Critics Say Microsoft Patch Download Site Has Faults

Problems with the consumer version of an online extension to Windows that's aimed at making patch installation easier are prompting concerns about the reliability of an upcoming corporate release of the Microsoft Corp. technology.

But Steve Lipner, Microsoft's director of security, claimed last week that the concerns are misplaced and said that the corporate version of the Windows Update technology is working fine in beta-test trials.

Russ Cooper, moderator of NTBugtraq, an online mailing list covering Windows NT security, advised users to stop using Windows Update for downloading patches, claiming that it's unreliable.

Windows Update is basically designed to give users a way to quickly locate and download software patches for fixing security vulnerabilities on individual systems.

Cooper said it's dangerous for users to rely on the technology for several reasons.

For instance, sometimes the Windows Update Web site informs users that they're adequately patched when in fact they aren't, he said. At other times, it asks them to patch systems that have already been patched, or it doesn't install a patch fully, Cooper claimed. Windows Update's method of determining successful patch installation can't be trusted either, he added.


Update Downsides

Critics charge that Microsoft’s Windows Update:

Can’t be trusted to always display the most current and updated versions of software patches.

May cause users to waste time downloading patch components that have already been installed.

Doesn’t always report when a patch installation fails.

Doesn’t verify what it has installed.

Source: Russ Cooper, Moderator, NTBugtraq


Susan Bradley, a Microsoft Certified Professional and certified public accountant at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif., said she recommends that network administrators not use Windows Update for security patches. However, "there are certain critical hot fixes that are not security-related but still needed," she added. "It is very easy to download these for the XP machines [using Windows Update]."

Microsoft plans to release the corporate edition of Windows Update later this quarter. The technology is being introduced as part of the company's Strategic Technology Protection Program announced last fall.

The corporate version will not only dynamically alert companies to new patches, but it will also give them a way to more efficiently manage and distribute patches across their networks, Lipner said.

Cooper said the problem is that the two versions are based on the same technology, so whatever the consumer version of Windows Update does, the corporate edition does too, "and in the same way."

Microsoft is also working on streamlining its patch-release process, Lipner said. Currently, patches are available from myriad sources and services, which at times yield conflicting information. "We know there are issues, and this is something that we are certainly working on fixing," Lipner said. "This is not something we can wave a magic wand over."

Pete Lindstrom, an analyst at Framingham, Mass.-based Hurwitz Group Inc., said these are issues that Microsoft is aware of and has been trying to address for some time now.

"I think they worked hard to facilitate [the patching process]. But there's so little trust on the users' part that most [of this effort] has been unrecognized," Lindstrom said.

Copyright © 2002 IDG Communications, Inc.
