Windows Update

Windows Update

A component of Microsoft Windows
Windows Update running on Windows 7
Details
Type Network service
Included with Windows 98 and later
Description Windows Update
Related components
BITS, Windows Installer, Internet Explorer, Windows Genuine Advantage

Windows Update is a service provided by Microsoft that provides updates for the Microsoft Windows operating system and its installed components, including Internet Explorer. An optional feature disables access to Windows Update, enabling instead access to Microsoft Update, an expanded version of the service which provides updates not just for the operating system and Internet Explorer, but also for other Microsoft software running under Windows, such as Microsoft Office, Windows Live applications, and Microsoft Expression Studio. Updates are normally provided over an Internet connection, although there is provision for updates to be installed on computers without an Internet connection.

There are different kinds of updates. Security updates or critical updates protect against vulnerabilities to malware and security exploits. Other updates correct errors that aren't related to security, or enhance functionality.

Security updates are routinely provided on the second Tuesday of each month, Patch Tuesday, but can be provided whenever a new update is urgently required to prevent a newly discovered or prevalent exploit targeting Windows users. Windows Update can be configured to install critical updates automatically so long as the computer is connected to the Internet, without the user needing to install them manually, or even be aware that an update is required .

Windows Vista, Windows Server 2008, and Windows 7 provide a Control Panel to configure update settings and check for updates. The Windows Update Control Panel is also the means to download Windows Ultimate Extras, optional software for Windows Vista Ultimate Edition. For previous versions of Microsoft Windows, updates can be downloaded from the Windows Update website, using Internet Explorer.

Contents

History

Windows Update web site

Windows Update was introduced as an Internet web site with the launch of Windows 95. A link to Windows Update on the Start Menu gave access to additional downloads for the operating system. At the time of Windows 98's release Windows Update offered additional desktop themes, games, device driver updates, and optional components such as NetMeeting.[1] Windows 95 and Windows NT 4 were retroactively given the ability to access the Windows Update website, and download updates designed for those operating systems, starting with the release of versions of Internet Explorer 4 for those operating systems. The initial focus of Windows Update was on free add-ons and new technologies for Windows; security fixes for Outlook Express, Internet Explorer and other applications appeared later, as did access to beta versions of upcoming Microsoft software, most notably Internet Explorer 5. Fixes to Windows 98 to resolve the Year 2000 problem were distributed using Windows Update in December 1998. Microsoft attributed the sales success of Windows 98 in part to Windows Update.[2]

Windows Update requires Internet Explorer or a third-party web browser that uses Microsoft's MSHTML layout engine, as it must support the use of an ActiveX control to house the software that is executed on the user's computer. While details have changed from version to version, it has always scanned the computer to find what operating system components and software are installed, and compared the versions of those components with the latest available versions. The ActiveX component then interfaces with Windows Installer to install or update those components, and to report the success or failure of those installations back to Microsoft's servers.

The first version of the Windows Update web site (usually referred to as "v3") did not require any personally-identifiable information to be sent to Microsoft. In order for the v3 ActiveX control to determine what updates were needed, the entire list of available software on Windows Update was downloaded to the user's computer when they visited the Windows Update web site. As the number of updates offered by Windows Update grew, this resulted in performance concerns. Arie Slob, writing for the Windows-help.net newsletter in March 2003, noted that the size of the update list had exceeded 400KB, which caused delays of more than a minute for dial-up users.[3]

Windows Update v4, released in conjunction with Windows XP in 2001, changed this by having the ActiveX control submit a list of the hardware components to Microsoft's servers, which then returns a list of only those device drivers available for that machine. It also narrowed down the list of available updates for the operating system and related components by sending details of what operating system version, service pack, and locale are installed. German technology web site tecchannel.de published an analysis of the Windows Update communication protocol in February 2003, which received wide attention on technology web sites. The report, which was the first to contain extensive details of how the Windows Update communication protocol worked, also discovered that the make and model of the computer, the amount of free disk space, and the Windows product key, were sent.[4]

Critical Update Notification Tool/Utility

Shortly after the release of Windows 98, Microsoft released a Critical Update Notification Tool (later called Critical Update Notification Utility to avoid the unfortunate acronym[5]) through Windows Update, which installed a background tool on the user's computer that checked the Windows Update web site on a regular schedule for new updates that have been marked as "Critical". By default, this check occurred every five minutes, and when Internet Explorer was started, though the user could configure the next check to occur only at certain times of the day or on certain days of the week. The check was performed by querying the server for a file, "cucif.cab", which contains a list of all the critical updates released for the user's operating system. The Critical Update Notification Tool then compared this list with the list of installed updates on the user's machine, and displayed a message to the user informing them of new critical updates if they were available. Once the check executed, any custom schedule defined by the user was reverted to the default; Microsoft stated that this was by design in order to ensure that users received notification of critical updates in a timely manner.[6]

