How fast does Windows Update update?

Watch for our new logo

By Brian Livingston

Our newsletter and Web site will sport a new logo, shown above, beginning with our next regular issue on Sept. 14.

We wanted to surprise you, but we figured we’d better give you some warning. We didn’t want you to open your e-mail next month and think unknown people were sending you some new, weird newsletter. Nope, it’s just the same old weird newsletter.

By the way, you can always tell when a message really is from us. Every newsletter and every news update will always contain your reader number near the top and/or the bottom. Spammers couldn’t possibly know your number, so this assures you that messages from us are genuine.

Our current logo, with the happy computer users and their dancing PC, will be retired. That design was created when Woody’s Windows Watch merged with Brian’s Buzz on Windows on July 8, 2004, to create the Windows Secrets Newsletter. That design was intended to be temporary, but you know how easily temporary solutions become permanent.

We hope you like our new logo but, if not, don’t worry — we’ll probably have another one a year or two from now!

PC World debates on live radio

The Computer America radio program has arranged for two PC World editors to appear with me to debate my Aug. 10 article. I said in that story that PC World chose not to test security suites on their “behavior blocking,” an important new protective technique, because most suites don’t yet have it.

PC World editor-in-chief Harry McCracken and senior associate editor Narasu Rebbapragada have agreed to be on the program with me on Aug. 28, according to co-host Carey Holzman.

Computer America is broadcast every weeknight on hundreds of local stations in North America and several other countries. For those who aren’t in range of a participating station, anyone with an Internet connection and Windows Media Player can listen to the program live.

The show airs at the following time and date:

PC World and Brian Livingston—
Mon., Aug. 28, 10 pm Eastern/7 pm Pacific

To determine which U.S. stations carry Computer America, use the ZIP Code Search Page at the Business Talk Radio Network.

If you find a network-participating station near you, check that it does broadcast Computer America at the scheduled time. To do this, tune in at 10 pm Eastern/7 pm Pacific on Aug. 24 or 25 to see whether Computer America is coming through.

Whether or not there’s a broadcast station near you, you can listen to Computer America’s live signal. Visit the show’s Web page and use its “Listen to the Streaming Audio” link. The feed requires Windows Media Player. (Free upgrades are at Microsoft’s download page.) If you’ve never streamed Internet radio via your browser before, test your player at the scheduled time one or two nights before the show.

Windows Secrets News Update

Issue 81a

2006.08.24

Contents

INTRODUCTION
Watch for our new logo
PC World debates on live radio
News updates have no paid version

TOP STORY
How fast does Windows Update update?
How to monitor auto-update’s speed
MS06-042 re-released for IE6 problem
MS06-051 can’t find personal files

WACKY WEB WEEK
Be careful what you discover

ABOUT YOUR SUBSCRIPTION
Your address and preferences

Newsletter Control Panel
Windows Secrets home page
How to subscribe
Change your delivery address
Change your preferences
Access past free issues
Access past paid issues
Search for info (WinFind)
Submit a Windows tip
Get subscription help
How to unsubscribe

Circulation: over 140,000

How fast does Windows Update update?

By Brian Livingston Readers have asked me, “How quickly is my computer protected after Patch Tuesday, if I have auto-updates turned on?” The question arises because most of the patches that Microsoft posted on Aug. 8 took a lot longer than usual to download. It appears that Windows Update, when configured to download and install patches automatically, didn’t start downloading most patches until three days after Patch Tuesday. Some PCs didn’t auto-install all of the security patches until nine days had passed.

How to monitor auto-update’s speed

I asked for an opinion on this from Shavlik Technologies, the maker of what is currently the top-rated independent patch-management software, NetChk Protect. (This product, which has a one-year free trial version, is listed in the Security Baseline section of the Aug. 10 newsletter.)

Shavlik’s Eric Schultze and Jace Mclean told me Microsoft had given its MS06-040 patch a higher priority than the other patches. This caused Automatic Updates to ignore the other patches until a later check-in date, which was more than a week later in some cases:

• “We found several machines that run auto-update that we were able to review log files. (Most of our employees use Shavlik at home, so it’s tough to find machines that run AU — but several of our folks run AU on different machines for comparative purposes.)

  “The windowsupdate.log file can provide the forensics for this issue.

  “It looks like Microsoft gave the 06-040 patch a priority of ‘3’, which is more important than priority ‘2,’ which was assigned to all the other patch-day patches.

  “The priority 3 patch (06-040) was downloaded on our systems on Tues., Aug. 8.

  “As of Aug. 12, AU still wasn’t downloading the other patches. The log file shows this message:

  ” ‘Update is not allowed to download due to regulation.’

  “By Aug. 13, AU finally downloaded the patches for this system.

  “Other systems we looked at downloaded the patches even later — as late as Aug. 17, when it finally downloaded the other patches on one of our systems.

