Beware of automatic updates for XP

Microsoft Windows Update may not be the blessing it appears to be - there are many reasons why it may be better to add patches manually
Written by John McCormick, Contributor
On Oct. 25, 2001, Microsoft pulled out all the stops in launching Windows XP in New York City. The following day, it was announced that around 20MB of patches and updates for Windows XP Professional (around 12MB for the Home Edition) were already available for download directly from Microsoft. While these patches are important for XP users, the way in which Microsoft prefers to deliver them -- using Windows Update -- has dubious value for IT departments. It is quite easy to download and install these patches using the Windows Update service; however, it is cumbersome and challenging to locate, download, and then install the XP patches on an individual basis. While you may think I am nitpicking, the difference between the former and the latter approach is the difference between a push and a pull update. I'm going to show you what's in the XP update, and then I'm going to tell you why you should opt for the pull rather than the push method of applying it. What's covered by the update?
If you have new PCs with XP installed or have already installed or ordered the OS upgrade for some of your machines, this update is not something to ignore. Although some of the downloads are probably not applicable to businesses -- for instance, Windows Movie Maker requires a 3.2MB download to run properly -- other pieces of the update have important security implications. The most important download is a 1.9MB patch needed to fix a security hole in Internet Explorer 6. There is also a 5.2MB download that fixes a vulnerability in Microsoft Virtual Machine. Other problems addressed by the downloads include incompatibilities with some UPS units, an upgrade to the CD-R utilities, a 2.2MB download to improve third-party software compatibility, and several other downloads that are probably necessary for most businesses running XP. Automatic updates may spell trouble
Over the past few months, there has been a lot of talk about Windows XP's Product Activation feature, which forces users to lock each XP copy to specific hardware (unless you purchase a corporate volume license). However, with XP, Microsoft is advancing an older but potentially more onerous technology even harder: Windows Update. For business networks, Windows Update means a change from pull to push technology for systems updates and patches. This poses a major threat to both corporate security and to system stability and usability. With Windows Update, Microsoft gives users the option of having their OS automatically find, accept, and install patches and updates downloaded from the Microsoft Windows Update Web site. With Windows XP, this feature is intertwined with the OS even further than in past versions of Windows. In fact, it's much more difficult and cumbersome to find and download the needed patches for XP mentioned above than it is to use the Windows Update feature. But in my opinion, relying on Windows Update is a very bad idea. Can any security specialist or IT manager concerned with simplifying system maintenance really trust Microsoft to make automatic patches to their systems? If you have any doubts, just recall that the recent Microsoft bulletin MS01-052 was only the latest example of a Microsoft patch where the cure turned out to be worse than the illness. Reasons not to use Windows Update
I can think of four very good reasons why you don't want to choose the Windows Update option:
  • The patch itself may be flawed and may not do what it was intended to do. This was the case with the initial MS01-052 W2K patch, which closed down Terminal Services instead of fixing them. Being quick to download and install that patch (the benefit of Windows Update) was not a good move in this case. Microsoft has a long history of releasing patches (and software) that need more in-house testing. Those who adopt push patching will become inadvertent beta testers, and their systems will suffer.
  • Many updates (Microsoft and otherwise) can result in unknown conflicts with other system services, third-party software, or hardware. It is tough enough to deal with this when you discover it through in-house testing. Now consider how much worse it would be if all of your systems got a bad patch simultaneously, and it brought down a large portion of your mission-critical systems.
  • Someone at Microsoft might intentionally or accidentally insert destructive code or perhaps a back door into a patch that is pushed with Windows Update. Microsoft will say that this is farfetched and that it has many layers of protection designed to prevent this, but recall that Microsoft servers have been compromised internally in the past. Also, remember that just last spring, someone who claimed to work for Microsoft was able to obtain fraudulent digital certificates.
  • Many businesses still don't have broadband Internet connections that are shared across every computer in their company. Even if all my other objections are meaningless, consider how much downtime you will experience with periodic large downloads being forced into your PCs. Many Microsoft patches run into the megabytes. Since the download is a background task, this isn't a problem if you are connected to a T-1 pipe, but a couple of multimegabyte downloads can seriously tie up a low-bandwidth connection.

  • Final analysis

    In a previous column, I took security personnel to task for failing to patch their servers even after several rounds of attacks by the Code Red worm. Nevertheless, automated push patching from Microsoft is definitely not the answer to this problem, even though many managers who don't think through all the implications may jump to adopt this technology -- and not just with Windows XP. See the Windows XP Resource Centre for the latest news on Microsoft's new operating system. Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Microsoft forum. Let the editors know what you think in the Mailroom. And read other letters.
    Editorial standards