September 15, 2007 at 8:40 am
One of the fundamental rules of a stable, controlled production system is that you apply updates singly, after they've been tested, and you document the change. This way you can ensure that if a problem occurs, you can do some backtracking to see what might have caused instability.
So when I saw this piece about stealth updates, and a related opinion piece, I was stunned.
As much as I like many of the people at Microsoft, this is the type of arrogance and "we're smarter than you" attitude that needs to be stopped. And this alone, this one thing, would make me support some regulation of Windows as an OS by the government. Make some bureaucrat sign off on all patches.
I don't care if these are the best, most stable, secure, well written patches ever built anywhere. DO NOT UPDATE MY PC without my knowledge. It's a family show, so I've removed the four letter bombs that originally decorated this editorial.
Now I know most people use automatic updates, and that's ok. For the average user, this might cause some issues, but it's acceptable if they choose to use automatic updates. But if they don't, then don't force anything on them. If anyone's doing the forcing, it should be a government, and I don't even like that.
There's a blog entry from Microsoft PM Nate Clinton that attempts to explain things. It does an ok job of explaining that the "stealth" install doesn't happen if automatic updates aren't installed. It says that it does stealthily install if you download, but ask to be notified. Why?
According to Mr. Clinton (not the ex-President, but an answer worthy of the same), "The answer is simple."
You can read his explanation, but basically he says that users would think they were being updated, but they wouldn't be able to because the client wasn't updated.
Huh?
You notice they didn't have any trouble telling you that without WGA you wouldn't be patched. What a load. You messed up (substitute your own four letter word here).
I have to think this violates the Sarbanes-Oxley laws for companies and they should be complaining. Every single patch or change to a financial system, which are Windows based in many cases, needs to be tracked and noted. Microsoft can't be making changes to any desktops or servers without an administrator for a company agreeing to the change.
And those days of patches causing problems? They're not gone. Think about the Skype outage recently. I know one of my main SQLServerCentral.com programs, the one that loads articles, has changed behavior twice in the last few months. It's a simple .NET app and it started acting differently a little over a month ago, with dialogs not coming to the front of the screen. That wasn't a big deal, but after the latest patches, it won't even run anymore.
Now that's not something I was looking forward to dealing with.
For an interesting look on this release, read about Microsoft's PR blogging.
Daylight savings time will be late this year, not moving until Nov 4. So if you haven't updated your machines and did the manual switch (twice), then get ready to do it again (twice). Instead of Oct 28, it will be Nov 4 this year.
If you are worried, Microsoft is working on some tools that you have to apply yourself. No stealth changes here.
Steve Jones
Steve's Pick of the Week: This was tough with the stealth updates, but I decided on this link from Paul Randal. He's now at SQLskills after leaving Microsoft and posting again. This one is definitely worth the read.
September 17, 2007 at 1:37 am
Steve, thank you for this article, it explains why I also saw an update happen yet hadn't Ok'd it. It went on the "investigate when there's time" list as I just assumed I'd altered the setting somehow without remembering. Maybe I'm not so crazy after all!!
I agree it is completely wrong and a violation of our rights - for all we know they could be putting anything on our pc from illegal pornography to trojans and viruses. It would only take one disgruntled employee to tweak the outgoing software.......
September 17, 2007 at 7:03 am
Adding government to the mix almost never makes a bad situation better. A free market is a much better solution to the problem. Microsoft will not do things that will lose money.
Scott
September 17, 2007 at 10:55 am
Sony was persecuted and prosecuted for stealth Rootkits.
Shouldn't M$ for stealth installs?
September 17, 2007 at 2:41 pm
Thanks, Steve! I was going to download the last set of updates on my home p.c. but wanted to wait until I found out if they were safe so as not to incur the wrath from the rest of the family. Lo and behold, when I finally clicked the annoying yellow update reminder, all that was there to download was the "software assurance" dog doo-doo that I keep saying no to.
Thankfully, what they downloaded for me didn't break anything. But geez, last time I checked, my brain was still working...
September 19, 2007 at 2:49 am
As both a customer and a programmer, I'm of the opinion that programs should NEVER do anything like this WITHOUT telling the end-user - even if it's a "currently installing 'xyz' on your PC" message that they can't cancel. For they WILL find out, (as this thing with MS illustrates), and most will turn against that company.
[Luckily for MS, it's very hard for most users to move away from them].
I'm just grateful that it was just a system update this time, not like the Sony rootkit of old.
September 19, 2007 at 7:20 pm
This could, however, lead to a rootkit. If MS can do it, why not someone else?
I'm surprised there isn't more outcry on this.
January 25, 2008 at 9:11 am
I'm not sure that I agree with all the frustration over this. Ultimately MS could have and should have done a better job letting their customers know that IF they are going to use WUS in any fashion that the WUS application would automatically update without their knowledge. However, to consider this such a violation of privacy seems to me to be a pretty far stretch. I can't say for sure but I believe some of the virus software engines will automatically update the engine as well as their detection files and no one really seems to have a problem with this. Seriously, when was the last time that someone monitored exactly what McAfee is updating every time they update their detection files?
As I stated earlier, I believe MS should have communicated this better but to raise it to the level of being a "root kit" or calling this Malware, I just don't see. Wondering if this isn't just some of the MS witch hunts finding something more to tie to the stake and burn.
David
@SQLTentmaker
“He is no fool who gives what he cannot keep to gain that which he cannot lose” - Jim Elliot