An analysis done by security researcher H D Moore in early 1999 was critical of this approach, describing it as "horribly inefficient" and susceptible to attacks. In a posting to BugTraq, he explained that, "every single Windows 98 computer that wishes to get an update has to rely on a single host for the security. If that one server got compromised one day, or an attacker cracks the MS DNS server again, there could be millions of users installing trojans every hour. The scope of this attack is big enough to attract crackers who actually know what they are doing..."[7]

The Critical Update Notification tool continued to be promoted by Microsoft through 1999 and the first half of 2000. Initial releases of Windows 2000 shipped with the tool, but Windows 95 and Windows NT 4.0 were not supported. It was superseded by Automatic Updates in Windows Me and Windows 2000 SP4.

Automatic Updates

With the release of Windows Me in 2000, Microsoft introduced Automatic Updates as a replacement for the Critical Update Notification tool. Unlike its predecessor, Automatic Updates includes the ability to download and install updates without using a web browser. Instead of the five minute schedule used by its predecessor, the Automatic Updates client checks the Windows Update servers once a day. The user is given the option to download available updates then prompt the user to install them, or to notify the user prior to downloading any available updates. After Windows Me is installed, the user is prompted via a notification balloon to configure the Automatic Updates client.

The Windows Update web site itself was significantly updated to match the visual style of Windows XP.

Windows XP and Windows 2000 Service Pack 3 include Background Intelligent Transfer Service, a protocol for transferring files in the background without user interaction. As a system component, it is capable of monitoring the user's Internet usage, and throttling its own bandwidth usage in order to prioritize user-initiated activities. The Automatic Updates client for these operating systems was updated to use this system service.

Microsoft Update

At the February 2005 RSA Conference, Microsoft announced the first beta of Microsoft Update, an optional replacement for Windows Update that provides security patches, service packs and other updates for both Windows and other Microsoft software.[8] The initial release in June 2005 provided support for Microsoft Office 2003, Exchange 2003, and SQL Server 2000, running on Windows 2000, XP, and Server 2003. Over time, the list has expanded to include other Microsoft products, such as Windows Live, Windows Defender, Visual Studio, runtimes and redistributables, Zune Software, Virtual PC and Virtual Server, CAPICOM, Microsoft Lync, and other server products. It also offers Silverlight and Windows Media Player as optional downloads if applicable to the operating system. A persistent bug in Microsoft Update affecting XP computers with limited internal memory is that it allows the update programs wuauclt.exe and svchost.exe to claim 100% of the computers memory for extended periods of time (up to hours) making affected computers unusable.

MS Office Update

Microsoft Office Update was a free online service that allowed users to detect and install updates for certain Microsoft Office products. This update service supported Office 2000, Office XP, Office 2003, and Office 2007. On 1 August 2009, Microsoft decommissioned the service.[9] Users are now required to use Microsoft Update. However, as Microsoft Update does not work with Office 2000, Office 2000 users no longer have any method of automatically detecting and installing updates. This is not a limitation for existing installations of Office 2000, because the product is no longer supported and so no new updates are being produced. However, it is a serious limitation for anyone re-installing MS Office 2000.

Windows Vista, Windows Server 2008, and Windows 7

In Windows Vista, Windows Server 2008, and Windows 7, the web site is no longer used to provide a user interface for selecting and downloading updates. In its place, the Automatic Updates control panel has been expanded to provide similar functionality. Support for Microsoft Update is also built into the operating system, but is turned off by default. The revised Windows Update can also be set to automatically download and install both Important and Recommended updates. In prior versions of Windows, such updates were only available through the Windows Update web site.

In versions of Windows prior to Vista, updates requiring a reboot would pop up a dialog box every number of specified minutes requesting that users reboot their machines.[10] This dialog box was changed to allow the user to select a longer period of time (up to 4 hours) before being prompted again. The revised dialog box also displays under other applications, instead of on top of them.

