Old 05-18-2003, 08:18 PM   #1
Member (6 bit)
 
ladyjeweler's Avatar
 
Join Date: Apr 2003
Location: North Carolina
Posts: 51
About Windows Updates

Windows Updates sometimes cause more harm than good.

http://www.informationweek.com/story...icleID=9901256

Langa Letter: Microsoft's Problematic Updates May 18, 2003

Windows Updates sometimes cause more harm than good. What's the best way to handle them?
By Fred Langa

There's good news, there's bad news, and then there's even worse news.
The good news is that Microsoft has an extremely active Windows Update service, delivering a steady stream of bug fixes, patches, and updates for Windows and its essential subsystems, such as Internet Explorer.

The bad news is that Microsoft needs this service to be extremely active, because there are a lot of problems in Windows software and because malicious hackers work harder to find exploitable security flaws in Windows than in any other type of software.

The worse news is that, sometimes, Microsoft patches and updates cause more trouble than the problem they're trying to remedy: The cure can be worse than the disease.

For example, it happened again just in the last couple of weeks with security patch 811493, an NT/Windows 2000/XP update designed to correct a security problem in the Windows kernel. Microsoft described the problem this way:

"The Windows kernel is the core of the operating system. It provides system-level services such as device and memory management, allocates processor time to processes, and manages error handling. There is a flaw in the way the kernel passes error messages to a debugger. This flaw causes vulnerability. An attacker could write a program to exploit this flaw and run code of their choice. An attacker could exploit this vulnerability to take any action on the system, including deleting data, adding accounts with administrative access, or reconfiguring the system."

Microsoft rated this patch as "Important," and it clearly is. Millions of users downloaded and installed it. And then the trouble started: Huge numbers of users saw a tremendous slowdown in their systems after installing the patch. For a hint of the scope of the problem, here's just one (of many) Usenet discussion threads on the subject, this particular example from the microsoft.public.windowsxp.security_admin group.

Eventually, Microsoft reacted, but ineffectually, in a new item called "You May Experience Performance Issues After You Install the 811493 Package on Your Windows XP SP1-Based Computer."

In that item, Microsoft acknowledges the problem, and traces it to "a regression error in the Windows XP SP1 versions of the kernel files (Ntoskrnl.exe, Ntkrnlmp.exe, Ntkrnlpa.exe, and Ntkrpamp.exe) that are included in the 811493 security update." Microsoft also agreed with what the user community had discovered much earlier: that "This problem may be more likely to occur if you use some features of some third-party programs, such as antivirus programs. For example, this problem may occur if your antivirus program is configured to scan all files when you open (or you run) them. This is sometimes called 'real-time' scanning."

But the only fix Microsoft has offered is to wait for a new version of patch 811493 to be released. This is hardly a satisfactory answer, and it's made worse by the two clumsy workarounds that Microsoft has suggested as stopgaps:

You can, for example, simply remove the 811493 update. You normally do this via the Control Panel's Add/Remove applet, but this causes two new problems. First, the usual method of patch removal triggers the "System Restore" feature, which rolls the system state back to a point just before the patch was installed. This removes the patch, but also removes any other system alterations or customizations you may have installed after the patch. This could be an annoyance on a single machine, or an enormous and expensive headache if you're responsible for large numbers of machines. Second, after you've gone through the system rollback, you're left back at square one: The security vulnerability that the patch was designed to fix is now back in full force.

The second Microsoft-recommended workaround is even worse: They suggest you "temporarily turn off real-time scanning in your antivirus program." So, you can fix the problem in the Windows kernel, but at the expense of having to run without antivirus protection. That's nuts.

On its own, the Windows user community came up with a better approach that works in many cases:


1. Update your antivirus software with all current definitions, program updates, etc.
2. Reboot the PC to make sure all updates are fully enabled.
3. Use the antivirus tools' control panel or settings to disable all scanning, especially any "autoprotect" or "real-time" scanning.
4. Reinstall patch #811493.
5. Reboot.
6. Re-enable your antivirus tool.

But even if that helps, it's still a time-consuming hassle--bad enough for those with single-machine installations, and a nightmare for those who might have to take the above steps on many machines.

Of course, all the above is the result of just one bad patch, so this leads us squarely to the broader question of what to do about Microsoft updates in general. How can we avoid the time-wasting problems caused by bad patches? Indeed, how can you tell whether a patch is worth installing in the first place?

The hassles with patch 811493 show why I've previously recommended manual installation of all Windows Update items. (See, for example, "10 Ways To Make Windows XP Run Better"; and a related item on making the best use of the "System Restore" feature.) With manual installation, you're in control of what gets updated and when. You can defer installation of updates until you've had a chance to see what they do, what they might affect, and how others have fared. (Usenet can be an invaluable ally in this: Simply search Usenet for a given patch, using the patch's numeric designation as the search term, like this: http://groups.google.com/groups?q=811493&hl=en&btnG=Google+Search )

Plus, configuring all the PCs you control so that they only update on demand--by manual control--means you can try a new patch on a test machine or on your own set up under controlled circumstances. Then, once you're sure a patch is worth having, and that it doesn't cause undesirable side effects, you can roll out the patch on the rest of the PCs. If the patch doesn't work out, you have only one system to restore to pre-patch status.

Some people consider this to be excessively cautious; they prefer to reserve the small-test/large-rollout model only for wholesale system changes such as whole new operating system versions. But I've found Windows Update items to be just dangerous enough to warrant a fairly high degree of caution, such that I never, ever, let my main production PCs automatically update themselves, even for updates that Microsoft calls "Critical."

Instead, I'll check out Critical Updates via the above process, usually waiting at least a day or two before taking any action (so others can serve as bellwethers, and post their experiences on Usenet). Lower-rated updates get pushed further down the to-do list, and get tested and installed on an as-time-permits basis.



Jeannie

Last edited by ladyjeweler; 05-18-2003 at 11:03 PM.
ladyjeweler is offline   Reply With Quote
Old 05-18-2003, 09:38 PM   #2
Member (6 bit)
 
Join Date: Apr 2003
Posts: 46
The links didn't work for me, but I have that update installed on my computer.... How would I go about deleting it?
Justin4875 is offline   Reply With Quote
Old 05-18-2003, 09:55 PM   #3
Member (6 bit)
 
ladyjeweler's Avatar
 
Join Date: Apr 2003
Location: North Carolina
Posts: 51
Have edited the post.

You go to Add/Remove programs and uninstall it.


Jeannie
ladyjeweler is offline   Reply With Quote
Old 05-18-2003, 09:57 PM   #4
Member (6 bit)
 
Join Date: Apr 2003
Posts: 46
The 811493 doesn't have that option in add/remove.... Some updates have the choice to remove and some don't.
Justin4875 is offline   Reply With Quote
Old 05-18-2003, 10:26 PM   #5
Member (6 bit)
 
ladyjeweler's Avatar
 
Join Date: Apr 2003
Location: North Carolina
Posts: 51
Update 811493 had that option. I downloaded mine manually so I was able to remove it. Sorry!

I edited the Information Week link; it works now.

Jeannie

Last edited by ladyjeweler; 05-18-2003 at 10:30 PM.
ladyjeweler is offline   Reply With Quote