Windows 8 aims to make security updates less painful

The next version of Microsoft's Windows operating system will introduce changes that are designed to make automatic updates less disruptive by eliminating popup notifications and reducing the number of times machines must be restarted. In a blog post published on Monday, Microsoft Program Manager for the Windows Update Group …

COMMENTS

This topic is closed for new posts.
  1. Turtle

    Funk dat!

    To hell with updates, make file management less painful.

    1. Anonymous Coward

      @Turtle

      Oh, sorry, did you miss that? It was in XP... ;-)

      Win 7 does drive me nuts on several fronts, not being allowed to share your own drive is insane. I can understand why they would want to prevent people sharing the entire C drive on security grounds, but I have all my personal files on the D drive, and I'm not allowed to share D, no I have to share all the folders separately... Grrrr!

      1. Andrew Baines Silver badge
        Facepalm

        Sharing a drive

        You sure? I click advanced sharing, and there it is!

      2. Fuzz

        Not sure where you get that idea

        My home PC has the entire drive M: shared; maybe it's a pro vs home thing

      3. The BigYin

        @AC at 05:21

        Windows shares all drives by default. I have just checked my Win7Pro install and I can indeedy see C$ and D$ as shares. Fair enough, you need to know a password for an admin account (or of a local user who is admin). But the fact remains - all your content is on the network for anyone to (potentially) see.

        Compare that to other operating systems that actually implement security.

        1. TeeCee Gold badge
          WTF?

          God alone knows WTF you did there.

          There are no drive level shares exposed to the network from my installation and I certainly didn't do anything during the install to prevent it.

          1. Anonymous Coward

            https://en.wikipedia.org/wiki/Administrative_share

        2. Daf L

          "All your content is on the network"?

          Just because you mark your drive as able to be shared doesn't then hoist all the information on it and start it streaming around some magical highway just waiting for someone to pick bits off it to decrypt at their leisure.

          Your drive stays in the same place but lets someone with appropriate authority access and view the files - similar security to most remote login systems that require just passwords to access a machine - whether it is PC, MAC or Linux.

        3. Ken Hagan Gold badge
          Thumb Down

          @The BigYin

          Make up your mind. EITHER you don't need to know an admin account password, OR your content isn't available for just anyone to see. Based on my experience of every version of Windows ever, my guess is on the latter.

          By the way, those "other operating systems" you speak of aren't terribly secure either if you make a habit of dishing out passwords to accounts with root (or sudo) privileges.

          Also by the way, in case you want to scaremonger in other forums, there's also an ADMIN$ share that steers hackers directly to the Windows directory, just to catch out sneaky people who install to somewhere other than C:\WINDOWS.

          1. eulampios

            The original commenter's point was that sharing is done by DEFAULT. And this is a security problem, especially given the very bad Windows users' security habits, such as poor or empty passwords, and their multiple reuse.

            >>you make a habit of dishing out passwords to accounts with root (or sudo) privileges.

            Not sure what you're talking about, however, if a superuser is allowed to login, like on FreeBSD (Debian, maybe Fedora etc), yes indeed ssh-server lets you login as root by default. Ssh-server is not installed by default though. These systems require a little more experienced user, whereas Ubuntu desktop has sudo by default. Compare it with Windows.

            1. fiddley
              FAIL

              Do us all a favour, read a book before spreading FUD.

              Jeebus H Christ people! The sharing is only done *BY DEFAULT* in a domain environment, where your administrators should be looking after security for you. It can be easily disabled via group policy if you don't have confidence in your password policies.

              If your NON DOMAIN installation has the C$ D$ etc shares, someone has done something twonky as this is not the behaviour out of the box. And if you are confident in your nerd ability, you are able to share the entire drive (any drive, including C) via the advanced sharing button.

              Any behaviour outside of this has been caused by either an administrative policy (if it's a work PC you don't own), the OEM, yourself, someone else who has accessed your PC, or some third party software.

              It really narks me when people blame their own ignorance on Microsoft/Google/Apple whoever the whipping boys happen to be.

              1. eulampios

                >>It really narks me when people blame their own ignorance

                Microsoft is making money on ignorance, it personally promotes and nourishes it in their own users. Stuff (especially) crappy is easier to sell this way.

                I did not realize it, but the article now cleared it up for me again.

                Microsoft has not to this day implemented any painless rare-reboot updates in their OS. They still do not offer any (at least security) updates for the third-party software. This also contributes to the insecure nature of the Windows Operating System. (Nor do they offer any convenient secure software repository akin to most if not all GNU/Linux or *BSD ports)

                The only way to ensure buoyancy for Redmond is by staying a dirty and ugly monopoly. Hence they shouldn't be hated or despised but condoled.

              2. FIA

                @fiddley

                Enabling file and folder sharing is enough to have the default share created.

                At least this win 7 I've got in a VM seems to be sharing C$, and it's definitely not a member of a domain.

      4. Turtle

        @ACc 1 05:21 GMT

        "Oh, sorry, did you miss that? It was in XP... ;-)"

        I know, I know.

        :D

  2. James O'Brien
    WTF?

    Excuse me?

    “This means that your PC will only restart when security updates are installed and require a restart,” she wrote. “With this improvement, it does not matter when updates that require restarts are released in a month, since these restarts will wait till the security release.”

    Ok a few things I'm a little lost on here, and the worst part is that I have read El Reg for years and this actually confuses me.

    1) Aren't the restarts required to allow for updating of core files that need to be patched, which are unable to be patched while the system is using them?

    2) In the line of security (which isn't very good with Windows but meh, I'll go with it), won't this allow for vulnerabilities to be exploited for potentially up to a month before said updates are finally applied?

    3) How is any of this better? While restarts can be a pain in the ass with Windows it's not really that big of a turn off for me. So WTF is Microsoft thinking...well plotting to make money off this? Making people see how vulnerable Windows really is to exploits and zero-day hacks so they can start pushing people to pay for their unSecurity nonEssentials?

    All I can say to this decision is wow. Just wow.

    1. Andrew Baines Silver badge
      Paris Hilton

      Read it more slowly, and think

      If an update to Outlook isn't related to security, but requires a reboot, it won't reboot. If an update is related to security it will reboot.

      Paris, cos she doesn't think much either

      1. This post has been deleted by its author

      2. eulampios

        Windows makes you be smart in the first place

        Nice operating system it is, to require a reboot for every Outlook (security) update? This would sound ridiculous on GNU/Linux, BSD's or other non-perverted OS's.

        Interesting, that after all these annoying requirements to force reboots many millions of Win servers remained unpatched for some time before they picked up conficker.

  3. jake Silver badge

    Clueless. Utterly clueless.

    Adding still more broken features in an attempt to fix what is broken right from the git-go? How is that going to help the fundamental problem?

    Trying to be all things to all people is contraindicated ... No two users use a given computer in exactly the same way. That's why my Mom & Dad (who share a PC) have different user accounts. Attempting to "fix" this reality only leads to shovelware/kitchensinkware. Canonical and Cupertino have the same problems as Redmond, and for the exact same reasons. They all need to re-think the problem.

    Yes, I'm doing something about it, not just yapping about it. Look for the "Chachware"[1] installation system for Slackware on a mirror near you sometime in the next half-decade or so ... I'm close to a pre-release, but it's not high on the priority listie; Winter's coming & I have ditches & drains to clean out ...

    [1] Long "a" ... My daughter couldn't pronounce "Rachel" properly when she was first learning to talk, and the nickname "Chach" stuck ;-)

  4. JeffyPooh
    Pint

    I hope that they remember the following points...

    Not everyone has high speed. Some may be stuck with dial-up. They need to allow for that condition and make design decisions that won't drive people to violence.

    Even for those with high speed, it may only be 1Mbps. Updates should not barge onto the network when the user has just started the machine. Windows could even enforce this on other applications. There should almost be a Bugger Off button to stop all network access except the ones requested by the user.

    Or the user may be on a non-wired access system that costs 10p per kilobyte.

    All of these should be auto-detected, or listed as settings, so that the disadvantaged user can get to the darn Tornado Warnings webpage before it's too late.

    1. Anonymous Coward

      RE: I hope that they remember the following points...

      Troglodytes that still use Winblows probably do have dial-up.

  5. Jean-Luc Silver badge

    Once again we are told that, next time, it will be different

    Sorry, been there, done that.

    Promised in Windows 7 - quick boot, fast, optimized, secure. I'll perhaps grant it more secure, though I haven't had a virus in ages anyway. For the rest? Much promise, little delivery. I don't find Windows 7 much better than XP, which I liked well enough. And it certainly is a hog booting and shutting down for me.

    Instead of all this cleverness with reboots, how about 2 "simple" changes:

    #1 - figure out a way to not need reboots, at least most of the time. Linux does that, OS X does that, why can't MS? Sorry - MS is too busy doing ribbon interfaces.

    #2 - identify clearly in advance which patches need a reboot, not just that lame "your system may need restarting". Does it or does it not? It's _your_ patch, guys.

    1. AndrueC Silver badge
      Thumb Up

      Win7 started well but now it's as bad as XP. Seems like half the updates require a reboot. Worse still though are those that seem to need two reboots. XP and Win7 both have those now and again. Several times I've rebooted only to be told ten minutes later that new updates are available. It's madness I tells ya, madness!

    2. Anonymous Coward

      OSX does that? Nope

      OSX certainly doesn't do updates without requiring reboots. I regularly see updates which have an icon next to them saying they require the machine to be restarted.

      1. The BigYin

        @AC at 09:44

        I think you might be misunderstanding (assumption: OS X behaves like GNU/Linux and given the Unix heritage of both, I think this is a fair bet).

        When a file on a Unix-like system is updated, it can be moved to a new inode (a point on the disc). Anything using the "old" file can carry on using the "old" inode and see that version. When the program closes and then opens, when it gets the file it will get the "new" inode and thus the new version. (This is not quite technically correct, but good enough for now).

        The upshot is that you only need to reboot when some critical system (kernel, vital system service) gets file updates and needs to stop in order to grab the new files. Even then, there can be ways to restart critical systems and grab the update without doing a reboot.

        Windows cannot do this as its file system works in a fundamentally different way.

        1. Malcolm 1

          Windows can do this...

          ...it just prefers not to: http://technet.microsoft.com/en-us/magazine/2008.11.windowsconfidential.aspx

          1. Eddie Johnson
            FAIL

            It Absolutely Could

            There have been numerous times when I was following MS instructions for a particular task (eg relocate print spool folder) and their instructions include a reboot. Instead I just stop/start the related service (eg spooler) and everything goes fine.

            They are just lazy and can't be bothered to test dependencies that way so they go with the nuclear option of always rebooting. It's just laziness and poor organization that led them to lose track of dependencies. 95% of the reboots can be handled by starting and stopping services and/or processes. A lot of other "required" reboots that involve reloading modified registry settings in HKCU can be done just by killing the shell and your running applications survive, you don't even have to log out. But MS will never tell you that.

        2. Anonymous Coward

          @The BigYin

          You don't even need to reboot for a Kernel update if you are using Ksplice.

      2. Anonymous Coward

        RE: OSX does that? Nope

        Only some updates require a reboot...

  6. Medium Dave
    Windows

    "Reducing the number of times machines must be restarted."

    They could hardly *increase* them.

    "Your computer has just installed a new font. Click 'restart now' to restart immediately, or 'restart later' to have an annoying f---ing popup in 30 minutes to remind you'"

    1. Anonymous Coward

      You're cynical

      They'll reduce it from every single blooming time to extremely frequently.

      And the sad thing is that I'm so darn sick of this crap that I'll gladly take it!

    2. Anonymous Coward

      Windows 7 lets you postpone the notice for 4 hours (and then another 4, and then another etc.)

      1. Dan 55 Silver badge

        Windows XP is actually less annoying

        It pops up but then you slide it off to one side of the screen with just a slight border showing and forget about it till the next restart.

        Windows 7's has to be repeatedly postponed.

  7. Goat Jam
    Paris Hilton

    Attention! Captain Obvious is making an announcement!

    “This means that your PC will only restart when security updates are installed and require a restart”

    And this differs to current behaviour in what way?

    Perhaps all the restarts we have at the moment are not necessary and are just there to provide a level of annoyance that is commensurate with the typical expectations of the befuddled users of microsoft products?

  8. Mark 65
    FAIL

    Impossible for 3rd party software

    So, how does linux do it? Nobody said you had to do it for all software, but the option (in 2011) would sure as hell be nice.

    1. The BigYin

      It doesn't

      Linux has no centralised way of updating software, nor can it ever have one. GNU and its ilk do provide such systems - "package managers" (apt-get, pacman etc.). Even these have limitations though. One must either have originally installed the software from the package managers, or installed it from some kind of approved package (e.g. ".deb") so that the package manager knows about it. If you are using software that you have just downloaded as a TAR or something, then it will not get updated unless you do it yourself. This is why GNU/Linux users are urged to use repositories rather than download random crap off the Interwebs like Windows users are. Repositories and their downloads are also often signed to prove that they are legit and thus not malware (it's not perfect though, nothing is).

      However the package manager finds out about what you have installed, it will periodically check the version currently installed against the version in the repository. If the version in the repository is newer, that fact is remembered and at some point the user will be asked if they wish to download and install (or some job will update the system or whatever).

      Once the download happens, things update and no reboot is required due to the way the file systems work. When an updated program closes, the next time it starts it will be running the new version. The only time you need to reboot is if Linux itself (the kernel) or an in-use module (e.g. graphics) gets updated. And even then you only need to update if you want to use the new version right now. Bar one message at the end and perhaps an icon changing, there is no nagging.

      The actual details of the above will vary slightly from distribution to distribution, but the general ideas remain the same.

      1. Anonymous Coward

        Plus...

        The point Microsoft make is that all the time the machine is not actually *using* the new files (i.e. file is in use, Windows could not update the file, or in the case of Linux, the file was in use, file was updated but isn't used until things using it restart) then the machine is vulnerable to the security problem that required the update. Like it or loathe it, Microsoft's way of actually trying to get the user to reboot so that the vulnerable files are used for as short a time as possible does seem sensible from a security point of view.

        1. The BigYin

          @AC at 09:44

          *sigh* The same is true on Windows as one is not forced to restart. I assume you are the same AC as before - you clearly do not know how non-Windows updates work, I suggest you do some research before commenting further.

          In enterprise systems, one would be using some kind of management system (e.g. Puppet) to push and control updates (i.e. only applying them after testing them).

          For office systems there would (should!) be a policy about when reboots happen to suck in the updates.

          For home/end-user-controlled system - it's up to that user. In the vast majority of cases, simply bouncing the service (e.g. Samba) or stopping/starting the program is enough.

          MS's way of doing it is, IMO, the worst one as it leads to people disabling the whole thing to stop the bloody nagging. I also despise the way Win7 sneaks in updates with little when I go to shut down. I want to know what the updates are and why they are being applied, I may have very good reasons for NOT wanting an update (e.g. compatibility with other systems).

      2. Def Silver badge
        Happy

        "When an updated program closes, the next time it starts it will be running the new version."

        That's because of the fundamental difference between how POSIX and Windows systems start processes. POSIX systems load the executable file into memory each time, so there is always a copy in memory, which means the disk file can be modified while a process is running. (At least, I presume this is what they do - someone please correct me if I'm wrong.)

        Windows, on the other hand, merely memory maps the executable file, which is the fastest way to load data from disk in Windows. It also has the added benefit that no executable code ever needs to be swapped out to the swap file because Windows knows it's already backed by the file it was mapped from.

        1. The BigYin

          @Def

          I thought it was down to the new file being created at a different inode, and the executing program continuing to use the original inode. Or maybe that only happens in some cases?

  9. Steve Evans

    Restarts...

    Best way to reduce restarts is to not allow Adobe to install anything on your machine!

  10. Microphage

    Why does this require a whole article?

    Windows delays reboot to once a month on updates .. there that's conveyed the requisite information in a suitably concise manner for the benefit of the readers of your inestimable gazette.

    1. Ken Hagan Gold badge
      Happy

      Because...

      It requires a whole article because some people have trouble with reading comprehension. For example...

      "Windows delays reboot to once a month on *non-critical* updates"

  11. Anonymous Coward

    why?

    Wouldn't it be more sane to write the code correctly in the first place?

    Considering the lifespan of Windows XP, If Windows 7 lives as long, they've got 9 years to re-write everything.

    1. dogged
      Trollface

      Okay.

      You write it then, if it's so easy.

      A perfect, totally secure OS that's fully user-friendly and compatible with every piece of hardware and software created since 1995 that will be compatible with all future and software and never need updates, patches or fixes.

      Away you go. Try to finish it in an hour.

      You idiot.

    2. Anonymous Coward

      Telling people to "just write the code correctly" - that's largely telling them to "just stop making mistakes". This, coming from somebody who erroneously capitalised "if".

      1. The BigYin

        "correctly in the first place"

        What an idea! Let's just do things properly from the beginning!

        Cars will no longer burst into flames after a crash!

        Planes will no longer drop out of the sky due to failure!

        Buildings will no longer fall down!

        Bridges will no longer collapse!

        Pencil tips will no longer snap!

        Glass will no longer break!

        DO IT RIGHT FIRST TIME! My god! It's a paradigm shift! You should patent that *RIGHT NOW*!!!! You'll be bloody minted you will!

        What did no one think of this before? WHY?????????????

        (idiot)

  12. Anonymous Coward
    Windows

    Big wow, not...

    MS has already made it clear that Metro is meant to be a dimmed-down environment where rights are concerned. Considering how they're aiming on this environment /big time/ I don't think this news should come as a surprise. Not to mention the non-achievement (to a certain extent).

    How hard is it to update something which people can only use in very restricted ways in the first place ?

    I've said it many times on several threads already... I think Windows 7 is a very solid desktop OS and Office 2010 packs quite a punch as well. I guess I somewhat turned into a "microsoftie" where (small) business usage is concerned; Outlook + Business Contact Manager & the regular stuff (Word, Excel) can hardly be topped these days. IMO that is of course. But still; I sent an e-mail to a customer, and when I look into said customer's history I can see that I sent that e-mail, can even open it when needed. No extras required. That stuff is invaluable for business usage ("I only got your emailed bill today. Chill bro; I'll pay, no problem" Click, click... "odd, I sent it 3 weeks ago?").

    'Unfortunately' I think MS themselves are going to have a very hard time "topping" their own success here. Quite frankly, having tried the Win8 preview I think we're heading for "Vista revisited".

    And stories like these ("Look at us, we're making things EASIER for you!") only add to that bias. Yeah; easier.. At what costs?

    Give me back my AERO!

  13. Anonymous Coward

    and what is a "critical application"?

    I hope you aren't running windows as a file server...

    Actually it shouldn't be a problem. All your critical stuff runs on *nix, right?

    1. The BigYin

      That was my thought exactly

      The only person in a position to decide what is critical is the user (be they an end-user or a sys admin). No one else. Often my PC sits here 'idling' but as far as I am concerned Samba is a critical app as I am sat in front of the box watching a movie off the HDD.

      If it chose then to reboot (which it wouldn't, but if it did) I'd be one pissed off geek.

  14. Big-nosed Pengie
    FAIL

    You still have to restart it after an update?

    How 20th century.

    1. John Riddoch

      If you update the kernel, you have to reboot. If you update a driver, you either have to be able to unload it (and stop using everything using that driver) or you have to reboot. If you update a low level library (e.g. libc equivalent), you will have to reboot or restart all your programs to start using it; if this is for security, you either reboot or have existing processes still potentially vulnerable.

      This is a fact for Windows, Linux and most other operating systems. Very few have been able to update the kernel on the fly.

      1. The BigYin

        Indeed and agreed

        But Windows seems to be much more prone to *requiring* a full restart as opposed to other OSs. Even installing an entirely new app causes it to want to reboot (that might be a fault of the installer I guess).

        Any idea what happened with KSplice? Not heard much about it after Oracle swallowed it.
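
Added example (not written by any commenter and not from the article): a Python sketch, for Linux, of the behaviour argued over in this thread. `replace_and_observe` shows that a rename-style update gives the file name a new inode while an already-open reader keeps the old contents; `stale_mappings` reads `/proc/<pid>/maps` text and reports executable mappings marked `(deleted)`, which is how a process still running pre-update library code can be found. The name `libdemo.so` and the sample maps lines are constructed for illustration.

```python
import os
import re
import tempfile

# /proc/<pid>/maps line: range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+[0-9a-f]+\s+\S+\s+"
    r"(?P<inode>\d+)\s*(?P<path>.*)$"
)
DELETED = " (deleted)"
# Shared-memory objects are unlinked on purpose; they are not stale code.
NOT_FILES = ("/memfd:", "/dev/shm/", "/SYSV")

# Constructed sample of one process's maps file after a library update.
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a2c000 r-xp 00000000 08:01 131090 /usr/sbin/sshd
7f3a1c000000-7f3a1c1b0000 r-xp 00028000 08:01 262155 /usr/lib/x86_64-linux-gnu/libc.so.6 (deleted)
7f3a1c1b0000-7f3a1c1b4000 r--p 001d8000 08:01 262155 /usr/lib/x86_64-linux-gnu/libc.so.6 (deleted)
7f3a1c400000-7f3a1c4a0000 r-xp 00000000 08:01 262201 /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (deleted)
7f3a1d000000-7f3a1d001000 rw-s 00000000 00:01 4099 /memfd:cache (deleted)
7ffd2b1e0000-7ffd2b201000 rw-p 00000000 00:00 0 [stack]
"""


def replace_and_observe():
    """Update a file by writing a new one and renaming it over the old name,
    while a reader (standing in for a running process) holds the old file."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "libdemo.so")  # hypothetical file name
        with open(target, "w") as f:
            f.write("version 1 (vulnerable)")
        reader = open(target)
        old_inode = os.fstat(reader.fileno()).st_ino

        staged = target + ".new"
        with open(staged, "w") as f:
            f.write("version 2 (patched)")
        os.replace(staged, target)  # atomic: the name now refers to a new inode

        with open(target) as fresh:
            new_contents = fresh.read()
        result = {
            "inode_changed": os.stat(target).st_ino != old_inode,
            "running_reader_sees": reader.read(),
            "new_open_sees": new_contents,
        }
        reader.close()
        return result


def stale_mappings(maps_text):
    """Sorted paths of executable file mappings whose on-disk file is gone,
    i.e. code the process keeps running until it is restarted."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or m.group("inode") == "0":  # inode 0: [heap], [stack], anonymous
            continue
        path = m.group("path")
        if not path.endswith(DELETED) or path.startswith(NOT_FILES):
            continue
        if "x" in m.group("perms"):
            stale.add(path[: -len(DELETED)])
    return sorted(stale)


def scan_proc():
    """Map pid -> stale paths for every process whose maps file is readable."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/maps") as f:
                stale = stale_mappings(f.read())
        except OSError:  # process exited, or not ours to inspect
            continue
        if stale:
            findings[int(pid)] = stale
    return findings


if __name__ == "__main__":
    print(replace_and_observe())
    print(stale_mappings(SAMPLE_MAPS))
    if os.path.isdir("/proc"):
        print(scan_proc())
```

Run as root, `scan_proc()` covers all processes; unprivileged, it reports only those the caller is allowed to inspect.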

  15. stefan 5
    Thumb Down

    Hell no

    How about p1ss off it's my computer and I'll restart it when I feel like it.

    1. Anonymous Canard

      Absolutely.

      What little Windows I still do is based in the XP world, but I find it extremely rude that MS decide when I should reboot my system, and nag me incessantly until I do it. Trickling down patches in the background is OK, as well as informing me when critical fixes should be installed, but when to implement them is my decision.

      1. Ken Hagan Gold badge

        @Canard

        You want to Google "NoAutoRebootWithLoggedOnUser", or just hop over to here:

        http://blogs.msdn.com/b/tim_rains/archive/2004/11/15/257877.aspx

        1. Anonymous Canard

          @Ken...

          Thanks, helped me to understand the process.

  16. eulampios

    interesting stuff

    A question "where exactly does MS screw this up in their OS to constantly require reboots after every or most updates?" is still there. A similar question was asked by B. Gates about 10 years ago, it remains unanswered to this day. Crappy OS architecture, poor coding? My GNU/Linux (and any other good OS) for a comparison would ONLY require a reboot when the (security) update is applied to the KERNEL.

    >>the changes are likely to come as good news for users who want fewer interruptions as they use their PCs to watch movies, play games or work.

    Does this only concern the above-mentioned reboot stupidity, or the fact that a PC becomes unusable during the inst. process? If the latter is the case, this is even more ridiculous.

    >>The bad news is that there are no plans for Windows Update to install security patches required by third-party applications.

    OK, the good news is that there are free, open, more secure OSes available that have been doing it for ages. Just recently updated non-free (as everyone knows, extremely buggy and crappy) flashplayer by first getting a notification, clicking on the update applet, entering my password (actually did from the terminal via aptitude). Actually, any installation is done via similar interface (package manager) making it more secure and less painful.

    So, why do OEM's recommend Windows again?

  17. Anonymous Coward

    What??

    "if the machine hasn't been shutdown or restarted by then and Windows Update doesn't detect any critical applications are running, it will automatically restart the machine."

    Once again Microsoft forget that the PC sitting in my house is MINE - I decide when to reboot it. Maybe it's not running what they consider to be critical applications but there might be a good reason why I've left it logged in and running something when I'm not around. The last thing I want is to come home and find that Microsoft have rebooted my machine and buggered things up for me.

  18. Anonymous Coward

    Wrong direction

    Microsoft needs to open an ftp for updates with an rss feed so it can be tracked

    ftp.microsoft.com

    Publish updates when they are ready and drop the scheduled maintenance fiasco.

    All the rest of the crap they can toss out.

    1. The BigYin
      Linux

      Err...

      ...you mean enact repositories like in the GNU/Linux world, but do a really bad job of it?

      Join the dark side, we have fishies. Err....cookies.

  19. The BigYin
    Mushroom

    Translation

    "MS lawyers have not managed to get the patents approved for mechanisms that are used on other operating systems to ensure that the OS and applications are updated in a coherent manner. Once the patents are approved, we will sue the F/OSS operating systems into oblivion and then have a big PR campaign about the new paradigm we will have 'invented'".

  20. Anonymous Coward

    Most important question...

    ... why does Windows need so many updates and patches? Why don't they just write a decent operating system in the first place?!?
