The Promise--And Problems--Of The New Windows Update

TechWeb - InformationWeek ^ | July 12, 2004 | Fred Langa

[Eagle9]

XP and Windows 2000 users soon will get a new version of Windows Update. Here's the full story, and remember, this is beta software, so be careful, Fred Langa says.

A new version of Windows Update is about to debut. It first appeared as part of the prerelease versions of Service Pack 2 for XP, which is still in beta as of this writing. But the Update software was separately released on its own in a free public beta about two weeks ago. The new Update process (comprising the software that resides on your PC and a new Update site that coordinates with that software) has different defaults and behaves differently from the Update you're probably used to: I suggest you read all the way through this article before deciding whether or not to try the beta on your system.

(click image for larger view)
Screen One The new Update site sports a fresh look and requires installation of a new Update applet.

But beta or not, one way or another, you're going to have to deal with these changes to Windows Update. In the next weeks or months, the final form of this software will be offered to you either as a normal Windows Update for XP and Windows 2000 or as part of the final released SP2 for XP. Once the software is complete and out of beta, Microsoft will work hard to get you to use it, so it's worth the time to learn about it now. Let's take a look:

When you click to the new Update site from Windows XP or 2000, you'll immediately notice that Update looks different. (See Screen One.)

	(click image for larger view)
	Screen Two The new Update site and software may initially require several steps to get set up fully, but the process is straightforward and reasonably well-explained.

When the Update site loads, you'll see a new site layout and graphic design, and you'll be offered a download of the new Update applet, which is mandatory if you wish to use the new site and features.

By the way, the new Update site and process is, at least for now, only for Windows XP and 2000. If you access the new Update site from Windows ME or 98, nothing happens; those versions of Windows revert to the current (old) Update software and site.

But XP and Win2K bring you to the new site. Your initial access to the new site may require several incremental downloads to install the new Update applet and then to install a catalog of available updates. (See Screen Two.)

(click image for larger view)
Screen Three The new Update offers you two major subchoices: Express or Custom installation of updates, giving you either a highly automated or a more manual approach to managing updates for your PC.

Once the new Update software is fully installed and running, you'll reach your first decision point: You must choose between Express and Custom installs for the updates you'll be downloading. The Express Install searches for and installs only "High Priority" updates, roughly analogous to what used to be called "Critical Updates." The Custom Install gives you more flexibility and potentially offers you more Updates: Not only the High Priority updates, as above, but also "Optional Updates," roughly analogous to the "Recommended Updates" in the old Update process. (See Screen Three.)

Note the "Automatic Update" panel in Screen Three. The new Update software defaults to full automatic mode: With no user input required, the software will detect, download, and install whatever updates it deems appropriate for your PC. This setting is convenient for some but can cause problems for others. We'll explore this more fully in a short while.

Unlike the old (current) Windows Update, which tends to be terse and fairly uninformative about the updates it offers, the new Update is far more friendly and open, with plain-English explanations of what the updates are and what they do. (See Screen Four.) And if the explanatory text is still insufficient, a "Details" pull-down provides additional information. (See Screen Five.)

(click image for larger view)				(click image for larger view)
Screen Four The new Update tries to explain the benefits of any available downloads more clearly than the classic Update does...				Screen Five ... with fuller, more technical explanations, including links to relevant Knowledgebase files, available via a "Details" pull-down.

Select An Update Mode

The actual update process hasn't changed much from that of the classic Update, although the appearance of the dialog boxes has been freshened. (See Screen Six and Seven.)

As we mentioned previously, the new Update process is quite conservative: Its default settings assume that everyone will want all "High Priority" (aka "Critical") updates to be downloaded and installed as soon as they're available, with no user input, intervention, or vetting.

(click image for larger view)				(click image for larger view)
Screen Six The new Update installation dialogs function much the same as those in the classic Update process...				Screen Seven ...... but the dialogs have been visually updated to match the look of the new Update site.

This may indeed be a good default choice for "average" users, as many of them never download or install any updates at all! (Witness the many worms in the last year or so that exploited Windows security holes that had been detected and fully patched before the worms were released: The worms succeeded solely because tens of millions of PCs had not been updated, and thus remained vulnerable.)

