Defensive Computing

June 3, 2008 10:05 AM PDT

Installing patches 101

by Michael Horowitz

My last couple of postings were about a bug fix for Windows that I think is best avoided. Dealing with this particular fix raised the issue, for me, of how best to handle installing patches in general, from a Defensive Computing standpoint.

I spent 10 years in the mainframe world administering DB2 databases. The conundrum with installing patches is the same on mainframes as with PCs. Should you install every bug fix as soon as it's released or should you hold back a bit? And, if you do hold back, for how long?

The problem, in both environments, with installing bug fixes ASAP is that some will inevitably cause more problems than they fix. And when they do cause a problem, it may be a biggie, because a work-around could be days away. The problem with holding back, again in both environments, is how long to wait until you are reasonably sure that a patch won't break something accidentally. Do you install bug fixes a week after they were released? A month? Two months?

Mainframers have some advantage over Windows users when it comes to installing patches.*

For one, they can opt to not install patches until they "ripen" (my term). Assuming, for example, that patches are released monthly, a mainframe administrator can, if they want, install March patches in May and April patches in June. Windows/Microsoft update has no such date-oriented feature.

Another advantage is that mainframe patches are usually overseen by someone expert in the software being maintained. That is, a DB2 expert reviews the DB2 patches and can decide to omit some if, for example, they apply to features not being used. Likewise, patches for the operating system (z/OS) are typically reviewed by an expert in the OS before being applied. Needless to say, most PC users cannot evaluate for themselves whether a particular patch is really needed or not.

Patching for non-techies

So, what should non-technical PC users do?

There is no one right answer. If non-techies install patches as soon as they are released, they are the least qualified to deal with problems caused by buggy patches. Yet, leaving their computers vulnerable to newly discovered bugs is risky too.

Many people recommend that non-techies let Windows automatically install patches as they are released. To recommend this is to trust Microsoft a bit more than I do. But, if the computer is used for non-essential things, and being without it for a period of time is no big deal, then installing patches automatically is the way to go. If the computer in question is used by children a lot, then again, installing patches immediately is probably the best approach.

But, some non-technical users make their living using a Windows computer, and they can't take the risk of a buggy patch causing a problem for which a fix may be days away. These people are probably better off waiting until a computer nerd can assist them, even if it means being vulnerable to a newly discovered bug.

Patching For Techies

If you have the technical skill and the inclination, then I suggest turning off all the automatic processing offered by Windows/Microsoft Update. Don't even let it check for updates without downloading them. On top of this, I would also disable the underlying Automatic Updates Windows service (In XP, Control Panel -> Administrative Tools -> Services).

Once a month, I would enable and run Windows/Microsoft Update manually, then immediately disable it again.

When to run it? Installing patches a few days after Patch Tuesday gives Microsoft time to fix or withdraw any patches that caused widespread problems. Sometimes patches can be easily un-installed, but not always. Unless you make a disk image backup beforehand, I'd be very wary of installing patches on Patch Tuesday.

The classic trade-off has always been between security and convenience. Manually running Windows Update once a month is, admittedly, a nuisance.
To run a completely disabled instance of Windows/Microsoft Update in XP, you start by enabling the Automatic Updates service. This requires both setting it to start Automatically (note that it must be set to an "Automatic" startup, for some reason "Manual" is treated the same as disabled) and then manually starting it. Then run the update, selecting "Custom" rather than "Express" processing (see above). Before shutting down Windows, stop and disable the Automatic Updates service again. The Background Intelligent Transfer Service can be left at Manual startup at all times.
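As an added illustration (not part of the original post), here is the same enable, update, disable cycle done from PowerShell rather than the Services console, with a check after each step that the service really changed state. wuauserv and BITS are the actual XP service names for Automatic Updates and the Background Intelligent Transfer Service; the function names are this example's own, and it assumes PowerShell is installed (it was an optional download for XP) and the session runs as an administrator.

```powershell
# Added example, not code from the original post: the manual monthly
# Windows/Microsoft Update cycle described above, driven from PowerShell.
# wuauserv = Automatic Updates, BITS = Background Intelligent Transfer Service
# (real XP service names). Function names are this example's own.
# Assumes PowerShell is installed and the session runs as an administrator.

function Enable-UpdateService {
    # The post reports that "Manual" startup behaves like "Disabled" for
    # Windows Update, so the service is set to Automatic before being started.
    Set-Service -Name wuauserv -StartupType Automatic
    # BITS can stay at Manual all the time; Windows Update starts it on demand.
    Set-Service -Name BITS -StartupType Manual
    Start-Service -Name wuauserv
    # Check: do not run Windows Update unless the service really started.
    $svc = Get-Service -Name wuauserv
    if ($svc.Status -ne 'Running') {
        throw "Automatic Updates did not start (state: $($svc.Status))"
    }
    return $svc.Status
}

function Disable-UpdateService {
    # Mirror of the enable step: stop first, then mark Disabled so nothing
    # restarts it before the next manual run.
    Stop-Service -Name wuauserv -Force
    Set-Service -Name wuauserv -StartupType Disabled
    $svc = Get-Service -Name wuauserv
    if ($svc.Status -ne 'Stopped') {
        throw "Automatic Updates is still $($svc.Status)"
    }
    return $svc.Status
}

function Get-UpdateServiceState {
    # Report state and startup mode of both services, so the before/after
    # condition of each monthly run can be logged.
    Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv' OR Name='BITS'" |
        Select-Object Name, State, StartMode
}

# Monthly cycle: record the starting state, enable, run Windows/Microsoft
# Update by hand (choose "Custom" rather than "Express"), then disable again
# before shutting down.
Get-UpdateServiceState
Enable-UpdateService
Write-Host 'Automatic Updates is running. Run Windows/Microsoft Update (Custom) now, then press Enter.'
Read-Host | Out-Null
Disable-UpdateService
Get-UpdateServiceState
```

Run this from an elevated PowerShell prompt once a month, a few days after Patch Tuesday, as the post suggests; the throw in each function stops the script if the service is not in the expected state, which is the point at which you would otherwise be running Windows Update against a service that never actually came up.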

Disabling the Automatic Updates service has two added benefits. The minor one is that it enables XP to start up a bit faster.

The major one is that it also helps to protect you from Microsoft, which, last September, forced updates on computers that were configured not to be automatically updated. I blogged about this at the time, see Windows is spyware and Defending yourself against Microsoft. I also recommend reading the September 13, 2007 edition of the Windows Secrets newsletter, specifically the lead article by Scott Dunn, Microsoft updates Windows without users' consent.

On a related note, as I wrote in April, Windows XP users should not be in a rush to install Service Pack 3. In fact, if someone suggested installing SP3 soon after it was released - don't take advice from them in the future. The problems that cropped up after its release were as predictable as the sun rising in the morning and the benefits are, by all accounts, minimal.

Patching Other Software

But what about the tons of other software, besides the operating system, that also needs to be patched?

In the Windows world this is a mess, if not a disgrace. Every software company re-invents the wheel when it comes to updating their software.

I'm not a Mac person, but I believe the situation is basically the same there; Apple's equivalent to Windows Update only updates Apple software. Linux has great potential in this area but I'm not familiar enough with it to judge if the potential is being realized. I do know that a number of Linux distros resisted my attempts to figure out how to update software. At least Windows Update is simple and easy to use, even in manual mode. Recently, a copy of gOS running on a new computer totally refused to update anything and the error messages were of little help.

Macs and PCs will always be unreliable without a single patch delivery system for all the installed software.

In the meantime, some businesses make do with assorted commercial products that install patches to a wide range of software. A large computer company has home-grown software for doing this on the machines of employees. Home users have the Secunia Online Software Inspector; flawed though it is, you're much better off using it than avoiding it. FileHippo has a free update checker for Windows machines, but it is in beta test and requires .NET framework version 2. CNET offers VersionTracker, but it is not well rated by the 387 users that rated it.

In the long run this argues for Software as a Service, if for no other reason than, as in the mainframe world, experts oversee the patch process rather than normal, non-techie users. It may also lead to some type of virtualized desktop, again, motivated by the need to increase reliability by controlling software installations. Personally, I'm a huge fan of portable applications, that is, software that can run without being installed (www.portableapps.com has a great collection). And while I'm not a big fan of software like GoBack to rollback system activity, it may justify itself by being able to undo any software installation, be it a patch or not.

Personal computing is a young field and the way patches are handled shows all too clearly that this is still the Fred Flintstone era.

*NOTE: What Windows people refer to as a "patch" or "update", mainframe people refer to as a PTF - Program Temporary Fix.

See a summary of all my Defensive Computing postings.

June 2, 2008 10:19 AM PDT

More about patch KB932823

by Michael Horowitz

As I wrote a couple of days ago, Microsoft released a new bug fix, KB932823, on May 28th which seemed suspicious for a number of reasons.

For one thing, the patch was released at the end of the month instead of Patch Tuesday. It turns out, according to a company spokesperson, that Microsoft releases patches twice a month, not just once a month. "While we release security updates on the 2nd Tuesday of the month, non-security updates are usually released either the 2nd or 4th Tuesday of the month." Who knew?

Since KB932823 is not a security related patch (terminology: "updates" means "patch" which in turn means "bug fix"), it doesn't show up in the list of latest security patches. The Microsoft spokesperson was unable to find a web page that explains or documents the fourth Tuesday bug fix schedule.

Still, this particular bug doesn't strike me as high priority, so I wouldn't install the patch. As I wrote previously, there are two workarounds, and according to Microsoft, the problem only "occurs if the Japanese Input Method Editor (IME) is the default keyboard layout."

The Microsoft spokesperson added that the problem only occurs on multi-core machines. So why was my English-only copy of XP running on a single-core processor offered this patch? Doesn't inspire confidence.

In addition, the problem also occurs on Windows Server 2003 where it is considered a "hotfix" rather than a critical bug. A hotfix is a bug fix that not only doesn't get installed automatically, you can't even download it. Instead, you have to call Microsoft and convince them you need it. For Windows Server 2003, Microsoft says:

Apply it only to systems that are experiencing this specific problem ... if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

In other words, the patch status on Windows Server 2003 is totally opposite from that in Windows XP. Strange.

I also checked the IE blog and the IE home page at Technet. Neither said a thing about this bug fix.

Another Microsoft spokesperson noted that this patch also applies to the Media Center Edition of XP. They said, "Media center is just a variant of Windows XP so all fixes that apply to Windows XP Pro apply to Media Center Editions. Windows Update handles this automatically by delivering the correct version of the fix."

In addition, they pointed out that KB932823 applies to both 32 and 64 bit versions of Windows XP. Quoting: "The x64 version of Windows XP uses the Server 2003 version of the fix - this is true for all x64 XP fixes. Windows Update handles this automatically by delivering the correct version of the fix. (However, only WinXP x86 fix is available from the Microsoft Download Center. Customers who want the fixes for ... Windows XP x64 need to contact Microsoft to get the fix.) "

If you have Windows/Microsoft Update set to operate automatically, then you can't pick/choose the patches to install. Next time, some thoughts on dealing with Windows/Microsoft Update.

Update June 2, 2008: Added comments from second Microsoft spokesperson.

See a summary of all my Defensive Computing postings.

May 31, 2008 2:16 PM PDT

Yet another bug in Windows Update?

by Michael Horowitz

For some reason I felt the need today to run Microsoft Update (big brother to Windows Update) on my Windows XP computer. No particular reason, just felt it in my bones, even though I had run it recently after installing the Word viewer. Sure enough, it found a missing bug fix. It thinks the bug fix is critical; me, I'm not so sure.

Anyone who runs Windows Update manually, as I do, knows not to trust it all that much. It has, for example, found missing patches for software that was not installed. In April, I blogged about how Windows Update installed software with known bugs, converting a secure computer into an exploitable one.
This particular bug (a.k.a. KB932823) doesn't seem at all critical. The sole extent of the problem (see You may be unable to use Windows Internet Explorer 7 to download files on a computer that is running Windows Server 2003 or Windows XP) is that Internet Explorer 7 may not download a file when requested to do so. Here is the problem symptom, as described by Microsoft:

"You may be unable to use Windows Internet Explorer 7 to download files on a computer that is running Windows Server 2003 or Windows XP. For example, after you click Save in the File Download dialog box, the file is not downloaded."

In other words, it's not a security related thing at all.

And, there are two workarounds. One, provided by Microsoft in the problem description, involves configuring Advanced Text Services. The other is simply running another web browser.

The patch for Windows XP was released May 28th, but the problem description was last reviewed 2.5 months ago. I searched Microsoft's website and found nothing new written about it. Microsoft tracks the latest security updates here. It was last updated May 13th and says nothing about the release of KB932823 on May 28th. The Microsoft Update Product Team blog also says nothing about this bug fix. Not exactly a hot item.

Microsoft releases patches once a month, on what us nerds call Patch Tuesday. For a bug fix to be released immediately, as opposed to waiting for the next Patch Tuesday, it has to be the most critical of the critical. Doesn't happen often. And, apparently, should not have happened now. By all measures, this is a trivial dinky problem.

Still, why not just let Windows/Microsoft Update install the patch anyway?

For one thing, any time you install software you are taking a risk. That Microsoft released this as an immediate critical patch makes it fairly obvious they don't have their act together, so I would trust this patch even less than normal.

And, there have been reports that this patch has caused problems (here and here and here). Then again, these problem reports have to be taken with a grain of salt, unless you know the people reporting them.

The bug, it seems to me, is with Windows/Microsoft Update, rather than with IE7.

Update June 2, 2008: See More about patch KB932823 for more on this.

See a summary of all my Defensive Computing postings.

NOTE: Microsoft says the bug applies to Windows XP Home and Professional, but doesn't bother to state if it is the 32-bit or the 64-bit editions or both. For Windows Server 2003, which is also affected by this bug, they do clearly make this distinction. And, Microsoft does not say that the bug applies to the Media Center Edition of XP - almost every bug for XP Home and Professional also affects the Media Center Edition.

May 25, 2008 9:04 PM PDT

Free Office viewers

by Michael Horowitz

Not everyone wants to, or can, pay for a copy of Microsoft Office. Some of us, instead, choose to run free software that competes with Office, such as Open Office or Star Office or IBM's Symphony.

As a user of Open Office, I can attest that its formatting of Word documents is far from perfect, and there is no way to know how good a formatting job it is doing on any particular document. To get perfect rendering, I also use the free Office viewers that Microsoft provides for Word, Excel and PowerPoint. You can download them at microsoft.com/downloads (select "Office" in the left side column).

Despite the name "viewer" these programs also let you print Office files and copy data into other applications. The viewer programs are supported on Windows XP, Vista, 2000 and Server 2003.

The most popular viewers are those for PowerPoint 2007 and Word 2003. The Word 2003 Viewer, like Word itself, can read documents from earlier versions of Word.

The latest Word viewer, released in September 2007, is simply called the Word Viewer, with no version number at all. It's nice to be a monopoly. You can think of the latest Word Viewer as the Word 2007 Viewer since it lets you view the new .docx and .docm file formats. However, to get this functionality, Microsoft also requires that you install the Office Compatibility Pack.

The latest Excel Viewer, released in January 2008 also has no associated version number. A screen shot is below. I haven't used it much, but have noticed that it doesn't let you resize columns.
In part, this posting was prompted by a recent question at ask-leo.com - Do I need MS Office updates if I only have the viewers? The answer is yes, but Windows Update doesn't cut it. Just like with the real Office software, bug fixes to the viewers are detected and installed with Microsoft Update. The Word 2003 Viewer was released in August of 2005 and needs quite a few patches as shown below.
Office documents have often been booby-trapped with malicious software, so be sure to run Microsoft Update after installing any of the Viewer programs.

Many of the Word documents that I'm sent don't need to be edited, only viewed. If that's the case for you too, you may be able to save the cost of Microsoft Office by combining free Office software with the free viewers.

See a summary of all my Defensive Computing postings.


About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