  “We are guessing that perhaps the ability to download the other patches is mitigated by the overall available bandwidth at the Microsoft server at the time of the download request. Some machines may have received the patches a few days earlier than others because these machines had a random check-in time that was during a lull on that particular server. However, we’re not able to find any machines where these patches were downloaded before Aug. 11 (three days after release).”

Adrian Stone confirmed on the Microsoft Security Response Center blog on Aug. 15 that the company was throttling the other patches in order to get the most serious one out the door first:

• “Prioritizing of the updates is done taking into account the threats identified with each individual release. As we have seen and has been identified by others the threat presented by the vulnerability addressed in MS06-040 prompted us to do everything possible to ensure that customers received the update with the highest possible priority. The is a normal behavior and if you have not seen the rest of this months updates yet on your computer rest assured they are coming and this is perfectly normal.”

In my opinion, it’s understandable that Microsoft would want MS06-040 to be installed on as many people’s PCs as possible before downloading any other patches. The security hole that’s corrected by MS06-040 threatened an Internet-wide, MSBLAST-like remote attack that would work even on XP Service Pack 2 with all previous patches in place. No company’s servers can have infinite bandwidth, and there are hundreds of millions of Windows users worldwide that must download patch files from Microsoft every month.

Having said that, the amount of time it took the average PC to get the August patches shows that Automatic Updates isn’t the best way to protect yourself if you want the latest patches as soon as possible.

I continue to recommend that complete novices, who have no knowledge of Windows, should leave Automatic Updates turned on and hope for the best. But more experienced Windows users should install a third-party patch-management program, which can install patches for many companies’ products, not just Microsoft Windows. At present, Shavlik holds the top ratings for patch management, but if another company wins more Editors’ Choice awards, I’ll change the Security Baseline to reflect that fact.

If you don’t have a third-party patch-management tool, but you’ve decided that you want all the security patches right away, you can run Windows Update or Microsoft Update (which also updates Microsoft Office) manually. Susan Bradley, contributing editor of Windows Secrets, says, “If you run MU/WU, you ‘jump ahead’ of the line and can get all patches.” Susan’s column in the paid version of our Aug. 10 newsletter had warned that installing MS06-040 was this month’s “top priority.”

(If you upgrade to the paid newsletter today, you’ll immediately be sent the paid Aug. 10 issue as well as our next 12 months of paid content. How to upgrade)

Because hackers usually require several weeks to reverse-engineer Microsoft’s patch announcements and distribute their exploits, you do have a bit of time before the latest patches must be installed. We bust our buns here at Windows Secrets to bring you a newsletter only two days after every Patch Tuesday, explaining any negative side-effects and how you can work around them. This means you can read our analysis that Thursday and know what to install on Friday, Saturday, or however soon you choose to patch.

Since Microsoft’s own Automatic Updates routine didn’t start installing most patches until the Friday after Patch Tuesday, we continue to feel that our read-before-installing philosophy is sound. We hope you agree.

MS06-042 re-released for IE6 problem

Among other problems that Microsoft has had with its August patches, the cumulative security rollup for Internet Explorer 6 (MS06-042/918899) had to be re-released today. The original patch caused IE 6 to crash when viewing a Web site that uses data compression (a common technique described as HTTP 1.1).

Even worse, the original MS06-042 opened up a new security flaw that affects Windows 2000 and XP Service Pack 1, according to Robert Lemos in a Security Focus post on Aug. 22. About 23% of the 270 million systems recently scanned by Microsoft’s malicious software removal tool are running those two OS versions, Lemos points out.

To protect against the attacks that are closed by both the original patch and the new patch, all Windows users should install the new patch (whether or not you use IE to visit Web sites). For information on the new patch, see security bulletin MS06-042. However, there are several negative side-effects of installing MS06-042, so you should first read Knowledge Base article 918899.

If the problems with MS06-042 make you decide not to install it, you can work around the crash problem by turning off HTTP 1.1, as described in KB 923762. This completely prevents IE 6 from rendering sites that require HTTP 1.1. But many such sites simply offer data compression as an option, not a requirement. As an alternative, you can request a hotfix from Microsoft, as described in the KB article.

MS06-051 can’t find personal files

Several people have reported that installing MS06-051 (917422), another August patch, prevents Windows 2000 Terminal Services from finding files in users’ personal directories. After the patch is installed, Windows is hard-coded to look only in c:winnt.

This problem is described in a Microsoft discussion group and at Citrix, which has one of the applications that’s affected by the bug.

One poster reported that Microsoft would release a hotfix for the issue. As of today, however, I see no notice of this in Microsoft security bulletin MS06-051 or Knowledge Base article 917422.

We’ll have more on the above problems in the next regular issue of the newsletter on Sept. 14.

To send us more information about these issues, or to send us a tip on any other subject, visit our contact page. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.

Be careful what you discover

In a hilarious film short, a prisoner makes a surprising discovery — one that may turn out to be life-changing.

The clip is, of all things, from a Swedish insurance company, but you’d never know it until the twist ending. It’s hosted by VeryFunnyAds.com, a service of TBS. Watch the video