April 7, 2008 9:12 PM PDT

Don't get burned by Windows Update

by Michael Horowitz

It's the very definition of irony: bugs in the application designed to install bug fixes. Such is Windows Update, which in the two instances described below installs known buggy software--and tells you that all is well when it is not.

Installing IE7

I use Firefox for pretty much everything, so my main desktop and laptop (both running Windows XP) still had Internet Explorer version 6 until recently. I also run Windows Update manually, so keeping IE 7 off my machine involved nothing more than unchecking a box once a month. But now that IE 7 has been out for roughly a year, and I'm addicted to tabs, I finally got around to installing the browser.

Since I was up-to-date on bug fixes, IE 7 was the only thing Windows Update had to install. The installation process includes the option shown below about installing "the latest updates for Internet Explorer," which I did. All went well, at least according to Windows Update.


The first thing I noticed afterward was that IE 7 turned on the language bar toolbar on the task bar. It doesn't take up much room, but I have no interest in the language features and the fewer things running the better.

To get rid of the language bar, go to the Control Panel, click on Regional and Language Options (the globe), then click on the Languages tab, then the Details button, then the Advanced tab. Finally, put a check in the box to "Turn off advanced text services".

All seems well at this point, but it's not. A critical bug fix having to do with something called VML is missing. The fix goes by the names KB938127 and MS07-050 (see Critical Vulnerability in Vector Markup Language Could Allow Remote Code Execution) and dates back to August 2007. Yes, Microsoft has had eight months to make Windows Update smart enough to install this critical bug fix when it installs IE 7. Or, at the least, warn us to run Windows Update again. But no, it instead installs known buggy software.

.Net Framework Version 2

The same thing happens when you install version 2 of the .Net framework. There are three versions of the .Net framework, and all are optional--until, that is, you try to install software that requires it.

Again, I started with a Windows XP system that was up-to-date on all bug fixes and installed nothing but version 2 of the .Net framework using Windows Update. As before, I ran Windows Update manually (Tools -> Windows Update in IE) and opted for a Custom install. All went well, and I rebooted afterwards, just for good luck.

Though all seems well, I ran Windows Update again. Sure enough, the just-installed .Net framework needed updating. And not just one bug fix; it was missing an entire service pack (KB110806). Installing the service pack was uneventful other than the required reboot.

Back to Windows Update and, finally, everything is up to snuff.
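
The re-scan described above can be scripted so that a "successful" install is never taken at face value. This is an added example, not code from the original post: it assumes Windows PowerShell 3.0 or later and the Windows Update Agent COM API, and the function names `Get-PendingUpdate` and `Test-PatchLevel` are hypothetical.

```powershell
# Added example: after installing a component such as IE 7 or .NET Framework 2.0
# (and rebooting if asked), list the updates that still apply to the machine.

function Get-PendingUpdate {
    # Ask the Windows Update Agent for software updates that are applicable
    # but not installed. Needs network access to the update service.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            KB       = @($update.KBArticleIDs)         # article numbers without the "KB" prefix
            Bulletin = @($update.SecurityBulletinIDs)  # for example MS07-050
            Severity = $update.MsrcSeverity
            Title    = $update.Title
        }
    }
}

function Test-PatchLevel {
    param(
        # KB numbers to watch for; the default is the VML fix named in the
        # article (KB938127 / MS07-050).
        [string[]]$WatchKb = @('938127')
    )

    $pending   = @(Get-PendingUpdate)
    $pendingKb = @($pending | ForEach-Object { $_.KB })

    # A watched KB that is absent from the pending list is installed,
    # superseded or not applicable; only "still pending" is reported here.
    $watchedPending = @($WatchKb | Where-Object { $pendingKb -contains $_ })

    [pscustomobject]@{
        Clean            = ($pending.Count -eq 0)
        PendingCount     = $pending.Count
        WatchedKbPending = $watchedPending
        Pending          = $pending
    }
}

$report = Test-PatchLevel
$report.Pending | Sort-Object Severity | Format-Table Severity, KB, Title -AutoSize

if (-not $report.Clean) {
    Write-Warning "$($report.PendingCount) update(s) still apply; install them and scan again."
    exit 1
}
```

Run it after every install pass and repeat until it exits with 0, which is the scripted form of going back to Windows Update until nothing more is offered.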

There is no excuse for a software update application, such as Windows Update, to install known buggy software. No excuse, but there is a reason: either incompetence or a corporate laziness that sets in when a company is not challenged in the marketplace. I am not sure which applies in this case.

See a summary of all my Defensive Computing postings.

Originally posted at Defensive Computing
Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
by ruminator April 7, 2008 10:34 PM PDT
You forget the 3rd reason: the infamous disgruntled employee who slips in things like easter eggs [http://www.eggheaven.com/] in your morning software. It would be just like an underpaid Microsoft malcontent to hide a bug in debugging software to bug the heck out of the unsuspecting lemmings. [CNET editors' note: personal attack deleted]
by xPantheon April 8, 2008 6:11 AM PDT
There's actually a much better explanation, it's not just consumers that use windows update, enterprises use a very similar option, but always need the ability to do very specific updates, in the case of the .NET framework, it's possible a breaking change occurred to a specific company's application by installing the service pack, in which case that company would have to wait until their app is fixed before rolling out the update, so when you roll all that up into a single update, you risk causing enterprises and consumers a lot of problems, you also have no ability to roll the change back in case it causes a performance or security issue, but with separate installs, you just uninstall the patch and you're good to go.
by mdpa April 8, 2008 6:50 AM PDT
"But, now that IE7 has been out for roughly a year, and I'm addicted to tabs, I finally got around to installing IE7."

This lead-in to installing IE7 makes no sense to me. Did you not know after all this time using Firefox that it has tabs as well?
by Leria April 8, 2008 9:29 PM PDT
He might have been using Firefox, found it has some annoyances (like random lockups), and wanted IE7 instead.
Personally, I have Firefox and IE8 Beta 1 installed on my machine.... I VERY rarely use Firefox anymore, except on sites that IE8 has problems with (CNet being one of them).
by mhinnewyork April 8, 2008 7:52 AM PDT
What I meant was that even the very few times I used IE, I found the lack of tabs annoying.
Michael
by Derftoy April 8, 2008 8:00 AM PDT
I can't believe you're complaining. Windows update is pretty good compared to the old days when you had to order fixes on disk. As a software developer I find it harder and harder to please the customer. I can write some code that can do some work that normally would take 8 hours to complete. 6 months later, that 30 seconds is just too slow and I need to optimize the code to run faster. Users are just never pleased with what can be done. I understand the logic with Update... It looks, and verifies that you need an update. So it updated, but now you have the latest update, you should always check to see if that update has been updated since you took a year to do any updates. You Hate Change and progress... so stick with Firefox... It has updates and bugs as well, but I am sure you were on top of those when they came out... DORK!
by The_Decider April 8, 2008 10:38 AM PDT
So because things were really bad 10+ years ago, then there is no legitimate reason to gripe about serious flaws in the updater?

That is the logic that MS wants its users to use. MS thrives on keeping its minions stupid and reliant on MS.
by bugjooce April 8, 2008 10:52 AM PDT
So let me get this straight.... you are associating Microsoft with change and progress? We are talking about a company that has been in need of an overhaul for years and is seriously suffering from lack of innovation. Get a clue.... oh, and let's not overlook the "DORK" comment.... what are you, 12 years old?
by tchristoff April 14, 2008 8:22 AM PDT
Well, as I read your comment I thought, maybe you know what you're (not your) talking about. But when I got to the end, I see you're just an immature person. No reason to add DORK! to your comment. Just shows your immaturity. I'll disregard everything else you wrote.
by Greg5A April 8, 2008 8:24 AM PDT
I have IE6 on my year-old XP system. When I first bought my HP Pavilion desktop, it came with IE7. The system crashed three times in the first two months, requiring restoration to factory defaults and wiping off all my user-installed software.

HP tech support said IE7 was causing the crashes and suggested using IE6. I've been using IE6 since then and my system has been stable with no more crashes.

I also started using Norton Systemworks after the crashes. The first time I ran it, it found over 300 registry and shortcut errors. I don't know if they had something to do with the crashes. I run Systemworks on a regular basis now. So far, all is well.

However, I am afraid to install IE7 on my system. Windows Update periodically tries to install it, but I pick "Custom Install" and uncheck the box. The same thing for Vista--I'm sticking with XP.
by Leria April 8, 2008 9:32 PM PDT
I'm sorry, but there is no way that IE7 should be causing your ENTIRE SYSTEM to crash, or to need a restore to factory settings, period and done with.

HP Tech Support was just taking the easy way out, and blaming IE7 instead of looking for the REAL reason that your system was crashing on a regular basis (faulty memory and faulty hard drive are more likely explanations if it was damaging things that had nothing to do with IE7).
by mhinnewyork April 24, 2008 6:09 PM PDT
I agree with Leria. IE7 should be stable by now and is probably not the real cause of your problems. Take things any tech support department says with a grain of salt. See this for more:
http://www.cnet.com/8301-13554_1-9923976-33.html
I also recently blogged about repairing IE7, something HP should have tried with you.
Michael Horowitz
by john55440 April 8, 2008 8:49 AM PDT
How about doing a Security Review of the new HP Upline online backup service? The below link includes access to a free-limited version of the service.

https://www.upline.com/plans/index.shtml
by ulric2 April 8, 2008 9:03 AM PDT
Greg5A: those tools that report 'registry error' are snake oil. There are no errors in the registry, these tools simply do not understand how the registry is used by many third party software, and want to delete the keys. This breaks applications, including our application. Do not EVER run registry clean up tools, there is nothing to clean. Norton is in the business of fooling people into believing they need their tools.

IE7 does not cause the 'system to crash'. It runs on all newly shipped computers in the last three years. It's just a web browser. If you're running IE6, you're in a position where you're exposing yourself to more security problems and obsolete support of web standards. Install IE 7, and if you hate it, use FireFox to browse the web. But don't have IE6 installed instead of IE7.
by Leria April 8, 2008 9:35 PM PDT
Those 'registry error' things are not 'snake oil', ulric2. They are usually finding obsolete keys in the registry that are left behind when you uninstall a program or update to the latest version of the program.
I use TweakNow's Registry Cleaner, and it finds things on a regular basis, and when I look at the keys it has found that are 'safe to be cleaned'.... it's keys that are left behind by software uninstallers that do not do their job correctly in the slightest.
by jctjct April 8, 2008 9:12 AM PDT
If you're a novice, you should simply let windows update automatically update itself.
Updates are released in an order and are installed in an order. It would have installed during the next update window and for most people it would have been transparent.

If you're a power user or administrator, you should know better and realize that if you have old updates or applications you are installing, there is a probability of subsequent updates that will follow. You should know that you run windows update again. Problem solved.

Microsoft has plenty of faults, but this isn't one of them.
by biffhenerson April 8, 2008 9:52 AM PDT
I am a power user and have used automatic updates for years. I have never had a problem with any of the updates. If you choose to micro manage the updates, you may have other personal issues that are not the fault of the computer. The automated patching available today is light-years ahead of the way things used to be. The good news is that it will only get better and better over time. I have zero sympathy for corporations who write very poorly designed software that then gets broke when a patch is applied to any product. It is not the patching vendor's fault. They are fixing their product. It is the morons who write the add-on software that are to blame 99.9% of the time.
by tchristoff April 14, 2008 8:27 AM PDT
One of Microsoft's updates (the DST Patch) broke SalesLogix, one of the most used CRM products in the world. Another product, 4D, a database development product, got broke a few years ago. Just because you've never had a problem, doesn't mean they don't exist.
by mhinnewyork April 24, 2008 6:17 PM PDT
For one, if you use automatic updates, you are probably not a power user. Then there is the question of how you define "problem". Having Windows Update make a computer with no known bugs into a computer with known critical bugs is, to me, a problem. Perhaps to you it is not a problem as nothing obviously breaks. See the first point.
by biffhenerson December 10, 2008 8:43 AM PST
tchristoff - The problem was determined to be SalesLogix using an unsupported API call. An API left over from WinXP and clearly marked since 2004 as obsolete.

mhinnewyork - Using automatic updates makes me not a power user? Not using automatic updates makes you a relic from 1980 thinking. Put the damn patches on!!! We have a couple of network guys here that live in fear that the patches break things. They are definitely old school. And wrong. They are preventing progress in fear of what might be. Soon they will be unemployed as we move forward and they remain in 1985.
by sal-magnone April 8, 2008 10:16 AM PDT
You need to find something more substantial to write about ...

Use the autopatch dude - the service pack installs itself.
by macintard April 8, 2008 11:27 AM PDT
This is pretty silly.

What do you expect when you download an old version of an application? You should realize you need to patch your system after you install an x year old binary. Sal said it best - find something substantial to write about.
by loudbang April 8, 2008 12:24 PM PDT
I have to agree with biff. I don't see the problem with Windows Update. I think your expectations need to be adjusted; your "power user" activities starting and stopping update manually as a service just confounds things.

Update won't be omniscient and update everything in one step: it is iterative and decision tree-like. You need IE7, let's give you IE7. IE7 needs updating, let's update IE7... IT WON'T HAPPEN IN ONE STEP. If you don't stop & start update at your own whim, it WILL iterate and fix all those things.

Power user doesn't mean merely cribbing power user shortcuts here or there from other power users. It means having the full knowledge of a power user, and coping and knowing the consequences of her out-of-the-way activities. This power user prefers to let update do its thing.
by mhinnewyork April 24, 2008 6:22 PM PDT
It should happen in one step. What happened here was a computer with no known bugs was converted into one with known critical bugs. This is what you are defending. As for letting Microsoft auto update whenever they please, see this posting.
http://blogs.cnet.com/8301-13554_1-9778389-33.html
Michael
by Neo Con April 8, 2008 4:48 PM PDT
What is this 'X'-'P' of which you speak? Get with the program and get a frickin' operating system that isn't 7 years old. It's called VIS-TA. Get it.
by Dalkorian June 2, 2008 10:32 AM PDT
Fista? Are you kidding, or did someone use your breakfast as a toilet? If you want something that "isn't 7 years old", try one of the fine Linux distros. Fista is only for masochists who hate themselves and want more pain in their lives.
by chuchucuhi April 8, 2008 9:07 PM PDT
It does happen, such as a recent office update breaking TIF file associations. Or in the instance of KB928365 from 07/10/07 if you ran an application that was using Crystal Reports for .NET after you rebooted the C++ libraries would be deleted from the WinSXS causing A LOT of things to fail. In Mid Feb of 2008 they finally removed the KB from their Auto Update system. I know customers can be demanding for a better product, it's more or less human nature to want better. I don't think a lot of people have an overview of how software works, how data works, how hardware works all to its very core. You have to have one person for each and neither can speak to each other very well which probably causes some issues.
by RicABlair April 9, 2008 12:01 AM PDT
And the end user/customer suffers because "neither can speak to the other" ... Shannon has said those who can't write software build hardware, those who can't build hardware write software, and those who can't do either, blog.
by kevin-j April 9, 2008 10:13 PM PDT
I was a long time Firefox user too. But I really fell in love with the IE7 tabbing. If you are concerned by the bug and patch issues with IE7, my advice to you is stick with the IE6 or Firefox. Like any new software, IE7 and Windows Vista need a time to bloom. Remember the XP period before the SP2 released?

[CNET editors' note: offensive material was removed.]
by RicABlair April 14, 2008 1:17 PM PDT
The poster never said the problem doesn't exist; if you had read it more closely you'd have noticed he said it does exist because of users who micromanage the updates, which is what this blogger always seems to do -- for whatever reason, or for the reason that he tinkers until he finds a problem to write about. BTW you never said outright the subject problem exists either--you're merely commenting on the poster's logic or lack thereof. With respect to lack of logic, reserve such comment until you review the entirety of these blogs.
by GslMusic July 24, 2008 6:53 PM PDT
"I have never had a problem with any of the updates." You have got to be kidding me. You think that your opinion, a sample size of one, is good enough to make such a statement? What about the thousands and tens of thousands of users or corporate users who HAVE had problems CAUSED by a microsoft update? At least by managing the installation of the "updates" an Administrator can narrow down which update caused the problem. Your "nothing to see here, just trust microsoft, move along" attitude is unsafe.