Why Microsoft cannot open Windows Update to third-party developers

This morning I saw a post from Larry Seltzer rehashing the argument that Microsoft should be allowing the deployment of third part updates via Microsoft Update.  (He uses the older term “Windows Update” which is for Windows products only.   Microsoft Update is the term for the update server for the broader group of Microsoft products).  He argues, there are so many vulnerabilities that it is time consuming to keep up with it all.   Additionally it is difficult to verify the source of programs.  

The ink hadn’t even tried on that post when antimalware firm ESET reported on malware they had found in the Microsoft Update Catalog.  

Microsoft actually does include some third-party developed things in Microsoft Update.   They do this so you don’t have to install drivers every time you add new hardware, or plug something into the USB port.   Windows can updates drivers from Microsoft Update.   In this case Microsoft was serving up a remote access trojan when it installed battery charger management software.  

That is just a small example of what is feared both by the consumer and by Microsoft when we talk about opening up Microsoft Update to third-party developers.

ESET has a followup post from someone with insight on the antimalware scanning process for files available publically at Microsoft.   Their author feels it is impractical to scan the TB of update files Microsoft already has posted, and not respectful to Mother Earth.   I think it is rather easy to say ‘let the consumer’s desktop antivirus detect it’ when it is no longer your reputation on the line and no longer your desktop getting infected and you work for a desktop antivirus company.  

As the ESET blog posts say, this is a rare event.   I fear it would be many times worse if Microsoft were also allowing multiple venders to push their updates through Microsoft Update.   This is why MIcrosoft cannot open Microsoft Update to third-party developers.

6 Comments

  1. I don’t think the desire is to have microsoft push the updates so much as to have a standard interface by which a person can see all available updates. Clearly identifying where they come from is reasonable (if not expected). This doesn’t add risk (third party programs already have all sorts of auto update routines), it just means that instead of playing “guess the update routine” a person can simply go to one place. I actually can’t think of any downside to a standard interface for advertising updates, as opposed to the complicated mess that exists on windows today.

    • I’ve seen plenty of articles where the idea was specifically to have microsoft push the updates.

      Your idea where microsoft appears to endorce third parties pushing updates is worse for them. Liability without control.

      I think most people are advocating a Google Chrome model of updates. Just do it and dont bug me about it. Not my favorite model, but statistics show it does get the update done.

  2. “and not respectful to mother earth”? The author tries to touch on some issues with scanning multiple terabytes of data, no trees were hugged in the making of that article. Perhaps you have a grudge against the guy that we don’t know about?

    In the end, once Intel’s “next-gen game changer” is released, it will be a snap. Right? Ha.

    • The ESET author suggested excessive energy consumption is a good reason for not scanning the files you serve to people. I say Microsoft has a corporate responsibility not to be serving up malware from Microsoft Update.
      Contrary to what you suggest Rick, I found Randy Abrams’ post at ESET to be very interesting and knowledgeable. But on that one point it was laughably politically correct.

  3. I think its annoying having soo many programs that do the same thing running. EG. I have an adobe updater, apple update, MS update, as well as a load of programs I have to update manually.

    Making windows update work for all programs would save my computer a lot of backround resources.

  4. Why not A seperately branded ‘Windows 3rd party updater’. With a tie in to your virus scanning package to make sure everything coming in has been checked, and to ensure that positives are fed back to MS and software updates are flagged as dodgey. At least this way updates would all go through the front door, with someone keeping an eye on their behaviour.

    Liability laws protect some things and ruin everything else. It’s a shame many people have a mentality of thinking everything is someone elses problem.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>