
Don't get burned by Windows Update

Microsoft commits the sin of installing known buggy software.

Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.



It's the very definition of irony: bugs in the application designed to install bug fixes. Such is Windows Update, which in the two instances described below installs known buggy software--and tells you that all is well when it is not.

Installing IE7

I use Firefox for pretty much everything, so my main desktop and laptop (both running Windows XP) still had Internet Explorer version 6 until recently. I also run Windows Update manually, so keeping IE 7 off my machine involved nothing more than unchecking a box once a month. But now that IE 7 has been out for roughly a year, and I'm addicted to tabs, I finally got around to installing the browser.

Since I was up-to-date on bug fixes, IE 7 was the only thing Windows Update had to install. The installation process includes the option shown below about installing "the latest updates for Internet Explorer," which I did. All went well, at least according to Windows Update.


The first thing I noticed afterward was that IE 7 turned on the language bar toolbar on the task bar. It doesn't take up much room, but I have no interest in the language features and the fewer things running the better.

To get rid of the language bar, go to the Control Panel, click on Regional and Language Options (the globe), then click on the Languages tab, then the Details button, then the Advanced tab. Finally, put a check in the box to "Turn off advanced text services".

All seems well at this point, but it's not. A critical bug fix having to do with something called VML is missing. The fix goes by the names KB938127 and MS07-050 (see Critical Vulnerability in Vector Markup Language Could Allow Remote Code Execution) and dates back to August 2007. Yes, Microsoft has had eight months to make Windows Update smart enough to install this critical bug fix when it installs IE 7. Or, at the least, warn us to run Windows Update again. But no, it instead installs known buggy software.

.Net Framework Version 2

The same thing happens when you install version 2 of the .Net framework. There are three versions of the .Net framework, and all are optional--until, that is, you try to install software that requires it.

Again, I started with a Windows XP system that was up-to-date on all bug fixes and installed nothing but version 2 of the .Net framework using Windows Update. As before, I ran Windows Update manually (Tools -> Windows Update in IE) and opted for a Custom install. All went well, and I rebooted afterwards, just for good luck.

Though all seems well, I ran Windows Update again. Sure enough, the just-installed .Net framework needed updating. And not just one bug fix; it was missing an entire service pack (KB110806). Installing the service pack was uneventful other than the required reboot.

Back to Windows Update and, finally, everything is up to snuff.
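The check a defender would want after either of the installs above (IE 7 missing KB938127, .Net 2 missing its service pack), as an added example that is not part of the original post: a PowerShell script that first looks for the two KB numbers named in the post among the installed hotfixes, then asks the Windows Update Agent directly what it still considers missing, rather than trusting the "all is well" message. It assumes PowerShell 2.0 or later (which introduced Get-HotFix) and the Microsoft.Update.Session COM object that the Windows Update Agent exposes; the KB list is the one from this post and would be extended for other components.

```powershell
# Added example, not code from the original post. Re-check patch state after
# installing a component through Windows Update instead of trusting the
# "all is well" message.

# KB numbers to verify; these two are the ones named in the post.
$RequiredKBs = @('KB938127', 'KB110806')

# 1. Installed hotfixes as Windows records them (Get-HotFix reads the
#    Win32_QuickFixEngineering class). Component service packs delivered as
#    MSI packages, such as a .Net Framework service pack, may not be recorded
#    here, so a "MISSING" result for such an item is a prompt to check step 2,
#    not proof by itself.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($kb in $RequiredKBs) {
    if ($installed -contains $kb) {
        Write-Output "$kb : installed"
    } else {
        Write-Output "$kb : MISSING (or not recorded as a hotfix)"
    }
}

# 2. Ask the Windows Update Agent what it still considers not installed.
#    This is the same search Windows Update performs, so if IE 7 or .Net 2
#    was installed without its follow-on fixes they show up here.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")

if ($result.Updates.Count -eq 0) {
    Write-Output "Windows Update Agent reports no pending software updates."
} else {
    Write-Output "Pending updates ($($result.Updates.Count)):"
    foreach ($update in $result.Updates) {
        # KBArticleIDs holds bare numbers; prefix them for readability.
        $kbs = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        # MsrcSeverity is empty for non-security updates.
        $sev = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'n/a' }
        Write-Output ("  {0,-12} {1,-9} {2}" -f $kbs, $sev, $update.Title)
    }
}
```

Run it once immediately after the component install and again after the next Windows Update pass; the second run should report no pending updates and list every required KB as installed. Anything still pending with a severity of Critical is the case the post describes: a freshly installed component that Windows Update declared finished but left unpatched.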

There is no excuse for a software update application, such as Windows Update, to install known buggy software. No excuse, but there is a reason: either incompetence or a corporate laziness that sets in when a company is not challenged in the marketplace. I am not sure which applies in this case.

See a summary of all my Defensive Computing postings.