But odds are, if you're reading this text, you're not exactly an average user, and the default settings may not be ideal for you. That's because, sometimes, security patches introduce new problems or create new instabilities and conflicts. It's been fairly common practice among more experienced users to delay installing security patches for at least several days, so that any unexpected problems with the patch could come to light. In other words, let other users be the guinea pigs for new updates and patches!

Although the new Update defaults to "install everything automatically as soon as it's available," you can fairly easily tame it and thus remain in control of when and how updates will be detected, downloaded, and installed, as Screen Eight shows.

	(click image for larger view)
	Screen Eight The Automatic Update dialog shown here, plus the Settings and Administrator Options in the left-hand navigation bar of the main Update window, provide welcome flexibility in controlling what updates will be detected, downloaded, and installed on your PC.

The Automatic Update agent itself has four modes: It can operate in the default fully automated mode; it can detect and download new update items but not install them until you've given your explicit permission; it can merely inform you of new updates without actually downloading or installing anything; or it can be turned off completely.

Any of the options except the fully automatic one are fine for security-conscious users: These options put you in charge of what gets loaded onto your PC; you can postpone installation of new updates until you're reasonably sure the software is stable and worthwhile. But for casual users, the "set and forget" default mode is probably safer.

You can adjust the Automatic Update Agent settings at any time by clicking on "Pick a time to install updates" in the Automatic Update information panel that appears on the upper right portion of the main Update window. (See Screen Three.) Once the time-setting dialog opens, click on the "More Options" button and you'll then see the full, four-option Automatic Update dialog, as shown in Screen Eight. You also can reach the same dialog by clicking on the "Configure Automatic Updates" link that may appear at the end of an update, as shown in Screen Seven. As is usual with Windows, there are multiple ways to accomplish any given task, and the one that's "right" is whatever works for you.

The Update site itself also offers some additional customizations and controls: The "Settings" option lets you pick.

 

 

Beta Means Unfinished

The new Update seems promising, but there are a couple of caveats:

First, although everything ran smoothly on the six systems I tried it on, this is beta--which is to say, unfinished--software. There almost surely are bugs, and the software may change in major ways before final release. It's always wise to prepare for the worst with any beta software: Don't install it on any machine unless you have a full, current, and bulletproof means of rolling the system back to the way it was before you installed the beta. (For an example, see this article.)

Second, if you do install this beta, take a moment to adjust the Automatic Update agent, as described above, or you may find yourself getting more than you bargained for. For example, if you use XP, and if you accept the default for full automatic installation, then you may find yourself unexpectedly test-driving not just the new Update, but also the huge, potentially problematic beta version of XP's Service Pack 2, which is one of the updates available through the new Update agent. (We'll cover SP2 in future articles, closer to its release date.) To prevent this kind of surprise, turn off or restrict Automatic Updates so that, at the very least, you get to approve which updates are allowed to install on your PC.

Finally, whether or not you try the beta, this new Update (or something very much like it) is almost certainly in your future. You may wish to bookmark this article or otherwise make note of it so you can return here at the appropriate time to refresh yourself on the options the new Update offers.

But for now, please join the discussion: Have you tried the new Update? What has your experience been? Has any of your installed software been broken or adversely affected by the Update Agent or the "sniffing" routines used by the agent to detect and catalog what's on a PC? Have you found instances where Update suggested inappropriate software or failed to report necessary updates? Please share your knowledge by joining in the discussion!

---

To discuss this column with other readers, please visit Fred Langa's forum on the Listening Post.

To find out more about Fred Langa, please visit his page on the Listening Post.

[Glenn]

Service Packs are major updates

Good evening, my uber-deluded nemisis.

Still spouting the corporate line, I see.

[HipShot]

Why would you not patch your systems? That's irresponsible.

All my servers and workstations stay patched. You should do the same.

[HAL9000]

Service Packs are major updates

They're not "major" enough to charge money for. And XP SP2 is pathetically late.

[js1138]

All my servers and workstations stay patched. You should do the same.

The world of servers is a bit different from the world of PCs. If you are behind a reliable firewall you patch only if your application will benefit from it. Lots of servers run only one application.

