Saturday, December 08, 2007

Understanding Microsoft Updates

Regular readers of Security Garden are familiar with the "first Thursday of the month" advance notice that I provide prior to the monthly Microsoft security updates. A great question was posted as a comment by a reader after the latest MSRC Security Bulletin Release:
"Corrine: I get so confused. I understand there is more than one way to update my operating system. I usually let the auto update download the files then I choose when and which ones I want to install.

My question is there is also a "windows update" on the computer xp pro sp2 do I need to periodically use that also? Am I getting all the updates I should be? Thanks"
When collecting references for this topic, I could easily see how anyone would be confused between the various names and options. An understanding of the terms being used is a good starting point. From the FAQ linked below:
  • Microsoft Update is a service that helps you keep Microsoft Windows, Microsoft Office, and other programs current.
    • It supports Windows Vista, Windows XP, Windows 2000 SP3 or later, and Windows Server 2003.
    • It provides updates for Microsoft Office 2007, Microsoft Office XP, Microsoft Office 2003, Microsoft SQL Server, and Microsoft Exchange Server.
  • Windows Update is a service that helps you keep Microsoft Windows current. It supports Windows Vista, Windows XP, Windows 2000 SP3 or later, Windows Server 2003, Windows 2000 SP2 or earlier, Windows Me, Windows 98, Windows 95, and Windows NT Workstation 4.0 current.
  • Automatic Updating is a feature that automatically delivers the latest high-priority updates to your computer for both Microsoft Update and Windows Update.
To seamlessly get updates not only for the operating system but also Microsoft Office and other products, use Microsoft Update with Automatic Updating. With Microsoft Update installed on the computer, both security updates as well as updates for Microsoft software are included in Automatic Updates. Without Microsoft Update installed or with it deselected, the additional updates must be checked for manually.

To determine whether Microsoft Update is installed on a pre-Windows Vista operating system, go to Microsoft Update. The first time you visit Microsoft Update you will install the software on your computer. Depending on your system, this might include installing two ActiveX controls, which are small pieces of software that help Microsoft Update talk to your computer.

change your Automatic Update settings, you must be logged on as a Microsoft Windows administrator, and then do the following:
  1. Exit all programs.
  2. In Microsoft Windows, click the Start button, and then click Control Panel.
  3. Do one of the following:
    • Windows Vista Click System and Maintenance, and then click Windows Update.

      Note In Classic view, double-click Windows Update.

    • Microsoft Windows XP Click Performance and Maintenance, click System, and then click the Automatic Updates tab.

      Note In Classic view, double-click System, and then click the Automatic Updates tab.

The following Automatic Update options are available:
1) Install updates automatically
2) Download updates but let me choose whether to install them
3) Check for updates but let me choose whether to download and install them
4) Never check for updates
Using a dial-up service, I have the third option selected on my computer: "Check for updates but let me choose whether to download and install them". With language packs, drivers and other software updates available via Microsoft Update, I want to have control over what is downloaded as I certainly don't need 19 different language packs installed, nor do I wish unnecessary downloads over a dial-up connection.

I have also experienced difficulties with various non-Microsoft driver updates. As a result, I always download and install non-security updates separately. Even though drivers are generally uninstallable, I still take the extra precaution of creating a full System Restore point prior to installation.

Recommendation: Use Microsoft Update with Automatic Updating turned on.

Keep in mind that important software security updates are not limited to Microsoft products. To name a few, there are serious vulnerabilities in Adobe Reader, Apple Quick Time, Microsystems Sun Java that also require updating.

To check if your system is missing security updates or has insecure applications installed, visit Secunia Software Inspecter. The Secunia Software Inspector runs through your browser with no installation or download (other than Java) required and does the following:
  • Detects insecure versions of applications installed
  • Verifies that all Microsoft patches are applied
  • Assists you in updating your system and applications
Lastly, did you know that malware can change your Automatic Update settings? Learn how to Detect Changes to Windows Automatic Updates with WinPatrol.


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Anonymous said...

Corrine: Thank you so much for such a great explanation!! of the difference between Windows update and Microsoft update. The multitude of links were most helpful too.

I needed Office 2003 sp3.

Secunia site is awesome! Found Adobe reader and Quicktime needed security updates.

Happy Holidays to you. Wishing you a prosperous and productive New Year.

Corrine said...

Hi, Cel!

I am very pleased that the explanation was helpful. I hope that others find it useful as well.

Since I know you are also a WinPatrol fan, remember, if you do make any changes to Automatic Updates, tell Scotty "No" when you get the WinPatrol pop-up warning about the change and WinPatrol will leave your changes untouched.

Warmest wishes to you and my Schenectady "neighbors" for a Merry Christmas and Happy New Year.

Anonymous said...

"Even though drivers are generally uninstallable..." - see 'driver rollback' at device manager / driver props. :)