download or install updates. Also, as of Tuesday, 9/11, my machine is fully patched. Yet, all of the dll files listed in the original article as having been updated were not updated on my machine. All of mine have a modified date of 7/30. Were there different waves of Update updates and mine were updated earlier than others? Inquiring minds wanna know.
    MGP2
    • Instead of looking at the modified date ...

      ... look at the version of the file (under Properties) ... the updated files should end in 381.
      Adrian Kingsley-Hughes
      • Cha ching!

        As the saying goes, "I've been updated without being kissed"...or something like that. ;-)
        MGP2
    • What the hell the government wait for

      giving MS a whack across the head big time something painful and expensive.
      As long a MS will be free to exert their power anyone who's under its boot will have there right baffel like there where not there .

      There should be punishment to the highest level of that shop and big one .....

      I move to open source 5 years ago and use MS only when force to.
      but luckily I don't have anything that goes near MS product .
      Quebec-french
      • Microsoft harvests data for...

        the government and thus will always be allowed to do whatever they want.

        They have never had more than a slap on the wrist for breaking any laws.
        bjbrock
        • There you go talking ....

          ... out your arse again. Do you have proof of your claim that Microsoft is harvesting information?
          ShadeTree
          • I did have proof...

            "Do you have proof of your claim that Microsoft is harvesting information?"

            I did, but Microsoft erased it from my computer. ;-)
            MGP2
          • I'm guessing

            that if anyone wanted to harvest info from computers running Windows, then MS wouldn't even know it is happening
            richvball44
          • Are you a techie?

            Yes? You have no excuse!
            No? Try using a Port analyzer to see that MS DOES probe and pick from your Windoze system!
            nomorems
      • Umm... I am guess your natural language is French.

        Perhaps you should use the Systran.com site to assist in converting to English?
        nomorems
  • Apology? From Microsoft?

    Then what, back to business as usual. They have violated your trust not once but at least twice as you indicated in your blog.

    "Fool me once shame on you, fool me twice shame on me."

    Personally I don't understand why you would continue to allow this behavior. After all, I am sure there is some law that can apply to protect the consumer in this case.

    Bottom line is you and every other user of Microsoft out there needs to make a decision:

    1 - Hold Microsoft to the fire and burn their @ss.
    2 - Move to another platform
    3 - Keep using their products and shut the hell up when you get screwed again.

    This is just one more reason why I won't use Microsoft products. ]:)
    Linux User 147560
    • But if MS apologized...

      ...it would imply that MS and its senior executives are fallible, which is something few politicians or corporate executives are willing to admit, because it might cost them their jobs.
      John L. Ries
    • And just one more reason that Windows users ...

      ... don't care what yor opinion is on the matter.

      "This is just one more reason why I won't use Microsoft products."
      ShadeTree
      • Ironically

        it seems they don't care what your (notice correct spelling!) opinion on the matter is either! ]:) Guess we are even.
        Linux User 147560
      • Windows USERS care! Windows shills and apologists DON'T (NT)

        nt
        nomorems
    • Good suggestion!

      "Bottom line is you and every other user of Microsoft out there needs to make a decision:"

      What makes you think that they haven't already done that and, once examining the alternatives, decide that Windows is still the better solution for them?

      I think it is hilarious that the people who are most outraged by MS's actions are the ones who aren't in the least bit affected by those actions. Hilarious!! Do you get upset when Britney Spears releases a lousy album? :)
      NonZealot
      • Britney who?

        :?
        ]:)
        Linux User 147560
        • britney is like Vista, all looks with nothing behind it

          Maybe Bill should hire Britney to write M$ a new pop hit song on the benefits of everybody switching to Vista?
          jaybyrd
          • Whoa . . . Britney's got a great behind!

            As for a pop song on the benefits of Vista, how about the BAHA MEN doing "Who Let the Dogs Out" (from 2000)?
            dmennie
      • LOL!

        good stuff. :)
        xuniL_z