WDS and WSUS fallout

Well folks, if you are a System Administrator running Windows Server Update Services (WSUS), then you have had to deal with Windows Desktop Search 3.01 and the havoc it wrecks on computers and networks.

Now, Bobbie Harder, the Program Manager for WSUS, has responded. He states “revisions are only titled as such, when metadata or applicability rules of an update package change, never the binaries.” However, this is a lie.

Quick Background

For those of you who don’t know what all of this is about, here is the quick and dirty. Desktop machines has Windows Update available to allow those machines to connect to Microsoft’s servers, get updates, patches, new tools, and other fun stuff. This can be set to run “auto-magically” and just get everything Microsoft sends out, or it can be told to download the updates, but let you choose what to install, or even not get any updates, just let you know they are there, and finally, not do anything with it at all. That last option allows you go to the Microsoft Update website, and download and install any updates yourself.

This setup works fine for desktops and small businesses, but medium sized businesses, and larger, need something a little more robust. Why? First, think of how much of an Internet connection a single computer updating uses, now think about 150 computers; now think about 1000 computers; now… you get the idea. You need a way to download those updates once, and then have all of your computers talk to the machine that downloaded the update. Also, what if one program your business uses does not work with some of the updates? You would need a way to control which updates are installed, and which are not, for all of your computers.

Now, you have the idea behind Windows Server Update Services. This software is supposed to allow you to approve updates, and then download those to one computer, and have the rest of your computers connect to that one for those updates. You can even create multiple groups of computers, so you can create a test group to send updates to, before sending them out to everyone.

By default, WSUS automatically approves four types of updates: Critical Updates, Security Updates, updates to WSUS itself, and new revisions of updates that have already been approved. Some administrators will turn off the automatic approval for Critical and Security updates, but normally do not turn off the updates to WSUS and new revisions of updates.

What Happened

Microsoft released a new version of Windows Desktop Search for Windows XP and Server 2003, which competes with Google Desktop Search. Both offer the ability to search through your files, including emails, documents, spreadsheets and the like, just like you were searching the web. Also, the search system helps tie in the keywords in your files to web searches, to help you better find related information.

This version was released as 3.01, in WSUS it showed up as a new version. However, under the hood, the WSUS system was told this update was a revision to the 2.6.6 update from January 29, 2007.

Since WSUS defaults to automatically approving all revisions to previously approved updates, many sysadmins found WDS 3.01 approved without their knowledge. Also, there have been sysadmins who proclaim that the previous updates of WDS were not approved, so it still remains to be seen what the final outcome of some complaints are. This does not change the fact that a new version was released as a revision to a previous update.

How is this bad?

The new version of WDS tries to index items such as emails, local documents, networked documents, and information about files such as music and photos. This has caused older machines to slow down considerably while indexing, but the worst problem has been with networks with hundreds, or thousands, of machines. These networks have seen servers become unstable or unusable because of the number of user machines trying to read all of the data on the servers for WDS to index.

For sites with sensitive information, such as hospitals, schools, and businesses with customer information, can find that information copied locally to an index. This index can be on a desktop, or a laptop. Theoretically, a site which has taken steps to guarantee that sensitive information is not kept on laptops, could find that the WDS has copied components of that information to those laptops.

While there have been no data theft due to this, there have been system slowdowns and network downtime/server crashes due to this software. Worse still, sites that have implemented “roll out” or testing environments to test new updates before installing on all systems, have found this “revision” being sent out to their production environments, completely negating the use of test setups.

While there have been ways of removing the software from desktops, there are a number of problems with this. First, if an update is declined, even after it was approved, then WSUS will not show which machines have already installed it. Second, if WDS is installed, and then un-installed, Quick Launch disappears from user’s taskbars. This has caused some confusion on behalf of users who launch basic programs from the taskbar, and may not remember where to find the software otherwise.

What does Microsoft Say

The post mentioned above does say a few things. One, it does confirm that the update was sent as a revision, and that revisions of approved updates are auto-approved by default. It also confirms that this has caused concerns and that the criteria for updates “will be tightened.”

However, Bobbie Harder maintains that “revisions are only titled as such, when metadata or applicability rules of an update package change, never the binaries.” This would mean that revisions consist of only:

• changes to the descriptive text of an update.
  
• information about an update being superseded (replaced) by another update.
  
• an update is approved for use on other products, such as an update approved for Server 2003 and then adding approval for Server 2003 Datacenter Edition.
  

The statement mentions that a revision is not a change in the binaries, which is the actual executable program. Since the new version is significantly different from the old version, either the Program Manager for WSUS is misinformed about the new WDS version which would mean he is lying, but is not intending to be, or he is intentionally lying.

Update

As of Monday, October 29th, the WDS 3.01 update has been expired. Note, a new version has not been released, the update has simply been expired and is no longer available.

This does not change the fact that the problem has already happened.

Advertisement