In Windows 7 and Vista[11] once automatic updates have finished, the computer will be shut down after a countdown, sometimes causing the countdown to finish and the system to reboot while the user is in the middle of using the computer (or away from the computer and not wanting it to reboot for various reasons), possibly losing data, gameplay advancement, etc.

Windows Update makes use of Transactional NTFS, a file system feature introduced with Windows Vista, when performing updates to Windows system files. This feature helps Windows recover cleanly in the event of an unexpected shut-down during an update, as the transactioning system will ensure that changes are committed to the file system in an atomic fashion.[12]

Statistics

At the beginning of 2005, Windows Update was being accessed by about 150 million people,[13] with about 112 million of those using Automatic Updates.[14]

As of 2008, Windows Update had about 500 million clients, processed about 350 million unique scans per day, and maintained an average of 1.5 million simultaneous connections to client machines.[15] On Patch Tuesday, the day Microsoft typically releases new software updates, outbound traffic could exceed 500 gigabits per second. Approximately 90% of all clients used automatic updates to initiate software updates, with the remaining 10% using the Windows Update web site. The web site is built using ASP.NET, and processes an average of 90,000 page requests per second.

See also

References

  1. ^ Gartner, John (August 24, 1995). "Taking Windows 98 For A Test-Drive". TechWeb. http://www.techweb.com/wire/story/win98/TWB19980625S0017. Retrieved 2008-07-29. 
  2. ^ Strong Holiday Sales Make Windows 98 Best-Selling Software of 1998. . PressPass (Microsoft). February 9, 1999. http://www.microsoft.com/presspass/press/1999/feb99/holislpr.mspx. Retrieved 2008-07-29. 
  3. ^ Slob, Arie (March 22, 2003). "Windows Update is Spying on You!". windows-help.net. http://www.windowsnewsletter.com/html-archive/2003/22mar2003.html. Retrieved 2008-07-30. 
  4. ^ Leyden, John (February 28, 2003). "Windows Update keeps tabs on all system software". The Register. http://www.theregister.co.uk/2003/02/28/windows_update_keeps_tabs/. Retrieved 2008-07-30. 
  5. ^ Schofield, Jack (2002-03-30). "And finally, JOF spotted that | Technology | guardian.co.uk". London: Guardian. http://www.guardian.co.uk/technology/blog/2002/mar/30/andfinallyjof. Retrieved 2010-04-23. 
  6. ^ "Description of the Windows Critical Update Notification Utility (MSKB244420)". Knowledge Base. Microsoft. December 5, 2007. http://support.microsoft.com/kb/q224420/. Retrieved 2008-07-29. 
  7. ^ Moore, H D (January 29, 1999). "How the MS Critical Update Notification works...". http://seclists.org/bugtraq/1999/Jan/0400.html. Retrieved 2008-07-29. 
  8. ^ "Microsoft Update Site Launched". helpwithwindows.com. June 10, 2005. http://www.helpwithwindows.com/microsoft-update.html. Retrieved 2008-07-30. 
  9. ^ "Microsoft Decommissioning the Office Update Service - FAQ". Office.microsoft.com. http://office.microsoft.com/en-us/downloads/FX010402221033.aspx. Retrieved 2010-04-23. 
  10. ^ Atwood, Jeff (May 13, 2005). "XP Automatic Update Nagging". Coding Horror: .NET And Human Factors. http://www.codinghorror.com/blog/archives/000294.html. Retrieved 2006-09-22. 
  11. ^ http://www.microsoft.com/windows/downloads/windowsupdate/faq.mspx
  12. ^ "NTFS Beta Chat Transcript". The Filing Cabinet. TechNet Blogs. July 12, 2006. https://blogs.technet.com/filecab/articles/457811.aspx. Retrieved 22 September 2006. 
  13. ^ "RSA Conference 2005: "Security: Raising the Bar" (speech transcript)". PressPass. Microsoft. February 15, 2005. http://www.microsoft.com/presspass/exec/billg/speeches/2005/02-15RSA05.aspx. Retrieved 2008-07-30. 
  14. ^ "Microsoft Announces Availability of New Solutions to Help Protect Customers Against Spyware and Viruses". PressPass. Microsoft. January 6, 2005. http://www.microsoft.com/presspass/press/2005/jan05/01-06newsolutionspr.mspx. Retrieved 2008-07-30. 
  15. ^ "Introducing the Microsoft.com Engineering Operations Team". Microsoft TechNet. Microsoft. 2008. http://technet.microsoft.com/en-us/mscomops/cc424867.aspx. Retrieved 30 July 2008. 

External links