Thursday, July 2, 2009

Windows may update unexpectedly

By Scott Spanbauer

Dozens of Windows Secrets readers confirm that Windows sometimes installs updates without displaying a list of patches that a user can accept or decline.

If Automatic Updates were set to install patches without user intervention, no notice would be expected, but a bug appears to be installing patches upon shutdown in certain cases, even though Windows is configured to require user approval.

In my June 25 Top Story, I reported that several Windows Secrets readers and editors had experienced a disturbing problem involving Automatic Updates (AU). Users who had configured AU to prompt them before downloading or installing updates found that Windows installed updates at the next shutdown without notification, review, or approval.

The day after the story appeared, the Microsoft Update blog tacitly acknowledged the problem in a blog post. The comment said the company was "investigating the reports and trying to clarify with the community exactly what people are experiencing."

The blog post went on to describe the behavior that should be expected when users select option 2 or 3 of AU's four alternatives:
  • Option 1. Automatically download and install updates;
  • Option 2. Download updates but prompt for review before installing them;
  • Option 3. Check for updates but prompt before downloading or installing them;
  • Option 4. Turn off Automatic Updates.

When either option 2 or 3 is chosen, users should see an icon in the notification area alerting them that updates are available. This should be true whether the updates are already downloaded and ready for installation (option 2) or merely available for download from a Microsoft server (option 3).

As I reported last week, Knowledge Base article 910340, last revised on Dec. 5, 2007, confirms that notification to users may fail if a patch was partially downloaded but interrupted before the download was completed.

Incomplete downloads can occur when Microsoft publishes several updates at once and the company "throttles" its bandwidth to prevent server overload. This happened on June 9, Microsoft's regular Patch Tuesday, when 10 major security bulletins were released.

The throttling of updates from Microsoft's servers can cause some updates to be downloaded but others to be postponed. In such instances, the notification icon may not appear as expected because Windows waits until all pending updates are downloaded before showing a notification icon.

Unfortunately, when a user shuts down an affected PC before all updates have downloaded, other updates may be installed with no opportunity to review and select them.

In this situation, the only way a user can review the updates before installing them is to cancel the shutdown, open Microsoft Update or Windows Update manually, and select View available updates in Vista or Custom in XP. (Note that in XP, this feature requires Windows Genuine Advantage, so if you want to keep WGA off your system, you must use a third-party update service, as described below.)

Microsoft calls this behavior a "feature," but as WS contributing editor Susan Bradley puts it, "This is a bug, sir."

Since the problem involves patch downloads, you'd think that people who select option 3 — notify but do not download or install — would be immune to the surprise installs. However, several readers who chose option 3 report that Windows updates were downloaded and installed automatically anyway. They consider themselves to be victims of forced updates, perhaps more so than users who downloaded everything (option 2) but received no notice prior to installation.

Forced updates can result in headaches

Last week's story struck a nerve with Windows Secrets readers. Scores of you wrote in to say that you had experienced the same issue, and not just on an extra-large Patch Tuesday such as June 9. According to dozens of Windows XP and Vista users, the problem has been happening for months. (See this week's Known Issues column for more reader comments on the bug.)

The overwhelming majority of readers I heard from report the exact behavior that Microsoft describes in KB 910340: when downloads are being throttled by the Redmond company, "The Automatic Updates icon does not display the status of downloads that are in progress."

That bland statement fails to adequately describe a flaw that has a profound impact on many Windows users. As many readers note from personal experience, updates can sometimes disable software or hardware on production systems. Hours of work can be required to restore these machines to full functionality. Even if every patch is wanted, the unexpected installation of updates without notice can surprise you precisely when you really need your PC to shut down or reboot in a hurry.

A handful of readers reported more disturbing Automatic Updates bugginess. The expected behavior is that Windows' shutdown icon and shutdown dialog box should show that updates will be installed when the system is powered down or rebooted. Seeing no such notice, many readers who had selected Automatic Updates' option 2 had no reason to think updates would be installed. After clicking the shutdown icon on the Start menu, however, these users found that updates were being installed unexpectedly.

Several readers who'd selected option 3 (notify but do not download) found updates being installed when they shut down their systems, with no notice that any patches were even available for download.

Some readers who had deselected one or more updates — indicating that these updates should not be applied — reported that Windows installed the updates at the next shutdown anyway.

Finally, many readers who selected a menu option to "shut down without installing updates" found that updates were installed despite their wishes.

(Some readers reported that they'd originally selected AU option 2 or 3, but their systems had somehow been changed to option 1 so AU would download and install updates automatically. This can be caused by such programs as Microsoft Live OneCare and Norton Internet Security, as described by WS contributing editor Scott Dunn on Oct. 25, 2007, and editorial director Brian Livingston on May 25, 2006.)

Microsoft isn't saying exactly what's going on

Last week's column stated that the large number of patches released on June 9 could have triggered the forced-update behavior. It's still not certain precisely why update notifications are failing to appear in Windows systems around the world. But this much is clear: the phenomenon has definitely occurred both before and after June 9.

One workaround to prevent surprise downloads was recommended last week: every time you plan to shut down or reboot a PC, first run Microsoft Update (a superset of Windows Update) and select each patch you wish to install or not install. This should download and apply whatever you selected, leaving no files to be installed without notice.
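
The pre-shutdown check described above can be scripted. The following is an added example, not part of the original article or any Microsoft tool: it reads the current Automatic Updates setting (which, as noted earlier, other software may have changed) and lists pending updates, flagging those already downloaded. It assumes PowerShell and the Windows Update Agent COM API are present; the function names are made up for this illustration, and the script only reads state.

```powershell
# Added example: read-only audit of Automatic Updates before shutting down.
# Uses the Windows Update Agent (WUA) COM objects; nothing is installed or changed.

# WUA NotificationLevel value -> option numbering used in this article.
$articleOption = @{
    1 = 'Option 4: Automatic Updates turned off'
    2 = 'Option 3: prompt before downloading or installing'
    3 = 'Option 2: download, but prompt before installing'
    4 = 'Option 1: download and install automatically'
}

function Get-AuSetting {
    # Hypothetical helper: reports the setting that is actually in effect.
    $au    = New-Object -ComObject Microsoft.Update.AutoUpdate
    $level = [int]$au.Settings.NotificationLevel
    if ($articleOption.ContainsKey($level)) { $articleOption[$level] }
    else { "Not configured (NotificationLevel $level)" }
}

function Get-PendingUpdate {
    # Hypothetical helper: lists updates that are not installed and not hidden.
    # Without -Online it uses the results cached by the last scan.
    param([switch]$Online)
    $session         = New-Object -ComObject Microsoft.Update.Session
    $searcher        = $session.CreateUpdateSearcher()
    $searcher.Online = [bool]$Online
    $found           = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $found.Updates | Select-Object `
        @{ Name = 'KB'; Expression = { @($_.KBArticleIDs) -join ',' } },
        IsDownloaded, Title
}

"Current setting: $(Get-AuSetting)"

$pending = @(Get-PendingUpdate)
$staged  = @($pending | Where-Object { $_.IsDownloaded })

# Downloaded updates are listed first: these are the ones to review.
$pending | Sort-Object IsDownloaded -Descending | Format-Table -AutoSize

if ($staged.Count -gt 0) {
    Write-Warning ("{0} update(s) already downloaded. Review them in Microsoft Update before shutting down." -f $staged.Count)
}
```

Pass `-Online` to `Get-PendingUpdate` to query the update server instead of the local cache.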

Some Windows users, however, must protect their machines against any changes until each new patch has been researched for side effects. These extra-cautious users are disabling Automatic Updates entirely and then running Microsoft Update or a third-party update service manually, as often as needed.

Disabling AU causes an irritating red warning to be displayed repeatedly. If shutting off AU appeals to you, the right way to implement it (and avoid the constant nagging) is as follows:
  • Step 1: Disable Automatic Updates. In XP, open the Automatic Updates Control Panel applet and select Turn off Automatic Updates. In Vista, open the Windows Update Control Panel applet, choose Change settings in the left pane, and select Never check for updates (not recommended).

  • Step 2: Turn off the red warning. Open the Security Center Control Panel applet, click Change the way Security Center alerts me, and choose Don't notify me and don't display the icon (not recommended).

  • Step 3: Check for updates manually. Run Microsoft Update or an independent update service at least once a month (preferably just after reading the analysis that Windows Secrets publishes two days after every Patch Tuesday). Third-party update tools such as the Secunia Personal Software Inspector and the Shavlik Google Patch Gadget can identify critical updates that both Windows and your major applications require.

Corporate IT administrators can avoid forced updates by using Microsoft's WSUS (Windows Server Update Services) or a competing server-level patch-management program. Such services allow admins to centrally control the deployment of patches, bypassing Automatic Updates entirely.

See the Windows Secrets Security Baseline and Susan Bradley's May 28 Top Story for more on third-party Windows update services.

Although the precise workings of the bug are still unclear, it's obvious that AU is downloading and installing some updates without the required notification. It's been reported to me that, in rare instances, even manually running a download tool before a shutdown failed to prevent an unwanted update from being installed.
