
Why Windows Update desperately needs an update

Last week's scramble to dodge two worms --- Blaster and another one targeting DirectX --- revealed some serious shortcomings in one of our primary defenses against such transgressions: Microsoft's Windows Update service. If Microsoft is hoping to engender
Written by David Berlind

Last week's global scramble to dodge the Blaster worm and subsequent warning about a DirectX vulnerability were unpleasant reminders of how unusable Microsoft's Windows Update (the mechanism that many businesses and consumers use to keep their systems up-to-date) really is. As Microsoft pursues its Trustworthy Computing campaign, one need look no further than Windows Update to see just how far the software giant has to go before Windows users can sleep at night.

As the Blaster juggernaut reached a crescendo, many Windows users, IT managers, and systems administrators were asking themselves the same question: "Are my systems protected against this one?" Getting the answer to this question, especially as reports began to circulate that the patch wasn't working in some cases, was no trivial task.

My number one complaint about Windows Update --- a feature that users can engage from the Tools menu on Internet Explorer --- is its lousy user interface.

You have to be a direct descendant of Lieutenant Columbo to figure out whether or not your system has been updated. After engaging Windows Update, the most obvious place to go to see if your system has been properly patched is the "View Installation History" link which appears in Windows Update's left-hand navigation area.

But before doing that, Windows Update greets you with a Welcome message that has specifics on how to protect yourself from the Blaster Worm. The Welcome screen makes the following recommendation: "To protect yourself from the Blaster Worm and its variants, users of the following products: Microsoft Windows® 2000 Service Pack 2 or greater, Microsoft Windows XP, and Microsoft Windows Server 2003, should install 'MS03-026: Security Update for Windows XP (823980).' Microsoft Windows NT4 users are also vulnerable and should click here for more information." While the message provides a direct link to the patch for NT4 users, Windows 2000, Windows XP and Windows Server 2003 users are offered no such convenience. Why?

To further confuse those people who are not sure whether they applied the patch or not (many of us don't know since we don't commit these cryptic codes to memory), the welcome screen continues, "[Your computer is not vulnerable to the Blaster Worm if] you have already downloaded and installed the security update that was addressed by Security Bulletin MS03-026. The MS03-026 update will not be listed on Windows Update in this case." In English, this means that if MS03-026 doesn't show up on the list of updates that you need to do, then you probably did it already.

In that case, it should show up in the Installation History, right? But it's not listed in the Installation History, either--at least not under MS03-026. Instead, the update is listed under "823980." According to Microsoft lead program manager for Windows Update Michael Meulemans, who personally approved the text on the welcome screen, "I agree. It's confusing. We tried to draw the connection between the two codes on the welcome screen, but we could have done a better job."

In searching through the History for evidence of a successful patch, my expectation was that somewhere in the status checking process, I'd see a simple message that tells me whether I am protected against the Blaster worm. For example, perhaps at the top of the installation history, a message that says "Blaster Worm Alert: You can relax. Your installation history indicates that your computer is protected against the Blaster worm." Surely the programmers at Microsoft could have programmed something like this into Windows Update. But they haven't.

So, in the absence of something warm and fuzzy, I'm left to scan a list of entries that in some cases are repetitive and others inconsistent in formatting. For example, whereas one entry says "Security Update for Windows XP (819696)," another says "817606: Security Update (Windows XP)." If the programmers couldn't come up with something more descriptive, at least they could be more consistent. Randomness like this does not breed confidence, a point that Microsoft agreed with during my Windows Update gripe session. According to Windows Update program manager Joseph Dadzie, the reason the installation history doesn't have more descriptive information (such as a reference to the Blaster worm) is that the history is generated from a log (already on the hard drive) that's updated each time Windows Update downloads and installs something new. Said Dadzie, "At the time that the patch for Blaster was made available through Windows Update, the name 'Blaster' didn't exist. Once we add the update to the log and refer to it with our codes, we can't go back and change it later." Fair enough. To protect the integrity of any log and to keep the process lightweight and simple (in other words, no complicated relational databases), you don't want to be mucking with log files once they've been created.

But, absent of something more descriptive, you would think that the entries would be clickable to get more information. While Windows Update may not be able to go back and change entries in a static log to reflect the latest worm news, it can certainly make changes to a Web page that users looking for more information might click through to. This is a relatively trivial task from a programming point of view. For example, in the screen shot I provided, the entry that addresses the Blaster worm vulnerability is "Security Update for Windows XP (823980)." If each of the descriptions in the list was clickable, then doing the detective work would be significantly easier. I could click on each security update and eventually would have been taken to the record in Microsoft's knowledge base that addresses the Blaster Worm. Instead, one has to manually search the Microsoft Knowledge Base on the code (823980) that appears in the installation history entry. But even though that's the code for the Blaster Worm, the text in the search results makes no reference to Blaster. Instead, it says "MS03-026: Buffer Overrun in RPC May Allow Code Execution: (823980) - Microsoft originally released this bulletin and patch on July 16, 2003, to correct a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. The patch was and still is effective in...." It's only after clicking on that link that one receives any indication that this could be the patch. Unfortunately, there's no line at the top that says, "If you're looking for information on how to protect yourself from the Blaster Worm, you've come to the right place." Instead, one has to scan the page and see that the term "Blaster" occurs three times and then must assume that they've found the right place.

Acknowledging the difficulty in retrieving the information needed to determine if a machine was up-to-date for the latest vulnerability to hit the news, Dadzie and Meulemans agreed that turning the entries in the installation history into clickable links makes a lot of sense. Users of Windows Update should expect that simple change soon.

Even if this was all you had to do to confirm you were protected (and it wasn't), this user interface leaves much to be desired. Unfortunately, reports that the patch wasn't taking correctly surfaced at Security Focus, with the biggest complaint being that supposedly patched systems continued to indicate that they were vulnerable. One large IT consultancy contacted me to say that its testing of the patch revealed that in some cases, while the patch seemed to work properly, the date stamps for the files (rpcrt4.dll, ole32.dll, rpcss.dll) that were supposed to be updated were reflecting that no update may have taken place. To confirm beyond any doubt whether the files were indeed updated (even if their date stamps hadn't changed), one could go to the Windows registry and drill down into a software branch that gets updated with new entries each time a Windows Update is performed.
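The check described above, as an added example that is not part of the column: a PowerShell script that tests the three files the column names (rpcrt4.dll, ole32.dll, rpcss.dll) by file version rather than by date stamp, and looks for the registry branch the update writes. The registry path, the minimum versions and the function names are my own placeholders and assumptions, to be filled in from the security bulletin for the update being verified.

```powershell
# Added example (not from the column): verify a hotfix by file version and registry evidence
# rather than by file date stamps, which the column notes can stay unchanged after a patch.
# PLACEHOLDERS: the registry branch and minimum versions come from the bulletin for the update.

param(
    [string]$HotfixKey = 'HKLM:\SOFTWARE\PLACEHOLDER\Updates\KBnnnnnn',   # placeholder path
    [hashtable]$MinimumVersions = @{                                       # placeholder versions
        'rpcrt4.dll' = '0.0.0.0'
        'ole32.dll'  = '0.0.0.0'
        'rpcss.dll'  = '0.0.0.0'
    }
)

function Test-HotfixFiles {
    param([hashtable]$Expected, [string]$SystemDir = "$env:SystemRoot\System32")
    foreach ($name in $Expected.Keys) {
        $path = Join-Path $SystemDir $name
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $name; Installed = $null; Required = $Expected[$name]; Ok = $false }
            continue
        }
        $item = Get-Item $path
        # FileVersion is the authoritative marker; LastWriteTime is reported only for comparison.
        $have = [version]$item.VersionInfo.FileVersion.Split(' ')[0]
        $need = [version]$Expected[$name]
        [pscustomobject]@{
            File      = $name
            Installed = $have
            Required  = $need
            Modified  = $item.LastWriteTime
            Ok        = ($have -ge $need)
        }
    }
}

function Test-HotfixRegistry {
    param([string]$Key)
    # An installed hotfix leaves a subkey under the updates branch; its presence
    # does not depend on file time stamps.
    Test-Path $Key
}

$files = Test-HotfixFiles -Expected $MinimumVersions
$files | Format-Table -AutoSize
$regOk = Test-HotfixRegistry -Key $HotfixKey
if (@($files | Where-Object { -not $_.Ok }).Count -eq 0 -and $regOk) {
    'All listed files meet the minimum version and the hotfix key is present.'
} else {
    'Verification incomplete: review the rows marked Ok=False and the registry key.'
}
```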

My problems with Windows Update didn't end here. While attempting to use Windows Update to make sure I was protected from Blaster, I noticed that there were several other "recommended" updates. Windows Update categorizes updates according to their criticality. There are three categories: Critical Updates and Service Packs, Windows XP Recommended Updates, and Driver Updates. While there, I took the opportunity to install many of the updates that appear in the Windows XP category under Recommended Updates. Windows Update allows you to select multiple updates at a time, which is what I did. Things were going along swimmingly until I encountered an error (see screen shot). I was told "Setup cannot copy the file acgenral.dll." The error dialog goes on to show the directory from which it was attempting to copy the file: c:\a4b0d38d10f8bb5817732427c. I didn't even bother investigating this one. I had no idea which of the multiple updates that I checked was the source of the problem, nor were there any clues. As a mechanism for keeping Windows machines secure, which technically falls within the domain of Microsoft's Trustworthy Computing initiative, I can't exactly say that the performance of Windows Update was engendering trust.

Microsoft suspects, but isn't sure, that it knows why this happened. As was reported following the big Blaster weekend, one way Microsoft dodged the Blaster bullet was because of the way the worm's author hard-coded the windowsupdate.com domain into the worm's source code. Windowsupdate.com is a domain used by Windows Update. It automatically redirects users to windowsupdate.microsoft.com. To thwart Blaster's pending Distributed Denial of Service (DDoS) attack, Microsoft temporarily disabled that redirection. However, to make sure that Windows Update itself continued to function, it did not disable another important destination--that of downloads.windowsupdate.com. Downloads.windowsupdate.com is critical to the successful operation of Windows Update, but access to it didn't need to be terminated since the worm's author didn't specifically target that destination.

Meulemans suspects that when many ISPs found out that windowsupdate.com was the worm's target, they programmed their systems using a wildcard (*.windowsupdate.com) that prevented access to all of windowsupdate.com (including downloads.windowsupdate.com) instead of just http://windowsupdate.com itself. As a result, when I ran Windows Update and it tried to phone home, home was nowhere to be found and the installation process failed. To be fair to Microsoft, this sort of coordinated effort to thwart a DDoS that involved cooperation from ISPs is uncharted territory. Nevertheless, the failed installation could have provided me with more details on precisely what component failed to update and how to recover from that failure.

If all of the above wasn't enough to undermine my faith in Windows Update, or Microsoft's initiative, the next warning drove nails into the coffin. I had barely finished patting myself on the back knowing that all of the systems on my network were fortified with anti-Blaster venom when news started to surface of another vulnerability in DirectX that Microsoft was fretting over. News of the vulnerability surfaced in July, preceding the imminent threat, and Microsoft classified the vulnerability as critical. In what appears to be a response to the vulnerability, a secure version of DirectX (version 9.0b) is available from Microsoft's Web site and via Windows Update. But, as shown in my screen shot, the DirectX 9.0b end-user runtime, which lists security first in its list of updates, appears in the Windows XP Recommended Updates category instead of under Windows Update's Critical Updates and Service Packs category. So, while Microsoft is warning the world of a critical security flaw in DirectX, its Windows Update site --- designed to make sure we're covered for such critical vulnerabilities (especially if we don't read the news) --- appeared to downplay the criticality of the problem.

Windows Update program manager Nate Clinton instantly spotted the source of my confusion. "The update that appears in the recommended updates section on Windows Update is strictly for brand new machines that shipped with Windows and just came out of the box. It's a complete refresh of DirectX and not just a security update. That's why it's a recommended update. The security-specific update, which your installation history indicates you have on your system, was listed in the critical updates section before you updated your system. It's the one in your history that has the code 819696."

After hanging up the phone with Microsoft, I realized that, unlike with the Blaster worm where the name Blaster wasn't around when the update was issued, Microsoft could easily have called this update "Critical DirectX 9.0b Security Fix" instead of "Security Update for Windows XP (819696)." In this case, there was no excuse for not providing something more contextual.

There's no question that the Windows Update service is a big step in the right direction over what we once had with Windows--a bulletin board where we were on our own to manually retrieve and install patches but never received a prompt to do so. Red Hat offers a service that's similar to Windows Update for its distribution of Linux.

Hopefully, Microsoft will do as Meulemans says it will do and take the criticisms to heart. Maybe then we'll be able to depend on Windows Update and, for that matter, Microsoft. But I'm not ready yet.

Are you an IT manager that was burned after relying on Windows Update to keep your users' systems up to date? Or are you just a frustrated user? Share your thoughts with your fellow readers using ZDNet's TalkBack. Or write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.
