Windows Update downloads insecure versions
I’ve just run a manual Windows update on three Windows boxes today that are normally run by non-admin users. This is still necessary since, although they are all set to ‘auto-update’, the updates get downloaded but the actual updates do not take place unless an admin logs into the machine. I wonder how many PCs around the world are delayed in installing critical security updates because of this? However, that is an aside as it is not the reason for this post.
On all three machines, as well as the critical update, I also installed updates for .NET 1.1, .NET 2.0 and the latest Windows Media Player. After installing and rebooting, I always make a habit of logging in again as admin and forcing a recheck for any other updates: on all three machines it was then identified that critical security patches were required for all three of these newly installed items.
This means that the components Microsoft offers through Windows Update are unpatched baseline builds, even though Microsoft knows they need patching: the same service has the fixes ready and offers them on the very next check.
Since the initial install ends with the mandatory Microsoft ‘your mouse has moved, please restart to update changes’ reboot, it is quite likely that whoever installed it will then hand the machine back to a non-admin user. Automatic Updates may download the follow-up patches, but it will not install them until an admin logs in again, so the machine carries on running new software with a known critical flaw, with nobody the wiser.
Surely it makes perfect sense to have the initial download fully patched.
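The recheck habit described above, scripted so it can be run from an elevated session right after the post-install reboot. This is an added example, not code from the original post or from Microsoft; it uses the Windows Update Agent COM objects (Microsoft.Update.Session and Microsoft.Update.SystemInfo), which are part of Windows, and assumes the machine can reach its update source (Microsoft Update or a WSUS server). It forces a fresh detection, lists every applicable update that is not yet installed, and flags the two states the post is about: critical patches that appear straight after a component install, and updates that are already downloaded but waiting for an admin to install them. With the hypothetical -Install switch it installs the critical ones before the machine is handed back to a non-admin user.

```powershell
# Added example (not from the original post). Re-run the "log in as admin and recheck"
# step via the Windows Update Agent COM API and report what is still outstanding.
# Assumptions: run as an administrator; update source reachable; -Install is this
# script's own switch, not a Windows Update option.
param([switch]$Install)

# A non-admin user can see what is pending but cannot install it, which is the
# whole problem the post describes, so refuse to run unelevated.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an administrator session.' }

# If the last install still wants its reboot, detection and install can stall.
$sysInfo = New-Object -ComObject 'Microsoft.Update.SystemInfo'
if ($sysInfo.RebootRequired) {
    Write-Warning 'A reboot from a previous install is still pending; reboot first, then re-run.'
}

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$searcher.Online = $true   # go to the update source, do not trust the cached scan

# Applicable software updates that are neither installed nor hidden by the user.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$pending = @(foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Severity   = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Downloaded = [bool]$u.IsDownloaded   # fetched by Automatic Updates, not yet installed
        Title      = $u.Title
    }
})

$critical   = @($pending | Where-Object { $_.Severity -eq 'Critical' })
$downloaded = @($pending | Where-Object { $_.Downloaded })

'{0} applicable update(s) not installed; {1} rated Critical; {2} already downloaded and waiting for an admin to install.' -f `
    $pending.Count, $critical.Count, $downloaded.Count
$pending | Sort-Object Severity, Title | Format-Table Severity, KB, Downloaded, Title -AutoSize

if ($Install -and $critical.Count -gt 0) {
    # Install only the Critical-severity items now, so the box is not handed back
    # to a non-admin user with a known critical flaw in freshly installed software.
    $coll = New-Object -ComObject 'Microsoft.Update.UpdateColl'
    foreach ($u in $result.Updates) {
        if ($u.MsrcSeverity -eq 'Critical') { [void]$coll.Add($u) }
    }
    $dl = $session.CreateUpdateDownloader()
    $dl.Updates = $coll
    [void]$dl.Download()

    $inst = $session.CreateUpdateInstaller()
    $inst.Updates = $coll
    $r = $inst.Install()
    # ResultCode 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed (OperationResultCode)
    'Install result code {0}; reboot required: {1}' -f $r.ResultCode, $r.RebootRequired
}
```

Run it once after every reboot until it reports zero pending updates and no reboot required; as the post found, a component that was clean on the first pass can need a critical patch on the second.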