Two weeks ago, I reported on widespread problems with Microsoft's Automatic Updates and Windows Update services. Microsoft confirmed those problems a few days later, assuring Windows users that the delays in downloading updates were "perfectly normal."
The more I look, the more I'm convinced that there's a substantial problem with Microsoft's update process. But they're not willing to talk about it.
I've put together an image gallery that documents problems I experienced, and which were confirmed by other people in newsgroup posts, comments, and via e-mail. Problems include lengthy delays before receiving updates, missing updates, and errors when connecting manually to Microsoft's update servers. In this gallery, I document how you can use some widely available tools to investigate how well the update process is working for you.
I tried to arrange a phone interview with a security expert at Microsoft who could explain what's going on. Unfortunately, the person I needed to talk to wasn't available, so I was invited to submit a list of questions to a representative of Microsoft's public relations agency, who promised to get them to the right people and assured me that I would get "transparent responses, with no waffling or sugar-coating."
The answers arrived in an unsigned e-mail reportedly prepared by a group of Microsoft employees working in Windows and security groups. Unfortunately, they didn't answer most of the questions I posed, and my request for a follow-up was turned down.
Microsoft insists there's no problem. Delays are normal, they say, especially when they choose to prioritize one update:
[I]t is our goal to align security threats and distribution. Some of your questions asked about how long customers should expect to wait before receiving patches. The Microsoft Security Response team works to align the severity of a security threat with an appropriate speed for update distribution. It’s really an extension of a core security practice – as Microsoft assesses a security threat it determines whether it is appropriate to release an update during a standardized patch Tuesday, or whether there is a need to issue an update out of band from the regular cycle.
According to Microsoft, one of the errors people experienced on Windows Update earlier this month might have been caused by a unique scenario.
The threat presented by the vulnerability addressed in MS06-040 prompted us to do everything possible to ensure that customers received the update with the highest possible priority. We are aware of one scenario – which may explain what you observed. If a PC has been off for several update cycles, an AU scan will happen as soon as you log in, resulting in a longer time for the AU scan, inventory and download of applicable updates.
That doesn't explain why I and many others were completely unable to reach the Windows Update servers for several days at a time.
Finally, Microsoft is sensitive to its responsibility to not overload the Internet. This theme was repeated throughout the replies I received:
[W]e believe our approach is a responsible use of the Internet. As you know, the Internet is a shared resource. As an infrastructure, it has capacity limits and the organizations that use it in the course of their business must act responsibly to ensure that high bandwidth use does not impact or slow down others’ use. As is further detailed below, Microsoft’s updating infrastructure is highly scalable and we purchase additional bandwidth capacity if that is required to ensure that the distribution of updates is aligned with the perceived threat. That said, we can’t let our use of the Internet impact or slow down others.
As I noted in my original post, I've kept meticulous records of the performance of Automatic Updates on a test machine since late 2004. For the first year, updates routinely arrived within 1-2 days. This year, the average time between the release of Critical updates and their arrival via Automatic Updates has slipped to 4-5 days, and in August it took a full week. Microsoft won't answer any questions that address this issue.
They also won't answer the simple question, "How many days does the Automatic Updates cycle take? How long after updates are released (typically on Patch Tuesday) should a customer wait before assuming something is wrong?" Last year it was a day or two. This year it's a week. Will some customers have to wait even longer next year?
According to Microsoft, "hundreds of millions" of people connect to the Automatic Updates servers each month. They deserve more information about what, exactly, they're getting.
See image gallery for a closer look at problems with the update process...