I don't know whether to be angry or frustrated, and whether the target should be journalists who make mountains out of molehills, or the people in Redmond who give them the molehill to start with.
Here's the story. The Windows Update software changes sometimes. Windows Update keeps itself in a working state if it is in use; that is to say, outside well-run IT shops which use WSUS, SMS or some other in-house way of pushing out updates, and outside those people who turn the service off altogether. Windows Update logs changes to itself in the event log. However, if the user has selected "Check for updates but let me choose whether to download or install them", updates to the update service don't check with the user first.
One or two readers will go scouring everything I've ever said to find a contradiction for what I'm about to say. I don't think people should automatically trust Microsoft. I don't think they should automatically distrust us either. We need to earn trust, and sensible people will keep re-evaluating "In this case should I or shouldn't I". There are plenty of people out in the world who think no-one should ever trust us; a great many of them post online to discussions and blogs, some write for magazines. Giving these people ammunition is stupid. And any manager in Redmond who does should be made to write out "I should never do anything which undermines public trust in my employer" 10,000 times. Preferably while sitting in a set of stocks (I'd locate these under the campus flag poles outside Building 10).
To me, the whole premise of this argument is stupid. First off, when I went to grab the screen shot I've modified here, it says at the bottom "Note: Windows Update might require an update before you can update Windows". Granted, I had to read that twice, as obviously WU can't update the OS if there are no updates; the word "Itself" should be in there. But I've been imagining a conversation with some of the people who are making this fuss (who seem to want the WU dialog to appear like this version).
Me: You selected a radio button which said check for updates, so do you want it to stop checking if we change something at the server?
Them: No... but... WU shouldn't change a single byte on my computer without my permission!
Me: Not one?
Them: Not one.
Me: So how does it maintain a list of available updates to offer you?
Them: Err... Well that doesn't count, it shouldn't change Executables
Me: So you told it to just get the list of updates
Them: ... yes
Me: and to take the steps that are needed to get the list?
Them: ... obviously, yes.
Me: Even if that means updating the software that gets the list ...
Scott Dunn got some key facts wrong when he started the story. He opens with "Microsoft has begun patching files on Windows XP and Vista without users' knowledge, even when the users have turned off auto-updates."
Having a commitment to his story which can't be inconvenienced by facts (or lack of them), Dunn turns to invention: "Many companies require testing of patches before they are widely installed," [true] "and businesses in this situation are objecting to the stealth patching."
Un-named businesses object. No. Because companies which test patches before letting them be widely installed don't use Windows Update. That would rely on users seeing the "New Updates are available" message and only processing the items IT told them to, when they were told. Not a system you'd rely on, is it? Over on Microsoft Watch at least Joe Wilcox got that aspect right (and did get a quote), but he downgraded it from "Stealth" (Dunn's term) to "sneaky", and included screen shots which reveal - shock horror - if you tell the Windows Update service to look for updates, then it does start up and it records in the event log that Windows Update has updated "Windows Update". Stealth? Sneaky? Records its actions in the event log? Reminds me of this story
Meanwhile over at ZD Net Adrian Kingsley-Hughes was positively screaming "If Microsoft (or other companies) start updating systems without consent, this will lead to all sorts of trouble. On top of that, it paves the way for companies to make silent updates to technologies such as DRM and anti-piracy features." That seems to me to be equivalent to saying "If Microsoft make sure users can find out about new updates, that means they could smash up your system if they don't like you".
Kingsley-Hughes, like Dunn and Wilcox (and Andrew Garcia, who checked the facts for him), conveniently ignores the "Windows Update might require an update before you can update Windows" message.
Over on the Windows Update team's blog, Nate Clinton explains what's going on. Sorry Nate, despite feeling the reporting has been pretty shabby, if it were left to me you'd be in the stocks for giving them the ammo.
You're missing one very simple point -
Present the update as an update. A required update. One which prevents you installing or being notified of any other updates until you accept it.
It happens with a fresh XP install. You did it again with the BITS and Installer 3.1 updates. What's the difference here?
That sounds like a very good solution. If there is a reason why it couldn't be done, I'm not party to it.
The whole point is unauthorized modifications to another party's property. That is malicious behavior whether or not there is malicious intent. WU is behaving the same way any malware (virus, root kit, etc.) would.
Micro$oft is not entitled to simply modify Windows code on a non-Micro$oft corporately owned computer without obtaining express consent to do so. The expected behavior of the WU software is that users may control when and if updates are applied to their personal property, including the Windows OS running on that property. Micro$oft does not own that instance of Windows, the purchaser does.
If the WU application itself is so poorly implemented that past clients are completely incompatible with the most recent version, then Micro$oft should completely disable it until it can be properly designed to function as expected--notify updates to itself first and then look for other updates.
Micro$oft should be keenly aware of the impact that unilateral actions may have to both its perceived trustworthiness and its bottom line. This unilateral WU behavior certainly does nothing to bolster trust. On the contrary, it bolsters the belief that Micro$oft has only its business interests in mind and that it believes that it retains absolute control over its products, even after purchase. It does not!
$arge. First off using $ sign in the way you have done in the comment, is usually done to annoy people who work for MSFT. Normally that kind of rudeness gets posts deleted...
Sorry to bring facts in but, the code isn't your property - you licensed it to run on the hardware that you do own.
As for behaving like Malware.
(a) You can turn off ALL updates
(b) If you have updates on, the dialog box tells you that WU updates itself.
(c) It records what it has done in the event log.
I think very few people would say that installing something required to support something you opted in to was obsessing on our business interests or asserting absolute control...
We can argue that we have the right to do it; we can argue that only in this way can we guarantee the service will keep on working ("we know best")
We can argue that the behaviour is explained on the settings dialog box (albeit badly).
But I'm not developing any of those arguments because frankly building up the expectation that no code will be changed and then changing code is damn silly, rude, and bad for trust and we shouldn't have done it. If WU really must work this way then we needed to spell it out so no-one could be in any doubt. And we didn't do that.
Which is why I said I'd put those responsible in the stocks.
Simple solution and Microsoft has done this in the past: Let the user choose to update Windows Update. As in, Windows Update sees an update for itself and lets the user choose to download and install it.
I've seen this done on several occasions prior to downloading the latest patches. Windows Update lists an update to itself as the only update available. You download and install it and then you get a list of other updates that are available. You download and install those.
So why do something different? This is a secret Windows Update. The first of its kind. And the only way we will make it the last of its kind is to stop it NOW. By complaining about it. LOUDLY.
The only real way I'm aware of to get Microsoft's attention is to affect them financially. Lawsuits are generally so small that it doesn't dent them. We need a $400 billion class-action lawsuit, be in court tomorrow, win the case by default, AND serve an injunction to the bank to immediately transfer the funds (I say we drop 10% of the total in the judge's lap). Tomorrow is Saturday. That's the only way I know of that would get the entire company's immediate attention. Anything less than $20 billion and they'll ignore it.
I really find this nonsense about the so-called stealth update to Windows Update to be ridiculous. That "update" has been done. You know about it NOW. So get over it. It needs to work in order to get the critical updates etc. So Microsoft FORGOT to tell people. Well people now know it's been done. Users are going to do that update anyways. So it's done. Get over it. People out there who are complaining were going to update that anyways.
I find it so hypocritical that there are people who are clamoring for updates for other non-Microsoft software they have and are so very disappointed when there aren't any updates to download. And then they start getting pissed off because of this update to Windows Update which you need anyways if you want to download the latest Windows critical updates. Users can be such silly, idiotic, two-faced hypocrites when it comes to this updating nonsense.