"""
Most of these flaws are not the OS, they're Microsoft applications / services that sit on top of the OS.
"""
Well, it seems like every time someone does one of those silly vulnerability counting "analyses" they want to include Gimp vulnerabilities right alongside Linux kernel ones.
So I'm not inclined to cut MS much slack just because some vulnerabilities happen to be in *apps* that most Windows users use by default, and not in the system libraries or the kernel.
That's one of the major reasons why I consciously choose to use Windows over other operating systems. I know I'll be getting patches and fixes regularly, and that these patches will be obtained in the background for me to install at my leisure.
To be honest, I don't even know how many patches I've got since I bought XP, because they're largely invisible to me, something I skim over and approve or deny as part of my regular maintenance.
Poor me - it's so different in Linux. There are updates for OS and any software you happen to install from repositories. Alas we don't have patch tuesdays - updates are frequent and we have no pleasure to stay with whopping security holes for a month. And yes, we are depressed because we don't have to reboot every time an update is applied for any component...
That's one of the major reasons why I consciously choose to use Windows over other operating systems. I know I'll be getting patches and fixes regularly, and that these patches will be obtained in the background for me to install at my leisure.
OK, now just tell me how that's actually different from what any modern Linux distro does. Except for the fact that in Windows it only applies updates for Microsoft software instead of everything you've installed. There are plenty of reasons to choose Windows, but automatic updates isn't one of them.
Although some nuts here scream about the perils of security in Windows and how their operating system of choice is superior, what I can assure you is that the position of most people here doesn't sit in that camp.
The issue isn't the vulnerability but the length of time between the vulnerability and the patch being issued - take DNS vulnerability, for example. It was found in April, an exploit was developed, and the patch wasn't developed until today - I don't know about you, but that is terrible; what are companies meant to do who rely on that piece of functionality?
If vulnerabilities were found, there was a fast turn around with the patch, and the patch didn't cause further problems - there would be no issue, but it seems that with Microsoft you either get a patch that is quick but problematic, or late, but quality - but at the risk of exposure to exploits that exist out there.
A few weeks from discovery to pushing out service isn't incredibly bad. It's better than the pathological case where a bad patch turns an obscure VB macro vulnerability into a system that won't boot. I'm not a fan of Patch Tuesday, but you can't generally push out service within a week of defect discovery. You might hit a hot streak and get it right a bunch of times in a row, but you're gunna pay for that haste eventually.
Big software vendors keep track of how many times they blew it and issued a bad fix. This is just about the worst thing that can happen from a quality perspective, worse than having the original bug in the first place. Besides being embarrassing, it's a surefire way to lose customers.
There are two main ways to put out a fix. If the problem is really critical and customers are yelling and screaming, you can rush the fix and allow voluntary application with loud disclaimers about being not-so-well tested. Otherwise, you have to do everything in your power to make sure the fix will get rid of the problem without causing any new ones. There's no middle ground here, and little room for error.
You make the fix available as soon as it's ready, no sooner, and certainly no later. That's why Patch Tuesday makes no sense to me. If the customer wants to apply service on the second Tuesday of each month, that's an understandable policy. But it's not for Microsoft to decide. If it's ready, why are they waiting to ship it?
When Microsoft releases a security patch, everybody complains.
When Apple (or any other company) releases a security patch, almost nobody says anything against the company.
It's amazing how terrible Microsoft's public image is today. That will probably be one of the causes of its demise.
If Windows has led to them killing themselves, then I'd suggest that they had other stresses in their lives as well (or they were so ill equipped to handle the real world that they would have taken their own lives inevitably anyway).
To blame deaths down to stress caused by Windows is like blaming Ford for the deaths of irresponsible drivers.
Edited 2007-05-09 12:02
not trying to be flamish, but what's the point of even writing spyware for a mac. it may be different where you live, but where I am it's easier to find a nuclear warhead in someone's house than a mac (ok exaggeration, but you get the point), and malware writers know this. Not to say their security isn't better, it has an excellent bsd-ish base to go by AFAIK, but people go for what they can target, and chances are, windows pcs are the easiest to find.
Windows suffers from years of ignoring that allowing its user total access for general computing is utter stupidity, and let everybody else base their products around that model before deciding it might be a good idea to keep a lock on what programs can and can't do in userspace.
Lots of people who don't want to know how the computer works, and don't want to mess with the internal details of the system, own Macs. They almost certainly haven't locked down their systems, and (since they bought a Mac) they almost certainly have an average disposable income higher than the average PC user's.
Dunno about you, but if I were a spyware author, I'd want into that market big-time.
Lots of people who don't want to know how the computer works, and don't want to mess with the internal details of the system, own Macs. They almost certainly haven't locked down their systems, and (since they bought a Mac) they almost certainly have an average disposable income higher than the average PC user's.
Dunno about you, but if I were a spyware author, I'd want into that market big-time.
I see your point, macs are generally more expensive and the people who use them and buy all the extras for them would generally have more money and would be a more lucrative adventure for any malware author. but not all chances to phish someone's machine, or to trick them into buying something bogus work, so say you reel in 5 macs in an hour, and 50 windows machines, and half your attempts on each successfully lure in cash, you're still pulling in way more targeting the pc market. there needs to be numbers, and attention, and apple does get the attention, but not for their computers. The marketshare doesn't really exist in comparison.
somewhat offtopic
too bad, because the newer macs look very nice, and macosx looks slick, it would be nice if they opened the hardware up to 3rd parties again (remember that?) so the average person could actually buy a nice mac, instead of refinancing their mortgage and dropping 5 grand, when you could build a pc much faster for half that.
Macs cost 5 grand? Wow, I must be real lucky to find mine for under a grand.
1999 just called. They want their crappy excuse back.
I didn't say all macs cost 5 grand, I said one comparable to a quite powerful pc cost that or more. sure you can buy a mac for under 1000 dollars, with a smaller screen, and middle to low range performance, which is fine, and there is a market for it. but if you want something made for serious computing, you're in for a financially devastating adventure. I was actually able to configure one for over 10 grand recently, where at dell the same specs came around 5k with a much bigger lcd screen and a tb more of storage. I know it's hard to compare the two, but when you look at numbers alone it's quite substantial.
oh and btw they had macs for under a grand in '99 as well, so I'm not sure what excuse you are talking about. I don't hate macs, I just don't see where all the extra cost comes from, brand name hype should not be associated with cost. But that's Ilife
Heh. I have a mac and my income is certainly not enough to be disposable. This idea that Macs are only for the rich is absurd. I bought a MacMini for £300. You can't buy much of a PC for less than that, AND it came with a full software set. (No crapware either [see: crapware allows OEMs to reduce the cost of PCs])
Lots of people know how to get rid of spyware on a Windows box. If your Mac was running spyware, what would you do? What tools would you use to verify your system was clean? How often does a Mac user take his machine in to a shop that's going to be scanning for this stuff? It'd be forever before anyone even knew there was spyware out there for the Mac and it'd be even longer before there was a systematic fix.
At least that's my guess. Windows DOES have a huge piece of the market.
"Lots of people know how to get rid of spyware on a Windows box."
I may tell you from Germany: Most of them do not know. They don't know what spyware is and what it does, they don't know how to check. So they can't tell if they're running spyware. If they knew, they would not care anyway. At least that's the usual way among "Windows" users here. The majority is not able to do system updates and security fixes. They don't do them or leave it to somebody else. That's why "Windows" is so easy to use. :-)
In difference, Mac users do know spyware exists, but they seem to be sure their systems cannot be affected. They seem to be aware if the system acts differently, maybe this is because of the consistency of the Mac OS X GUI?
Right. And when they eventually realize that there is something wrong with their computers, they will blame viruses immediately and then whine that the antivirus couldn't catch that one and then sing praises to those "all-in-one monsters" (firewall, antivirus and antispyware thing that does nothing other than slow down the machine) that Symantec and McAfee push down their throats.
Actually, I used to get into heated discussions just because I dared to say that some of those free antivirus apps out there are much better than Symantec's or McAfee's expensive ones. Nowadays, I just don't bother anymore and let them turn their brand new Core Duos into Pentiums 1...
Yeah, it's 14 years and counting for me with no anti-virus on my Mac. I'm sure that there have been plenty of vulnerabilities since MacOS 7 but it hasn't caused me any heartache.
On an article related note though; my biggest problem is not that MS doesn't patch their systems, they do. But what I see happening in my corporate environment is that our WSUS server is doing a really bad job of actually getting the patches out to the workstations.
Yeah, it's 14 years and counting for me with no anti-virus on my Mac. I'm sure that there have been plenty of vulnerabilities since MacOS 7 but it hasn't caused me any heartache.
No surprise. Nobody targets operating systems that are used by a tiny fragment of the computing population.
A market share of approx. 2-5% (depending on source) is not exactly tiny. We are talking many millions of users. OS X is being targeted and so is Linux. These attacks are just less successful - so is spyware and malware targeted against Vista.
OTOH, I don't know how much fighting spyware and malware will help. The weakest point in the chain is the end user.
You are correct, but more correctly, the reason why many don't take open source software (and some cases, proprietary software from non-Microsoft vendors) is because the window between the release of the vulnerability information and the patch is very small.
For an exploit to be successful, there needs to be a sufficiently big enough window as to allow exploit writers to write their malware and deploy it within a quick enough time.
The problem is that open source projects tend to get their vulnerabilities fixed, in some cases, within hours of the vulnerability being made known, with compiled packages made available through distributions within 24 hours.
It isn't the fact that there are vulnerabilities in windows, but the fact that there is a massive delay between the knowledge and patch being made available - the DNS vulnerability has been known for a month, an exploit was made available, and yet, there is this slow, slovenly attitude when it comes to getting fixes out in a timely manner.
You are correct, but more correctly, the reason why many don't take open source software (and some cases, proprietary software from non-Microsoft vendors) is because the window between the release of the vulnerability information and the patch is very small.
First, I'm sure you don't mean to include Apple when you say "non-Microsoft vendors" because their track record on average discovery to patch time compares with Microsoft's pretty closely.
Second, patch availability doesn't equate to patch installation on an end-user's box. Shortening the cycle time merely increases the number of patches; it doesn't mean that the software you're using is "more secure".
Actually, in some cases I'd say they're worse - take a look at the Month of Apple Bugs, if it weren't for that - how long would it have been for those issues to be fixed?
Hence the reason you'll never hear me bash Microsoft if they release a patch and there are idiots who fail to maintain their computer by checking for updates and installing them.
If Microsoft releases the patch in a timely manner, they can then say, "hey, we've done our end of the bargain, the ball is now in the user's court" but the simple fact is, there is such a delay that in many cases, end users become infected before the patch is released.
Edited 2007-05-09 21:32
That is not correct. Apple got flamed a few days ago. And several linux distributions have been flamed by linux users - heck, some have even flamed OpenBSD because of two (2) holes in the default installation.
Nobody complains about Microsoft releasing patches.
People are complaining about the sheer number of patches, the nature of the security holes, the release policy and of course the amount of years many of these bugs have been around.
Of course Microsoft have a terrible public image - and they deserve it. They have delivered piss products for decades (ever since their basic (an illegal rip-off) in the '70s). People (especially geeks) despise Microsoft for having delivered shit to users for decades (old Basic, DOS (illegal rip off again), Windows until Win2K - not counting the beating MS has taken over security issues) - and most despise Microsoft for its behaviour and rightfully so. A company that behaves like Microsoft does not deserve any better. Microsoft products have been quite alright technically since Win2K (forget all about good products before '00/'01). Microsoft likes to steal IP from other persons. The old MS Basic (stolen), DOS (BIOS code stolen from CP/M), patenting of grouped taskbar button despite this having existed years before Microsoft suddenly invented it, and of course Microsoft patenting BlueJ. MS did some damage control but fact is that no news has come out afterwards. It was a deliberate attempt to yet again steal IP.
Such a company deserves nothing but contempt.
Very well said. I am always amazed at how so many Windows and Office exploits get glossed over that are variants on old issues. The recent 'ANI patch that took so long to fix a resurfaced older exploit. Then there are the recent RINBOT, DELBOT, VANBOT, Mdropper.W problems that are so reminiscent of W97M/Melissa.
Erm... no.
Microsoft BASIC was written by hand. MS-DOS was based on QDOS (Quick and Dirty Operating System); Microsoft outright purchased the rights from the original developers for something on the order of $60,000 (not bad for a single-tasking command-line-only OS), and hired the original developer to work at Microsoft for a total of ten years (about one million dollars, plus nonmonetary bonuses). If paying for something is stealing, then what isn't stealing?
The facts about the early years of Microsoft aren't that hard to get...
I tried to find a reference to this, and the only thing I found was on Wikipedia. The Wikipedia entry asserts the claim that Kildall was able to prove it through a DOS command. However, neither Wikipedia, nor the podcast (!) they cite as proof, nor the person who publicised this 'proof of theft' will give out this command.
And if you're using Wikipedia as a reference, you need to find one, because Wikipedia is not known for its accuracy (especially when it comes to computer issues, as a stated goal of Wikipedia's founder Jimbo Wales is to spread copyleft).
Well, that goal doesn't mean it is inaccurate, neither does it imply it is inaccurate or will be because of that goal. I do however agree with you that Wikipedia is inaccurate in many situations - however, Wikipedia tends to be more accurate than other encyclopaedias (no, the ae isn't a speeling eroor - it is just archaeic spelling).
Of course nobody will give you proof of that specific command. Why would they? Why should they? Has Microsoft given any proof for the attempted and aborted patenting (after fierce public outcry) of BlueJ being a mistake?
Google: "cp/m dos kildall bios ripoff" <-- that should give you some hours of reading. But the main source for the claim about DOS being illegal was Kildall himself. His credibility was larger than Gates' will ever be.
People are complaining about the sheer number of patches, the nature of the security holes, the release policy and of course the amount of years many of these bugs have been around.
Which merely proves that there are a lot of whiners in this world with too much time on their hands -- or too many axes to grind.
Our MS-apologist woke up
Complaining about the sheer numbers of highly critical holes in Windows is not whining. These security holes are responsible for worldwide losses of several billion US$. Complaining is a quite proper reaction.
The fact you call complaining about lack of security for whining tells me a lot about your lack of understanding of the issue - and your lack of respect for other individuals.
There are no such high numbers in Linux, *BSD and OS X.
Besides that the security policy is different, the flaws much less critical (most are uncritical or only theoretically exploitable) and fixes are released ASAP no matter whether possibility of exploitation has been confirmed or not. Microsoft usually doesn't release fixes ASAP - not even when exploits are in the wild. And they only fix holes verified to be exploitable, whereas in GNU/Linux and *BSD anything that just might one day perhaps maybe could be might be and so on will be patched ASAP.
There are no such high numbers in Linux, *BSD and OS X.
Since you're trying to carve out an unfair comparison of "Linux" ("it's just a kernel! it's just a kernel!") to Windows, then the Windows kernel has similarly few critical vulnerabilities.
Besides that the security policy is different,
Not compared to Vista.
...the flaws much less critical (most are uncritical or only theoretically exploitable)
Not true, compared to Vista.
...and fixes are released ASAP no matter whether possibility of exploitation has been confirmed or not.
Making a large number of patches available doesn't mean they're being installed. It merely means a large number of patches are being produced. This does not amount to better security.
Microsoft usually doesn't release fixes ASAP - not even when exploits are in the wild.
All operating systems have zero-day exploits. Windows exploits are simply better promoted.
And they only fix holes verified to be exploitable, whereas in GNU/Linux and *BSD anything that just might one day perhaps maybe could be might be and so on will be patched ASAP.
So, in other words, these patches have no customer value and would only require significant additional cost for testing and deployment. Nice. No thanks.
No I'm not! I haven't in one single point claimed any such thing. I have compared my entire Gentoo system with Microsoft's monthly security releases. E.g. I'm counting everything in my GNU/Linux system, incl. proprietary software like Flash and Skype.
Let me repeat: I have not at any time EVER claimed that the comparison is unfair because "Linux is only a kernel". I have all the time made it VERY CLEAR, that I'm comparing Windows with my entire GNU/Linux system (fully fledged Workstation system). At least post the link to the post where I claim such a thing. You cannot do that because I did not claim such a thing!
Microsoft's security policy in regard to patch releases is unchanged in regard to Vista. Correct, the desktop security model (UAC) is different, but I was obviously not talking about that. We were ONLY discussing Microsoft's policy about patch releases - and nothing else. We were not discussing su, sudo or UAC in this regard. UAC is completely irrelevant in regard to Microsoft's policy of monthly security updates. Besides that the vulnerabilities are mostly related to XP and Windows 2003 Server so Vista is irrelevant. And I have already stated several times that Vista is different from the others and does not suffer from the weaknesses of its predecessors.
Again. Vista is irrelevant here. I have already in my earlier post exempted Vista from the discussion since the vulnerabilities are mostly targeting XP and Windows 2003 Server. In regard to Vista, Vista has already seen as many security fixes since February 2007 as my entire Gentoo system has seen since October 2006. But it should definitely be noted that the vulnerabilities for Vista have been much fewer and much less critical compared with its predecessors. That's true and I'm happy to see that.
Completely irrelevant! If the user is dumb enough not to install security fixes then only the user can be blamed. Microsoft cannot be blamed for users not installing security fixes. The important issue here is whether or not the fixes are found in due time. This happens for GNU/Linux and *BSD but definitely not for Microsoft Windows. Especially the old code base in Windows is extremely vulnerable (while the newer code is of much better quality) but people already concluded that when the codebase for Win2K and NT was leaked.
Irrelevant! And not true in regard to Windows exploits being "better promoted". The problem is the sheer number of these zero-day exploits. I have yet to see one for any package on my Gentoo system. Again, Vista can be exempted from this. Vista is in regard to security classes better than its predecessors.
It is the number of flaws, the nature of the flaws, the critical level of the flaws and the insufficient patch release security policy of Microsoft that is the reason for Microsoft being "flamed". Microsoft doesn't fix anything until the attacks _have_ happened.
Woot? Are you insane? How can you possibly come to the conclusion that fixing a possible vulnerability contains ZERO customer value? Do you really want your customers to lose billions of US$ before you fix anything? According to that logic Windows has no customer value. I don't think that's what you intended to write. But that's what you wrote.
Fixing possible vulnerabilities BEFORE they can be exploited contains A LOT of customer value. But it does take resources and Microsoft cannot deliver profit if it wants to be pro-active. Microsoft not releasing anything until the damage HAS happened is a DELIBERATE choice from Microsoft. Microsoft only cares about its profit and not about its customer. EOF
Microsoft doesn't need to be aspersed: its marketing policy has always been malicious enough to smear its own name. It's ok if you do business just thinking money, but credit and respect have to be deserved: they can't be bought or extorted.
That said, every OS and piece of software needs patches for one reason or another. If it's not because of security issues, it's because of other flaws. I was never scandalised when IBM released FP's for OS/2, so I think it's good MS patches up its own products. It's just that IBM, for instance, used to release fixes oftener and its OSes didn't die so prematurely (EOL). I never heard about IBM adopting some obscure strategy about when and how to release fixes. I can't say the same about MS, though.
When you're forced to buy something you may not want or need from a monopolist you have every right to be outraged if it isn't even half as good as promised. There's no denying you do pay good bucks to get a MS product and when you find out there's a big hole in it you're entitled to protest some way. Verbally bashing MS is a form of protest and the Redmond folks should take it seriously, before it's too late. I don't love MS, but I feel its demise isn't going to mean all fun.
I do use Windows and I'm ok with those who use it exclusively. Yet, basically, I don't have the same degree of respect for Microsoft as I have for others and I don't think I, or anybody else sharing my views, can be criticised for that.
Security updates for Microsoft Office:Mac have also been pushed out today
http://www.microsoft.com/mac/downloads.aspx?pid=download&location=/...
I'm one of those guys who usually takes a pro-Windows stance around here, but just to be fair and balanced, I turned on my PC monitor this morning to be greeted with a message that important updates had been installed and my machine rebooted, which is the first time that has happened. Usually, it'll just download the updates and prompt me to install.
The thing is, my computer was recording some audio last night and rebooted right in the middle of this. Luckily, I was using Adobe Audition and the file was preserved for me. But still, that sh*t ain't cool when they start rebooting your machine remotely, not having ANY idea what you might have the computer doing at the time.
I have to agree 100% with this one. I have no problem with Microsoft's frequent updates. I think they do a good job of releasing updates even though I am primarily a Linux user. What I do have a problem with is the way they are releasing updates these days. They like to automatically reboot your machine which I believe is a _MAJOR_ mistake. As you say, this could interrupt important work. Also, after updates are installed, they pop up a dialog saying you need to restart. I often click "restart later" because I am in the middle of playing an online game. Now, every few minutes my full-screen game minimizes so I can click the restart later button again! All this does is reinforce the image that you do not own your computer when you use Microsoft Windows, you are just borrowing it from them. They are free to do whatever they think necessary with your computer. I say "PUH-lease" stop that!
The worst thing is when you run a web server that is supposed to have constant uptime, and Microsoft decides to just reboot it on its own time. Rather than letting any of your users know that the server is going down for maintenance, etc.
Not to mention you have some of those systems that are running domain controllers and they take forever to boot up, as do any machines that need to connect to that domain controller.
Windows is pretty unfriendly to creativity and presentation in general due to its overall neediness. We've probably all seen the old photos of Windows 98 BSODs in airports and other public places, but the system doesn't need to crash or reboot to cause an interruption. If I scroll through the low cable channels that are used for local government and public access (events calendars and whatnot), two of them might have a Windows error message or other dialog on top of the presentation. One of them I saw was complaining that the system was running low on memory, which is pretty bad if all it does is run a PowerPoint show all day. Windows just isn't designed with the concept of uninterrupted workflow.
But still, that sh*t ain't cool when they start rebooting your machine remotely, not having ANY idea what you might have the computer doing at the time.
It's not like you don't have a choice in the matter. Simply turn off automatic updates via the control panel -- and tell it to simply notify you when an update is available. Problem solved.
The problem is that some installs automatically reboot the machine. Installing manually doesn't help. After installing an update the update will reboot the machine without giving you a choice.
You cannot disable automatic booting. You can only disable automatic download and automatic installation. Disabling Automatic Installation != disabling Automatic Rebooting after Installation.
Here's an idea...TURN THAT FEATURE OFF! Have it download, but not install the updates...moron.
It was really raining hard the other day, and my window was down. I got soaked!!! I blame the auto maker for having windows that go down...oh wait, sorry...I can roll the window up.
Well, I won't stoop to your level by calling you names, but that wasn't the question. I already HAVE THAT FEATURE TURNED OFF! The question was how do you stop updates from automatically rebooting the computer after the update is installed.
Reading is fun-damental.
No, no and again NO! It is not up to Microsoft to decide that automatic rebooting is for my "own good". That is exactly the kind of thinking I am talking about. If my application is in the middle of mission critical number-crunching, it IS NOT for my own good to automatically reboot. 'Nuff said.
That's incorrect. You can set the updates to not automatically install. But once they are installed, some of them will automatically reset your PC. I even had my system set up to "Automatically download but do not install patches" and it did it anyway. Not sure, but I think the setting reset itself at some point. I just know I went to bed with my PC booted into Windows one night, woke up the next morning and I was in Linux at the login screen (I dual-boot with Linux being first on the boot menu). When I rebooted into Windows next it said it had to finish applying some updates.
I've had some settings within Windows just change on their own before too. Can't recall exactly which ones, but most of them have had to do with Windows Updates.
The fact that they even have ANY updates that force you to reboot your computer is good enough for me to prove that their programming is bad form. Literally the only time that a reboot should be required is when there is a kernel update. Something like the DNS server being updated should only require that the service be stopped and restarted with the patched one. In fact if you simply quit a program in Windows, then run an update, most of the time it won't ask for your PC to be restarted. If an update simply told you to stop the program (or by gods just stop it automatically, especially in the case of services) then to start it back up after the update, then you wouldn't even need to reboot your computer that often.
If I recall, that was supposed to be one of the things that they advertised being a lot better in Windows XP. But as we can see, it's still there in Vista. The Reboot to Update syndrome.
There are literally only three reasons I have EVER rebooted Linux. 1) Kernel update. 2) Reboot to Windows to play some video games. 3) Very rare occasions when it locks up. This is usually due to X.org and alpha level software like Beryl or Compiz which lately have stabilized quite nicely.
Yeah... I agree that this is a good default setting. I've seen plenty of older machines with the Windows update icon in the systray sitting like that for days because the updates had not been installed. And before some idiot chimes in about how they don't need to reboot their machine after updates on $insert_os_here, consider that your programs use shared libraries that may have been updated and due to the way most OS file semantics work, the new updates will not be picked up by already-running processes. The best way to GUARANTEE that the updates are actually installed is to reboot.
If you have a serious problem with this behavior, here's the fix: http://www.emailbattles.com/2006/01/11/vuln_aacgjahfig_ib/
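The comment above argues that already-running processes keep using the old copy of an updated shared library. On Linux this can be checked directly: the sketch below is an added example, not part of the original thread, and its function names and sample data are constructed for illustration. It reads `/proc/<pid>/maps` and lists executable mappings whose backing file has been replaced on disk.

```python
import os

# Constructed sample of /proc/<pid>/maps content (not captured from a real host).
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 131090 /usr/sbin/sshd
7f1c2a000000-7f1c2a1b0000 r-xp 00000000 08:01 262200 /lib/libcrypto.so.1.1 (deleted)
7f1c2a1b0000-7f1c2a3af000 r--p 001b0000 08:01 262200 /lib/libcrypto.so.1.1 (deleted)
7f1c2a400000-7f1c2a5c0000 r-xp 00000000 08:01 262144 /lib/libc-2.31.so
7f1c2a700000-7f1c2a701000 r-xp 00000000 00:01 4242 /memfd:jit (deleted)
7ffd1b000000-7ffd1b021000 rw-p 00000000 00:00 0 [stack]
"""

DELETED = " (deleted)"  # appended by the kernel once the mapped file is unlinked
IGNORED_PREFIXES = ("/memfd:", "/SYSV", "/dev/")  # shared memory and JIT, not libraries


def stale_libraries(maps_text):
    """Return sorted paths of executable mappings whose on-disk file was replaced."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping with no backing path
        perms, path = fields[1], fields[5]
        if "x" not in perms or not path.endswith(DELETED):
            continue
        path = path[: -len(DELETED)]
        if not path.startswith(IGNORED_PREFIXES):
            stale.add(path)
    return sorted(stale)


def scan_host(proc="/proc"):
    """Map each PID to the replaced libraries (or binary) it still executes."""
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "maps"), errors="replace") as fh:
                stale = stale_libraries(fh.read())
        except OSError:
            continue  # process exited, or we lack permission to read it
        if stale:
            report[int(pid)] = stale
    return report


if __name__ == "__main__":
    for pid, paths in sorted(scan_host().items()):
        print(pid, ", ".join(paths))
```

Run it as root to see every process; a listed process maps the updated file once that process is restarted.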
No, no and again NO! It is not up to Microsoft to decide that automatic rebooting is for my "own good". That is exactly the kind of thinking I am talking about. If my application is in the middle of mission critical number-crunching, it IS NOT for my own good to automatically reboot. 'Nuff said.
If it is a mission critical server, why is it set up for auto reboot? You do know you can configure that, right?
No you can't. You can configure whether or not updates are automatically installed. I ALWAYS have that off. Apparently what you cannot configure is the automatic rebooting AFTER updates are installed. In addition, I have found nowhere that you can configure Windows to quit bugging you every few minutes telling you to reboot. It is very annoying when you are playing a full-screen game. I guess I will just have to wait to install any updates until I know I am ready to reboot. However, I don't like waiting to install them.
"No you can't. You can configure whether or not updates are automatically installed."
You can control all of this behavior via Group Policy for either the domain or the local machine.
Computer Config -> Admin Templates -> Windows Components -> Windows Update. The keys should be self explanatory.
Call me goofy, but I don't understand your directions. Is this somewhere in the registry? I did not find "Computer Config" in the registry, nor in the Control Panel, including the "Manage My Computer" screen. I am running XP at home.
Yeah, but there is a difference between 'updates' and 'patches'. With Linux distributions, the 'updates' actually are software updates most of the time, as opposed to Microsoft's security 'patches'.
If there could be just a "Software Update" repository for all the software you have installed on your Windows machine that just includes patches or new versions, you'd be downloading far more than 1GB a month. Not to mention for new versions of software usually you have to pay for not so many new features most of the time.
It would be rather nice to have a centralized patching system for Windows. The sad thing is though, for example, a lot of video game patches you have to go to places like FilePlanet where half of the time you have to wait in a queue for access to the public FTP or you have to be a subscribing member!
Yeah, but there is a difference between 'updates' and 'patches'. With Linux distributions, the 'updates' actually are software updates most of the time, as opposed to Microsoft's security 'patches'.
You're dreaming. Surf over to Secunia and do some research. Linux-related vulnerabilities are found and patches posted literally every day or two.
That's not what Secunia's website says. But funny interpretation though. And completely unrelated to the poster.
Each month Microsoft publishes more vulnerabilities for my Windows 2003 Server than Gentoo does for my system for one year. 14 critical vulnerabilities Windows this time. And for my Gentoo system I've had 6 security related upgrades since October 2006. And this is a fully fledged workstation installation.
That's not what Secunia's website says.
If you limit your search to the kernel, sure. But, when you apply a reasonable standard that an average person would use -- for example, what components are installed with the average Linux distro or OS X installation, then you will find that there are far more critical vulnerabilities in both platforms than you would care to acknowledge.
Compare Oranges to Oranges:
Most default Linux installs include OO.o. So for windows, you should count MS Office updates as well. What about Web servers? They are usually in a default Linux install (albeit firewalled), let's add IIS to the mix.
Also, remember that MOST critical vulnerabilities in Linux are potential privilege escalation bugs.
Until Vista came out, even the concept of local-computer privileges on Windows was laughable.
It would be like saying that a piece of string that is broken in one place is better than a steel cable that is slightly corroded in multiple places.
Compare Oranges to Oranges
That's precisely what I'm arguing in favor of. But, by the same standard, you need to compare the vulnerabilities within Windows for components that are typically installed by most users. I don't think that most users install MS Office. Sure, it's widely installed, but not that wide. Same for IIS. I think that a fairer comparison would be to also include Firefox and IE.
I'm certainly surprised that you don't think that Office is installed on most computers! I can assure you that almost all workplaces (in the UK, my only experience base) use MS Office and that they are the places where security is far more important than the home.
I agree with Firefox and IE. Linux has Firefox, many people on Windows have Firefox AND IE, so (by your arguments) you should count both when dealing with Windows vulnerabilities and only Firefox when dealing with Linux. Thanks.
Here's another area where proper like-for-like comparison is not possible. The linux kernel ships with drivers for almost all the hardware out there. However 90% of the drivers are included as modules. Therefore if there is a vulnerability in one of the hamradio drivers, 99.99..% users will not be affected by that, yet you would count it because it is a kernel vuln. Windows ships with FAR fewer drivers, and 3rd party driver (+ the inevitable crapware) vulnerabilities are not counted for Windows.
I have had 6 security updates for my entire Gentoo system since October 2006. And that's all. If you compare critical flaws in a default Windows system with an equivalent Linux system (not just the kernel) Windows has many more critical flaws. Especially remotely exploitable which are rare in Linux and *BSD.
Security holes in Apache should also be counted in for Windows, you know.
My svchost.exe is taking up 100% of my CPU and it never stops. A look into Process Explorer informs me that it's the automatic update's fault. Killing the process and trying the update via Internet Explorer effects the same result: system grinding to an unusable halt with laptop fans at full power and CPU maxed to 100%, all because of the automatic update.
So I've decided to disable automatic updates once and for all, and I guess I'll never have my Windows installation up-to-date again, short of a complete reinstall (if that were even to work). So much for MS quality engineering... oh wait, that never happened...
Scrapping the XP partition is looking more and more appealing all the time... Now if I can just find a Linux distro that properly supports my soundcard, I'll be in business. (Ubuntu emits clicks whenever I type certain keys on my keyboard, for no apparent reason.)
I encountered this one recently. Had just cloned 30 identical computers, booted them up and found that the Windows Update thread was hogging the CPU indefinitely on each one. Had to go round each of them disabling AU (not fun when they are running on <1% CPU).
This is a known issue (something to do with internet access) so there may be a fix available.
I just encountered (and fixed) this one today.
You need to install Windows Update Client 3.0
http://download.windowsupdate.com/v7/windowsupdate/redist/standalon...
More info here
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?...
Then install Hotfix 927891
http://support.microsoft.com/kb/927891/
Hotfix can be downloaded from
http://www.microsoft.com/downloads/details.aspx?FamilyId=7A81B0CD-A...
I hope this helps...
Well that seems to have fixed it, more or less. I installed those two things as you said, then tried the update, and while it still resulted in svchost.exe taking over 99% of the CPU, I let it ride its course and it was done in about 20 minutes.
The strange thing is that despite the incredible number of posts I'm able to find via Google on this issue, my search doesn't seem to lead to a useful fix or MS Knowledge Base page (even when I search directly from the MS support site). I'm curious to know where you found out about this method.
Of course, even assuming a user manages to find the magic ingredients to get Windows into this "fixed" state, it still exhibits behavior that's incredibly inappropriate and intrusive for software that's supposed to be running in the background.... I feel sorry for all the many newbie users out there who probably think their computer is simply broken and have no idea how to fix it....
...but at least it worked for now, for me. Thanks for the tip!
I installed these today on our SBS 2003 SP2 server, over RDP, and the server went down completely to where someone had to log in locally and restart that server.
The operating system was still working, but all the networking services stopped on the machine.
Hopefully this was just a fluke, but I thought I would give you a heads up.




