A couple weeks back, Windows expert Scott Dunn warned that the repair feature in Windows XP was knocked out of alignment when Microsoft silently deployed a batch of new support files for Windows Update (WU) in July and August. As a result, those who rely on XP’s repair function were unable to install 80 Microsoft patches.
It appears Microsoft’s Automatic Update services continue to do things without the permission of IT administrators, some of whom are venting about it in the blogosphere.
The latest report of auto update trouble comes from Dunn, associate editor of the Windows Secrets newsletter. In a new article on the Windows Secrets Web site, he reveals that installing Windows Live OneCare changes the settings of Automatic Updates without notifying users.
And so, he writes, “Windows has been mysteriously installing patches and rebooting itself, even though users had completely shut down the Automatic Updates function.”
Nate Clinton, a program manager with Microsoft’s product update team, denied in a recent blog entry that its software is to blame for the updates and reboots. “I want to stress that the Windows Update client does not change AU settings without user’s consent,” he wrote.
However, he continued, AU settings can be set or changed in the following scenarios:
– During the installation of Windows Vista, the user chooses one of the first two recommended options in the “Out of Box Experience” and elects to get updates automatically from Windows.
– The user goes to the Windows Update Control Panel and changes the AU setting manually.
– The user goes to Security Center in Windows Vista and changes the AU setting.
– The user chooses to opt in to Microsoft Update from the Microsoft Update Web site.
– The user chooses to opt in to Microsoft Update during the installation or the first run experience of another Microsoft application such as Office 2007.
Dunn did his own research and reported the following:
“My finding is that Windows Live OneCare silently changes the AU settings,” he wrote. “This explains at least some of the complaints that have been reported so far. Users could have installed OneCare — even a free-trial version — at any time in the recent past and been unaware of any changes until Automatic Updates forced a reboot in the wee hours.”
In repeated tests on Windows XP and Vista, Dunn said, he installed Windows Live OneCare and found that in every case, OneCare changed a machine’s Automatic Updates settings to fully automatic.
“It did so even when Automatic Updates had been completely disabled,” he wrote. “In Windows XP, this state is known as ‘Turn off Automatic Updates.’ In Vista, it’s called ‘Never check for updates.’ In no case did the OneCare installer give any indication that a machine’s Automatic Updates settings would be changed. Worse, OneCare silently enables Windows services that had been carefully disabled using Microsoft’s own configuration utilities.”
Clinton’s assertion that the troubles are user-initiated doesn’t sit well with some bloggers, including a writer in The GTA Patriot blog.
“Microsoft says users just don’t realize that their machines are set to update,” the blogger wrote. “They think users are to blame! Is Microsoft completely incompetent or are they lying?”
For admins looking for a way out of the current problem, Dunn offers some guidance:
“If you wish to use OneCare but you want updates to be installed only when you’re first notified, the only workaround is to install the program and then change Automatic Updates back to your preferred settings,” he says. “If you install OneCare when Windows is not likely to phone home, you should be able to change AU before any updates are automatically installed. (Installing OneCare at any time other than 3 a.m. should do the trick.)”
After OneCare is installed, Dunn says it doesn’t change the user’s Automatic Updates settings again, but it does peg the disabled Automatic Updates as an “urgent” matter in need of addressing. “In this situation,” Dunn says, “the OneCare icon in the taskbar tray turns a bright shade of red, which you may find annoying.”
He said an alternative workaround is to buy and use security software other than Microsoft’s.
While XP is affected by the trouble, this is also another complication for those trying to get their arms around Windows Vista. In my ongoing series on Vista deployment pain points, a recurring theme has been the compatibility issues suffered by those trying to deploy the OS en masse. But most of the trouble has involved Vista clashing with third-party products, including some security tools.
It’s ironic that in this case, the solution is to ditch Microsoft’s own security program in favor of third-party products.
Dunn does offer some helpful examples of security software admins can turn to.
He says he installed Symantec’s Norton 360 and Norton Internet Security, McAfee Internet Security Suite and the ZoneAlarm Internet Security Suite.
“The McAfee product and both of the two Norton products flagged Automatic Updates as a security problem if it was disabled, and provided ways to turn it back on, but none of them changed the setting,” he says. “The ZoneAlarm suite did not note a disabled copy of AU as a problem, nor did it change the setting. For now, it appears OneCare is the only security package changing users’ preferences without warning.”
Until Microsoft comes up with a better arrangement, avoiding OneCare appears to be the best bet.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at firstname.lastname@example.org.