Updating Windows XP on Your Own Terms

Technique

Save Time By
Dealing with the Security Center’s automatic update biases
Knowing when to update — and how
Protecting yourself against bad updates
Any large computer program has bugs. Heck, any small computer program has bugs. When a program gets as large as Windows — Microsoft claims Windows XP contains 50 million lines of code — the bugs start stacking up like planes at O’Hare in a snowstorm.
Microsoft releases dozens of updates each year. Some of the updates fix bugs that make Windows crash. Many of the updates plug security holes. Most of the updates come in the form of patches: Fixes to an individual Windows program that wasn’t working right. Some of the patches are small. Most are big — and Windows XP Service Release 2, which contained hundreds of patches, was tantamount to an entirely new version of Windows XP.
You wouldn’t need to worry about keeping Windows XP up to date with the latest patches if it weren’t for one unavoidable fact: The bad guys are watching. You can bet that some cretin out there, somewhere, will take advantage of one of the patched security holes, and come up with a virus or worm that exploits the hole. If you haven’t installed the latest patch to plug the hole in Windows XP, your computer is vulnerable to the cretin’s creations.
The only possible way you have to keep up with the latest security patches is Windows Update. I swear by Windows Update, but you have to use it properly.
What happens if something goes wrong and Microsoft’s latest update causes yet more problems? It’s happened many times before and it’ll happen again. Indeed, as I write this, fully 20 percent of the security patches Microsoft has released so far this year caused major problems on a significant number of PCs.
This technique includes ways to protect yourself against the updates themselves. Caveat updator!


Reining In Windows Update

When you install Windows XP Service Pack 2, or when you first start a new PC that’s running Service Pack 2 or later, Windows greets you with one of the most biased questions in all of computer-dumb, er, -dom. Windows asks if you want to “Help protect my PC by turning on Automatic Updates now” or “Not right now” (see Figure 55-1).
• Figure 55-1: A truly loaded question.
Moreover, when you look at your Windows Update setting in the Windows Security Center (choose Start > Control Panel > Security Center), you’re only given the option of turning on Automatic Updates (see Figure 55-2). If you click the banner that says “Check Settings,” the Security Center doesn’t do anything at all. You have to dig deep to get at the more reasonable options, as I explain later in this technique.
• Figure 55-2: The only option available: Turn on Automatic Updates.
Microsoft wants you to turn on Automatic Updates. Heck, most Windows gurus suggest that you turn on Automatic Updates. One of those gurus says that it’s better for Microsoft to automatically install its software on your PC than to leave your system wide open for some malicious kid to install his software on your PC.

He’s got a good point.

Still, I disagree. I believe that Microsoft has proven conclusively that it can’t be trusted to produce reliable security fixes. If Microsoft distributes an automatic patch that’s so badly flawed that thousands or tens of thousands of PCs suddenly stop working, the people with those PCs won’t have the slightest idea that the culprit was a bad patch from Redmond. In my opinion, savvy Windows users should let the Automatic Update service advise them when new patches are available — but they should wait to apply those patches until there’s enough real-world experience with the patches to make sure they solve more problems than they create.
It’s one of those dammed-if-you-do-dammed-if-you-don’t situations that salmon seem to encounter every year (if you’ll pardon another fishy metaphor). On the one hand, if you apply Microsoft’s patches as soon as they’re available, there’s a chance that your PC gets all screwed up. On the other hand, if you don’t install the patches, some cretin who learned about a security hole when a patch was issued could come along and blast you with a worm. In my experience, at least at this point, your chances of getting clobbered by a bad patch are higher than your chances of getting zapped with a worm. So it makes sense to avoid applying Windows updates until you know that they’re solid.

Your first big step in taking control of Windows Update is to turn off Automatic Updates, and instead have Windows merely inform you when updates are available:

1. Choose Start > Control Panel > Security Center.
Windows XP displays the Windows Security Center, as shown in Figure 55-3.
2. In the Manage Security Settings For area at the bottom, click Automatic Updates.
The Automatic Updates dialog box appears (see Figure 55-4).
• Figure 55-3: The Windows Security Center.
3. Consider the ramifications of each of the settings, as I explain in Table 55-1. Choose the entry that works best for you.
4. Click OK.
Microsoft updates Windows Update so often that you need a scorecard to keep the versions straight. This bit is a brain-twister, but if you don’t turn on Automatic Updating, Windows can’t update Windows Update itself until you specifically give your permission.
• Figure 55-4: Turn on Automatic Notification here.
To avoid an endless loop of chickens and eggs, you might want to log on to the Windows Update Web site, windowsupdate.microsoft.com, from time to time and allow Windows Update to install patches to itself.
Table 55-1: Automatic Update Settings

Setting | Timesaving Recommendation
Automatic (recommended) | Only use this setting if you trust Microsoft to deliver patches that won’t clobber your system. This is a good choice if you don’t have time to stay on top of the latest updates — because never patching is the worst choice of all.
Download, don’t install | A reasonable choice if you have a slow Internet connection, or you don’t want to tie it up with downloads while you’re working. The only downside comes when Microsoft re-issues a patch, effectively creating a “version 2.0” patch or a patch of a patch. In that case, you have an extra, useless file hanging around.
Notify, don’t download | Your best choice if you have a fast Internet connection. Wait until the patch seems to be working, and when the coast is clear, go for it.
Turn Off Automatic Updates | The worst of all possible worlds. Avoid it.
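
To confirm which row of Table 55-1 is actually in effect on a PC (useful when you look after several machines), the following added example, which is not part of the original text, reads the registry values that Automatic Updates stores its setting in. It assumes PowerShell 2.0 or later and administrator rights are not required for reading; the function names are hypothetical.

```powershell
# Added example, not from the original text: report which row of Table 55-1
# is in effect by reading the Automatic Updates registry values.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# AUOptions value -> setting name as it appears in Table 55-1
$modes = @{
    1 = 'Turn Off Automatic Updates'
    2 = "Notify, don't download"
    3 = "Download, don't install"
    4 = 'Automatic (recommended)'
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Get-AutomaticUpdateMode {
    # A Group Policy setting, when present, overrides the Control Panel choice.
    if ((Get-RegValue $policyKey 'NoAutoUpdate') -eq 1) {
        return New-Object PSObject -Property @{ Source = 'Policy'; AUOptions = 1; Mode = $modes[1] }
    }
    $sources = @(
        @{ Name = 'Policy';        Key = $policyKey },
        @{ Name = 'Control Panel'; Key = $localKey }
    )
    foreach ($src in $sources) {
        $value = Get-RegValue $src.Key 'AUOptions'
        # Values outside 1-4 (for example policy value 5, "let the local
        # administrator choose") fall through to the next source.
        if ($value -ne $null -and $modes.ContainsKey([int]$value)) {
            return New-Object PSObject -Property @{
                Source = $src.Name; AUOptions = [int]$value; Mode = $modes[[int]$value]
            }
        }
    }
    return New-Object PSObject -Property @{ Source = 'None'; AUOptions = $null; Mode = 'Not configured' }
}

$result = Get-AutomaticUpdateMode
$result | Format-List Source, AUOptions, Mode
if ($result.AUOptions -eq 1) {
    Write-Warning 'Automatic Updates is off: no notification of new patches will appear.'
}
```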

Microsoft officially releases new security patches on the second Tuesday of every month. (Except when, uh, it doesn’t.) If you hear of a security patch coming out on any date other than the second Tuesday of the month, chances are good that Microsoft has heard about somebody attempting to take advantage of the security hole.

Downloading the Big Updates

Every few months, Microsoft releases a big Windows XP update. There was a giant download for Service Pack 1, another one for Windows Media Player 9, another for Windows Movie Maker 2, then Service Pack 2, then Windows Media Player 10. . . well, you get the idea. You find out about the big updates from the press, or from the Windows Update pop-up in your notification area (next to the clock on the taskbar) that says updates are available.
If you have just one PC that needs updating, you can simply click the notification bubble and follow the instructions to apply the download to the PC that needs it.
If you have more than one PC, downloading the same update file over and over again is a huge, time-consuming chore. For those of you who have unlimited broadband access and enjoy lightning-fast 100MB downloads, I applaud your resourcefulness. Literally. For the rest of us, the idea of downloading a 270MB file four times for four different machines is a bit daunting, to say the least. (Windows XP Service Pack 2 weighed in at 270MB; Service Pack 1, by contrast, ran a sprightly 138 MB. On a 56K dial-up modem it would take about a year to download one of the big service packs, if you lasted that long.)
You can’t post the updates on the Web for other people to download, but you can hand them around. Microsoft always sells the big updates for the price of shipping and handling for the CD, but it can take weeks for the update to arrive in the mail. There’s nothing wrong with downloading, say, the Service Pack 2 update, and burning it on a CD. Then you can give copies to your friends (housewarming present?). You also can download one copy of Windows Media Player 10 and update all the computers on your small office network from that single copy. Microsoft’s big service packs and product updates are always free.
Automatic Update works by running a “sniffer” program on your PC, to see what versions of the software you have installed. If you don’t want to permit Microsoft’s update sniffer program to run on your PC, download and save the updates this way — big ones or little ones. You have to keep track of the patches manually, but no sniffer ever phones home with a list of your hardware and software.
Fortunately, you can download the big updates as a single file and save them on your PC, so you can use the saved file multiple times. It isn’t worth the effort to find and download small updates — ones that can be downloaded in a few minutes. If you aren’t concerned about Microsoft’s Windows Update sniffer (and I’m not), let Windows Update do the work of finding and keeping those little ones in line (Windows Update keeps a great list of available updates, even if you don’t install them; see the next section). The way to save a whole bunch of Internet time is to look for updates that take 30 minutes or more to download.

To see if a particular update is available for download in its own file:

1. Choose Start > All Programs > Windows Update.
Windows sends you to the Windows Update Web site (see Figure 55-5).
2. On the left, click Administrator Options.
3. Click the Windows Update Catalog link.
• Figure 55-5: In spite of what the Windows Update Web site says, I do not have Automatic Updates turned on.
Internet Explorer takes you to the catalog page (see Figure 55-6).
• Figure 55-6: The main page of the Windows Update Catalog.
4. Click the Find Updates for Microsoft Windows Operating Systems link.
The Windows Update Catalog lets you select your operating system.
5. Choose Windows XP (and whatever service pack you may have), and then click the Search button.
The Windows Update Catalog finds all available updates for Windows XP (see Figure 55-7).
• Figure 55-7: All available updates are listed.
6. Carefully select the update(s) by clicking the Add button for each update you want to download.
You’re here to download the big updates that have to be applied to multiple computers. Completely ignore updates that don’t apply to the computers in your care. For example, if you already have Media Player 10, you have no need for an update to Media Player 9.
7. When you have the update(s) you want, click the Go to Download Basket link.
The Windows Update Catalog takes you to the download basket.
8. Click the Browse button and move to a location on your computer for the downloads. Then click the Download Now button.
Windows responds with one of its insufferable End User License Agreements.
9. After you read and understand the License Agreement, nod, nod, wink, wink, click the Accept button.
You may need to click to allow pop-ups. (In fact, as this topic went to press, clicking to allow pop-ups also knocked out the Windows Update site, and you had to go back and download all over again.) If the situation gets overwhelming, click the popup blocking Information Bar in Internet Explorer and choose Temporarily Allow Pop-ups. Windows downloads the updates, sooner or later, and then returns you to the Windows Update Catalog.
In fact, Windows creates a new hierarchy of folders where you asked to put the update: WU\Software\en\com_microsoft.windowsxp\86WinXP and then a folder underneath for each specific download. You’ll find the update somewhere. Just keep drilling down.
10. Click the Close (X) button to exit the Windows Update Catalog, and then run your updates.
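
Because one saved copy ends up on a CD and on several PCs, it is worth checking each package's digital signature before running it anywhere. The following added example, which is not part of the original text, walks the download folder and reports any package whose Authenticode signature is missing, broken, or not from Microsoft. It assumes PowerShell 2.0 or later; the default path and the function name are hypothetical.

```powershell
# Added example, not from the original text. Check every saved update package
# before burning it to CD or running it on another PC.
# $DownloadRoot is an assumed path: the folder picked with Browse in step 8.
param([string]$DownloadRoot = 'C:\Updates')

function Test-UpdatePackage {
    param([string]$Path)
    # Get-AuthenticodeSignature re-hashes the file and validates the
    # certificate chain, so a corrupted or altered download is not 'Valid'.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = '(unsigned)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        File    = $Path
        Status  = $sig.Status
        Signer  = $signer
        # Trust only an intact signature whose publisher is Microsoft.
        Trusted = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
    }
}

# The catalog nests each download several folders deep, so search recursively.
$report = @(Get-ChildItem -Path $DownloadRoot -Recurse -Include *.exe |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { Test-UpdatePackage $_.FullName })

$report | Format-Table Trusted, Status, File -AutoSize
$bad = @($report | Where-Object { -not $_.Trusted })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) package(s) failed the signature check; download them again."
    exit 1
}
```

Run the same check against the CD on each PC before installing, since the copy can be damaged in transit just as the download can.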

Checking for Small Updates

Although there are powerful reasons for manually downloading just one copy of the big updates, the small ones are far too numerous for most carbon-based life forms to keep track of. As long as you don’t mind running Microsoft’s Windows Update sniffer program, it’s easy to deal with those little updates by letting Windows Automatic Update take care of them.

Follow these steps to do a mini update:

1. If you receive a notification, such as the one in Figure 55-8, or one saying that new updates are ready for download, you can click the icon and follow the wizard.
• Figure 55-8: Windows is ready — but are you?
2. Click the notification area icon to bring up the wizard; then click the Remind Me Later button and choose In 3 Days.
Three days gives you enough time to see if the patch is more trouble than it’s worth.
3. If you decide that you want to install the update, choose Start > All Programs > Windows Update.
Internet Explorer takes you to the Windows Update site (refer to Figure 55-5).
4. Scroll down and click the Custom Install link.
Windows Update comes back with notification about how many updates it has available for your particular PC (see Figure 55-9).
• Figure 55-9: Windows Update found 1 high priority update, and 3 optional updates.
5. Uncheck the boxes next to any patches that you don’t want to apply. Then click Go To Install Updates.
The patch shown in Figure 55-9 is a particularly fitting example. Microsoft came under a lot of well-deserved fire for this particular patch (associated with Microsoft’s MS04-048 Security Bulletin) because it didn’t solve the problem it was supposed to address. The SANS Institute came up with a much better alternative.
6. Double-check the proposed updates carefully, and uncheck the boxes next to any items you don’t want.
The list that Windows Update offers is far from infallible. I was once advised to install Service Pack 1 on a machine that already had Service Pack 1. I’ve seen device drivers on the list that I wouldn’t touch with a ten-foot pole (see Technique 58 for the skinny on device drivers). Use your discretion — and your brain.
7. When you’re ready, click Install. Follow the instructions to install the updates you’ve accepted.
You may need to install some updates separately, possibly with your PC rebooting. In those cases, make sure you come back to Windows Update after each update gets installed.

Retrieving and Installing a Declined Update

What if you turn down an Automatic Update, and later wonder whether maybe you should’ve accepted?
No problem. Just follow these steps to get that update:
1. Choose Start > Control Panel > Security Center. At the bottom, click Automatic Updates.
If you have declined any updates in the past, the bottom line, which says Offer Updates Again That I’ve Previously Hidden, is no longer grayed out.
2. Click the Offer Updates Again button.
Windows XP asks if you want to restore the declined updates (see Figure 55-10).
3. Click Yes, and then click OK.
• Figure 55-10: Tell Automatic Update that you made a mistake and want to look again.
The next time Windows Update scans for updates, it treats the ones you have declined as new and offers them to you again.
