Thursday, June 25, 2009

Windows may install updates without asking

By Scott Spanbauer

Windows XP and Vista have started installing updates at shutdown, in certain cases, without displaying a warning or requesting permission, according to reports by several readers.

The forced-install behavior has been witnessed at least three times by Windows Secrets editors, but Microsoft says its procedure for Automatic Updates hasn't changed in the last 10 months.

The behavior seems to occur only if a Windows user has Automatic Updates configured to "download updates but don't install them" or "notify me but don't install them." If updates are scheduled to occur automatically, with no notice to users, the silent installation of updates would be expected.

Most Windows patches are desirable and have few unwanted side effects. A few updates, however, are known to disable or conflict with other software. For this reason, many individuals and companies require that all upgrades be researched or tested before anything is installed.

Numerous conflicts have caused users to take a cautious approach to updates. For example, WS contributing editor Susan Bradley reported in her July 10, 2008, column (paid content) that Microsoft patch MS08-037 completely disabled the Internet connection of machines that use the ZoneAlarm firewall. Many users can't afford this kind of interruption of service and prefer to study each update before approving its installation.

Delaying the acceptance of Windows patches allows you to gauge the risk of each individual update. It buys you time to read — in Susan's articles, for example — about any problems that early adopters have reported with specific patches.

The forced-install behavior, in which Windows applies updates at shutdown time without requesting approval, is a concern to people who need to control the patch process. Normally, configuring Automatic Updates not to install patches without approval causes Windows to merely check for updates rated "Important" or "Recommended" whenever the computer is connected to the Internet (optionally downloading the patches for later installation).

Once Windows determines that patches are available, the operating system normally displays an icon in the taskbar's notification area, alerting you that updates are awaiting your review and approval. (The icon is yellow in XP, blue in Vista, as shown in Figure 1.) When the forced-install situation occurs, however, this icon never appears and users receive no prompt that updates are queued for installation.

[Image: updates-available icon]
Figure 1. Notifications to users, including Windows' new-updates icon (at left in this image), fail to appear if a forced-update situation has occurred.

Worst of all, when a user initiates a shut-down or reboot process in this situation, all pending updates are installed immediately, ignoring the user's "don't install" setting.

Why 'surprise installs' may recently have begun

One theory to explain the forced installs is that the large number of patches Microsoft released on June 9 overwhelmed the Redmond company's download servers. Ten separate security bulletins, some including numerous versions of patches, were announced that day — an unusually high number.

The extra demand may have caused some downloads to be incomplete. Incomplete downloads are known to disable the notification icon and possibly the approval dialog that's supposed to appear during shutdown.

Microsoft described in Knowledge Base article 910340 on Dec. 5, 2007, how an incomplete patch download can prevent the notification icon from appearing.

The document says: "During periods of heavy download traffic, the Automatic Updates service can reschedule download requests on a day-to-day basis.... The Automatic Updates service is designed to resume and complete the download as quickly as possible. Usually, the update will be downloaded and installed in several days."

This explanation is little consolation for Windows users who — due to company policy or any other reason — want to avoid installing the latest build of .NET Framework, Internet Explorer 8, or any other update that has known issues. If the forced-update bug strikes you, however, any updates that are in the queue will be installed without the opportunity for you to review them.

Microsoft has aroused scrutiny in the past for installing upgrades even though users have set Automatic Updates to "don't install." Windows Secrets was the first publication to report in a Sept. 13, 2007, article that Automatic Updates silently installs nine small executable files to upgrade itself, regardless of the AU setting.

In a follow-up story two weeks later, WS associate editor Scott Dunn reported problems caused by a silent AU upgrade that Microsoft began in July 2007. The new executable files prevented security patches from successfully installing on Windows XP if the Repair function of XP's install disc had been run.

Paul Pottorff, senior product manager of Windows Update, stated in an e-mail interview that no similar silent upgrade has been installed by Automatic Updates since August 2008. He explains that there's been no change to Windows' auto-update routine since then that would explain the recent reports of forced installs.

(Microsoft announced its August 2008 silent AU upgrade on July 3, 2008, and Scott Dunn analyzed the AU stealth patch in an article on Aug. 14, 2008.)

"The behavior we expect to see is for users to be notified about updates that are available for them to install," says Pottorff. "If there is only a throttled update, they shouldn't be notified. If there are any other available updates, they should be notified. The presence of a throttled update does not prevent Automatic Updates from notifying users about other not-throttled updates. Furthermore, this behavior has been the same for a long time and hasn't even been touched for more than 9 months."

At this point, I'm unable to make the behavior reproducible or demonstrate the exact conditions under which forced installs occur. Until a better explanation of the aberrant update behavior is provided, however, I'm calling it an unpatched bug.

How to prevent forced installs from occurring

To work around the possibility that Windows will install updates the next time you shut down or restart your PC, you need to understand the update options Windows offers. The update options in XP are:

* Automatic — automatically download recommended updates for my computer and install them.
* Download updates for me, but let me choose when to install them.
* Notify me but don't automatically download or install them.
* Turn off Automatic Updates.

The equivalent settings in Vista (see Figure 2) are:

* Install updates automatically.
* Download updates but let me choose whether to install them.
* Check for updates but let me choose whether to download and install them.
* Never check for updates.

[Image: Vista update options]
Figure 2. Users who've selected one of the two "let me choose" options are reporting that Windows has forced updates onto their systems.

Choosing the first option, which installs updates without user intervention, is designed to refresh your system with the most-crucial security patches. However, many PC security experts (including Susan) recommend that advanced users choose the second or third option. Either alternative is supposed to give you the opportunity to research the latest updates before you apply them.

The forced-update problem doesn't appear to be rampant, but it can severely affect users whose systems are incompatible with certain updates.

If you consider it important to research patches before they're installed, one possible workaround involves selecting AU's option 2 or 3. Then, run Microsoft Update (a superset of Windows Update, both of which require IE) and specify every patch to be installed or not installed — every time you plan to shut down or reboot. Running Microsoft's updater should eliminate any queued downloads that might install unexpectedly.
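The four settings listed above are what the Windows Update Agent exposes as its NotificationLevel (1 = off, 2 = notify before download, 3 = download but notify before install, 4 = install automatically), and the same agent can tell you which updates are already sitting in the queue. The following PowerShell script is an added example, not code from the article or from Microsoft; it reads the current setting, shows whether a Group Policy value under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU is overriding it, and lists every not-yet-installed update together with its IsDownloaded flag, which is the state that matters if a shutdown is about to apply queued patches. It assumes the Windows Update Agent COM objects (Microsoft.Update.AutoUpdate and Microsoft.Update.Session) are present, as on XP SP2 and later and Vista, and that it is run from an elevated prompt; the function names are my own.

```powershell
# Added example (not from the Windows Secrets article): show the Automatic
# Updates setting and every update queued on this machine, so the state can be
# reviewed before a shutdown even when the notification-area icon never appears.
# Uses the Windows Update Agent COM API; run from an elevated PowerShell prompt.

function Get-AutoUpdateState {
    # NotificationLevel values defined by the WUA API (AutomaticUpdatesNotificationLevel),
    # mapped to the wording of the XP / Vista dialogs.
    $levels = @{
        0 = 'Not configured'
        1 = 'Disabled ("Turn off Automatic Updates" / "Never check for updates")'
        2 = 'Notify before download ("Notify me" / "Check for updates but let me choose")'
        3 = 'Notify before install ("Download updates for me" / "Download updates but let me choose")'
        4 = 'Scheduled install ("Automatic" / "Install updates automatically")'
    }
    $au       = New-Object -ComObject Microsoft.Update.AutoUpdate
    $settings = $au.Settings
    $level    = [int]$settings.NotificationLevel
    $result = New-Object PSObject -Property @{
        NotificationLevel = $level
        Description       = $levels[$level]
        ReadOnly          = $settings.ReadOnly   # $true when Group Policy controls the setting
        PolicyAUOptions   = $null
    }
    # A domain or local policy value overrides the Control Panel choice; report it if set.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if (Test-Path $policyKey) {
        $result.PolicyAUOptions = (Get-ItemProperty -Path $policyKey).AUOptions
    }
    return $result
}

function Get-PendingUpdates {
    # Ask the local agent (against whatever update source it is configured for)
    # for updates that are not installed and not hidden. IsDownloaded is the
    # flag to watch: those are the patches that can be applied at shutdown.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $search   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $pending  = @()
    foreach ($u in $search.Updates) {
        $pending += New-Object PSObject -Property @{
            Title        = $u.Title
            KB           = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity     = $u.MsrcSeverity
            IsDownloaded = $u.IsDownloaded
            IsMandatory  = $u.IsMandatory
        }
    }
    return $pending
}

$state = Get-AutoUpdateState
"Automatic Updates level {0}: {1}" -f $state.NotificationLevel, $state.Description
if ($state.ReadOnly) {
    "Setting is enforced by policy (AUOptions={0})" -f $state.PolicyAUOptions
}

$pending    = Get-PendingUpdates
$downloaded = @($pending | Where-Object { $_.IsDownloaded })
"{0} update(s) not installed; {1} already downloaded and waiting to be applied:" -f $pending.Count, $downloaded.Count
$pending | Sort-Object IsDownloaded -Descending |
    Format-Table IsDownloaded, IsMandatory, Severity, KB, Title -AutoSize
```

Run it before shutting down to see exactly what is queued; a non-empty downloaded list with the notification icon absent is the situation the article describes. Anything you decide not to take can then be hidden or declined through Windows Update or Microsoft Update before the machine restarts, which is the same effect as the manual review described above.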

You might think that you could eliminate forced updates by selecting Turn off Automatic Updates (in XP) or Never check for updates (in Vista). You would then check manually for updates at least once a month, using Microsoft Update or one of the third-party update services described in the WS Security Baseline.

Besides the headache of having to check manually for patches, however, a problem with disabling Automatic Updates is that Windows constantly nags you about it. A bold red "X" is repeatedly displayed, whether or not you're savvy enough to decide for yourself whether you wish to use Automatic Updates or a third-party patch checker. (See Figure 3.)

[Image: disabled Automatic Updates warning]
Figure 3. Disabling Automatic Updates, perhaps because you prefer to use a competing update checker instead, results in constant nag warnings from Windows.

Readers who have additional evidence about forced updates in XP or Vista should report the information using the Windows Secrets contact page.
