Number 249 - February 2004

Tech Talk - Windows Updates

By Brian K. Lewis, Ph.D., Sarasota PC Users Group, Inc.

How do I know when I
should download an update to Windows? Should I do it automatically, or
should I just ignore the update notice? Should I set my Windows software
to look for critical updates or should I wait until I think I need an
update? The answer to these questions is generally "It depends". So, how
do I make these decisions?
How does Microsoft's Update site know what updates I need? Let's take a look at how we can get information on Windows updates that will allow us to make a more informed decision.

In Windows XP, Windows Update can be configured to check for critical updates at regular intervals. Then you can decide whether you just want to be notified of the updates, download the updates automatically, or automatically install the updates. Once you have configured it to check for updates and notify you, you then have the option to review the updates and download only the ones you want. In earlier versions of Windows you need to click on Start->Windows Update or Start->Settings->Windows Update. You can also find an icon for Windows Update in the Control Panel.

Next is the selection process. The update notice or the Windows Update site will have a short summary of each available update (sometimes referred to as patches), whether critical or not. The critical updates are all identified, and their summaries tell you why the update is considered critical. For example, if the summary contains the words "blocks a hole which would allow an attacker to take over a computer running Microsoft Windows", then you know that this update is really essential! If the information in the summary is not sufficient for you to determine its importance to your system, then there is usually a link containing the word "more". Clicking on this link will take you to a Security Bulletin directly related to the update.

This bulletin will have more detailed information about the patch and the vulnerability it is designed to correct. For example, Microsoft Security Bulletin MS03-032 discusses a cumulative patch for Internet Explorer. It lists a maximum severity rating of "critical". It also states that there are two new vulnerabilities in IE, the most serious of which would allow an attacker to run arbitrary code on a user's system. It goes on to list the versions of IE that are affected (IE 5.0 through IE 6.0). This should be enough warning to indicate that you really want to download and install this patch. This bulletin also has several pages of technical discussion of the problem. However, the introduction to this bulletin has provided enough information for most users to determine the severity of the problem.

The Windows Update site also has updates for Windows software that are not related to critical issues. These are listed under product updates and driver updates. The user can review these, again, by reading the complete summary related to the update. If you need more information, there is usually a link that will provide you with a more complete description of the nature of the update.

One thing you will always note when you go to the Microsoft update page is that it checks your computer to see what updates have been installed. It also knows what hardware you have and if a new driver is available. Your download history is stored on your computer in a file in a subfolder under the Windows Update folder. This history contains the information for any critical update, program update or driver update that has been downloaded and installed on your system. It is this series of subfolders on your computer that Windows Update checks in order to determine what updates you need to download.

Your computer also has a hardware information folder that contains all the ID numbers of the plug-and-play hardware on your computer. This folder is created at the time the operating system is installed. Windows Update compares its list of driver updates to the hardware list for your computer to determine if any updated drivers are available. The second step is to compare the driver updates to those already installed on your computer. During these processes, there is no personal information transmitted from your computer to Microsoft.
The update selection is solely based on the information stored in the hardware list and the previous update installation files. Microsoft has listed the specific information collected from your computer and published it on their update Web site. Their statement is in the following paragraphs:

"The following information is collected from your computer.

1. Operating-system version number
2. Internet Explorer version number
3. Version numbers of other software for which Windows Update provides updates
4. Plug and Play ID numbers of hardware devices
5. Region and Language setting

"The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics.

"Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.

"Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session.

"To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above."

One of the most common recommendations that can be found relative to Windows Updates is "ignore them until a service pack is available". Unfortunately, this is not adequate. Microsoft releases patches and "hot fixes" which are necessary to prevent vulnerability to hackers, viruses and worms. These should always be installed as soon as possible. Had everyone followed the "service pack only" advice, the damage caused by the Blaster worm would have been far greater. In fact, if everyone had installed the critical update Microsoft released in July 2003, there would have been no computers with openings for the Blaster to exploit. Consequently, it is far better to install any security patches when they are released.

Admittedly, there have been security patches that have caused problems on some computers. For example, a patch issued in April 2003 designed to fix an error in the OS kernel caused systems to slow to a crawl.
Had the patch not been installed, the damage an attacker could have done would have been far worse than the reduction in speed. However, Microsoft also designated this fix as important, not critical, because of the difficulty involved in exploiting this vulnerability. As with many of these updates, this one could be uninstalled, after which the speed problem disappeared. The uninstallation can be handled through the Windows Update site or, in Windows XP, from the Control Panel (add/remove software). Before you download an update, you can also click on the "Read this first" link. This takes you to a page that has more info on the update as well as specific uninstall information.

Some users have had problems with the update process. You should be aware that Windows Update will not work with internet browsers other than Internet Explorer. The IE version must be 5.0 or greater. If you use Opera, Mozilla or Netscape, you must reset IE to be your default browser and then access Windows Update. You can restore your original default browser after you have completed the update process.

The primary reason for using IE instead of a third party browser is that Windows Update uses two ActiveX controls for this process. If you have turned off your ActiveX controls in IE or set your security setting too high, you cannot complete the update process. You must use IE with a security setting of Medium or lower. As Microsoft states: "Windows Update uses ActiveX controls to check what software is installed on your computer in order to provide you with a correct list of updates and other software you may want to download."

Additional problems can occur if you do not disable your anti-virus software before attempting a Windows Update. Microsoft has specifically listed Norton, McAfee and PC-Cillin as software that should be disabled before starting the update process. You should also disable any Web accelerators or download assistants. Microsoft has listed at least 16 accelerators that will prevent the update process from succeeding (article 241234).

If you need more information on this process, Microsoft has a number of Knowledge Base articles that you can obtain from their Web site. One of the most useful is "How to Download Windows Updates and Drivers From the Windows Update Catalog" (article 323166). You can also get more information on security updates from www.microsoft.com/security/home. Another reliable source for information on critical updates is www.winguides.com/security. You can also sign up for a free newsletter from WinGuides related to security issues.

Windows Updates are necessary to help prevent problems with viruses, worms, etc. However, they should be used in combination with constantly updated virus definitions, firewalls, parasite removal and frequent backups of your important data. It takes a combination of all of these to keep you, and your computer, happy and functional.

Copyright 2003. This article is reproduced from the October 2003 issue of the Sarasota PC Monitor, the official monthly publication of the Sarasota Personal Computer Users Group, Inc. Dr. Lewis is a former university and medical school professor, has operated a computer consulting firm in Sarasota for the past 19 years and has been working with personal computers for more than 30 years.