Updated to add: Just to make it clear, I think Microsoft should have disclosed that it was installing this update. It was stupid for them not to do so and even more stupid not to have a KB article on this update. But there is a very logical reason why a reasonable manager at Microsoft would choose the strategy they did. Without this patch, Windows Update stops working. If WU stops working, Windows users (Microsoft customers) are more vulnerable. Unfortunately, what’s good for the majority in this case is also ammunition for those who are looking to bash the company.
But leaping from a single update to the conclusion that Microsoft is about to start downloading and installing other sorts of stuff on your machine, as some of the reporters covering this story did, is stupid as well.
As a commenter notes at O’Neill’s blog, Microsoft has a procedure in place to require updates to it Windows Update code and related utilities. If you visit WU manually, you might see one of these updates, which you must approve and install before you get to see the actual updates available for your system. So why didn’t they use that procedure here? Offer me a single update. After I approve and install it, I get to see the rest.
Also, I should note that the Microsoft Update Services Privacy Statement, which governs this component, does not include authorization for silent updates. Whoever authorized this update really screwed up.
There’s ample room for criticism of Microsoft, and there’s a genuine need for them to fix the mess they created. It’s also important to keep the whole issue in context.
OK, back to the original post…
I’ve been somewhat incredulous over the fuss about Windows Update choosing to update itself automatically on systems where users had told it to check for downloads. I was even going to write something about it. Then I read this post by Microsoft’s James O’Neill, who said everything I was going to say.
Two excerpts if you don’t feel like clicking through:
I don’t think people should automatically trust Microsoft. I don’t think they should automatically distrust us either. We need to earn trust, and sensible people will keep re-evaluating “In this case should I or shouldn’t I”. There are plenty of people out in the world who think no-one should ever trust us, a great many of them post on line to discussions and blogs, some write for magazines. Giving these people ammunition is stupid. And any manager in Redmond who does should be made to write out “I should never do anything which undermines public trust in my employer” 10,000 times. Preferably while sitting in a set of stocks (I’d locate these under the campus flag poles outside Building 10)
To me, the whole premise of this argument is stupid. First off when I went to grab the screen shot I’ve modified here it says at the bottom
“Note: Windows Update might require an update before you can update Windows”
Granted I had to read that twice, as obviously WU can’t update the OS if there are no updates, the word “Itself” should be in there. But I’ve been imagining a conversation with some of the people who are making this fuss, (who seem to want to the WU dialog to appear like this version)
Me: You selected a radio button which said check for updates, so do you want it to stop checking if we change something at the server ?
Them: No… but… WU shouldn’t change a single byte on my computer without my permission !
Me: Not one ?
Them: Not one.
Me: So how does it maintain a list of available updates to offer you ?
Them: Err… Well that doesn’t count, it shouldn’t change Executables
Me: So you told it to just get the list of updates
Them: … yes
Me: and to take the steps that are needed to get the list ?
Them: … obviously, yes.
Me: Even if that means updating the software that gets the list …
I agree completely with James that the reporting on this issue has been crappy beyond belief, and that Microsoft deserves criticism for making it so easy to call them EEEEEEEEVVVVVIIILLLLL.
Anyway, read the whole thing.