[HipShot]

That may be true for windows boxes, but there is no reason to ignore patching a linux box. There is not the risk of breakage that exists with windows patches.

[js1138]

No large corporation installs patches simply because they're available. Lots of patches are of no consequense whatsoever, and don't justify the risk of downtime.

I live in an SBS world and my servers are naked to the world. I install all updates, but not the first day they're out.

[HipShot]

That depends on the vulnerability. If it's remote and relevant to what the box does, it's patched ASAP.

[js1138]

If it's remote and relevant to what the box does, it's patched ASAP.

I never said anything counter to that. But if you have a server running a database, and it runs nothing else, and it is behind a firewall, there's no sense bringing it down for a security patch that doesn't apply to its function. It the patch is required for database security, then yes.

[Musket]

My last 2 attemps at Windows Update failed. The first one(about a week and a half ago)took about 2 hours to install and then hung on a full progress bar. The latest attempt(this evening) after waiting a couple minutes for a 6 meg download, then waiting 3 or 4 hours for installation, hung on a full progress bar. I had to force quit them both.

I don't know what to do with this crap anymore.

[TheEngineer]

Still spouting the corporate line, I see.

Microsoft's free update service is the envy of the open source and mac communities. Call it a corporate line if you want, but that doesn't change the fact that I've received every update for Win2000 since Feb 2000, major and minor, free of charge. (I'm running Win2000 service pack 4.) They promise updates for 7 years on their operating systems, and thus far have delivered.

In contrast, Mac charges for major updates. Red Hat only offered support on any given distribution for one year. After that, they force you to upgrade to the next version. And that's even for their paying customers, like me. Of course, we know how they dumped their desktop line OS altogether, leaving many left in the lurch. How's that

[Bush2000]

Why would you not patch your systems? That's irresponsible. All my servers and workstations stay patched. You should do the same.

You misunderstood. Just because a patch is issued doesn't mean that people are going to patch their machines immediately. Many people will remain vulnerable because either they're ignorant, don't care, or deliberately avoid patching.

[HipShot]

My apologies; I misunderstood your intent.

[Bush2000]

They're not "major" enough to charge money for. And XP SP2 is pathetically late.

HAL, apparently you haven't looked at what's being included in SP2 -- because it certainly is a major update. You're just a little sensitive because every time Jobs pulls your leash and demands a few bucks, you have to ante up. I can understand why you'd be sensitive. I wouldn't want to pay for updates, either.

[HAL9000]

HAL, apparently you haven't looked at what's being included in SP2 -- because it certainly is a major update.

It adds a popup blocker for the web browser - years after the competition. That's what passes for a "major update" in the Windows world?

Even after SP2, Windows will continue to be a second-rate operating system.

[Bush2000]

There is not the risk of breakage that exists with windows patches.

Developers introduce unintentional and/or incidental regressions (aka bugs that break previously working functionality) all the time. Consequently, a decision to patch isn't based merely upon whether the patch is available and whether it can be installed with other components. Regression of functionality has to be a major consideration.

[mhking]

I've had the public beta for more than three weeks now with no problems.

I do like that IE blocks popups now, but for most of my work, I use Firefox.

[Bush2000]

It adds a popup blocker for the web browser - years after the competition. That's what passes for a "major update" in the Windows world?

There's no polite way to say this, so let's get this out of the way up front: You're ignorant. You simply don't know what you're talking about.

Windows XP SP2

[HipShot]

That's specific to your situation, and should be treated as such each and every time.

I got caught twice on a mail server with updates that broke functionality. In one case, a clamav update required a larger allocation of resources for threading, but it wasn't mentioned. As clamav didn't return an error code to qmail-scanner, all mail was delivered, infected or not.

On the other occasion, the perl suid "fix" required a minor change to my inbound and outbound qmail-scanner scripts, which actually delayed mail for awhile.

Patches can be a nightmare, but even so I'd much rather deal with undocumented issues than expose my doze users.

[avg_freeper]

One of those exploits namely the "apache - buffer overflow" might very well effect your mac. It is best to stay informed regardless of what brand of computer you use.

[HAL9000]

Windows XP SP2

I've seen the list. It's a yawner - except for the NX support. That is the most interesting technical development.