Windows Auto Update Continues To Aggravate
The Windows Automatic Update might be a patch management and change control issue, observers say.
- By Jabulani Leffall
- October 19, 2007
The Windows Automatic Update brouhaha that arose last month and erupted again this week is not so much a problem with the program itself but perhaps a patch management and change control issue, observers say.
"This is really a cue, if you're an admin, to look at control over configurations of AU as well as user access rights," said Gil Kirkpatrick, chief technical officer of Phoenix, Ariz.-based NetPro, a Windows security and infrastructure consultancy,"It appears that if this is something that happened to specific users, it should have been audited beforehand or known beforehand."
The controversy has its roots in complaints from a recent discussion thread on AeroXperience.com -- a Windows enthusiast portal -- where it was revealed that some users had configured Windows Update to download but not install updates. These users discovered that their machines had rebooted overnight after installing updates automatically, causing some to lose critical application data. Further, the users reported that the Windows Update configuration had somehow reverted to the "install automatically" setting.
Microsoft this week denied any wrongdoing, stating in a blog entry that a detailed inspection of customer logs found that none of the patches doled out during this month's Patch Tuesday release"have made any changes to users' AU settings."
That wasn't the case last month, as Redmond conceded that it had silently updated the Windows Update apparatus in various OS versions without alerting customers.
As for this week's events, Microsoft suggested that components outside of Windows Update may be responsible for the changes, which is puzzling to some since Microsoft has just about corned the market in terms update programs for a Windows environment. In August, Microsoft's legal department even went so far as to contact independent vendors such as AutoPatcher.com and order them to stop developing mechanisms to help in updating Windows programs and applications.
"In this week's case it may very well be a foreign application that's causing this but to say Microsoft's absolutely not at fault would be simplistic," said Gerret Grajeck, founder and chief operating officer of Irvine, Calif.-based IT security firm Multi-Factor Authentication, Inc."The AU has a great impact about how programs on the OS are allowed to run and I'm concerned not just for my customers but about how my product might be affected by such unwanted updates."
Overall, servers running Windows in a complex processing environment might find it more expedient to use AU, but as Net Pro's Kirkpatrick points out, regardless of what Microsoft finds in subsequent investigations about AU, IT pros on the ground need to be thorough.
Grajek agreed, noting that enterprises usually take special precautions with update verifications during gestation periods for new programs and applications at the server level. He suggests that maybe it's time to go deeper and apply the same approach with OSes, hardware and workstations.
"When you look at companies that do regression testing at the server level, you kind of think that enterprises may need to look at how to do the same thing on the client side," Grajek said."This would put that extra assurance in place and prevent something like this from happening."
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.