Options
Windows Updates breaking IE and Anti-virus
Here is the sad and sorry story.
Client has a HP Laptop running Windows Vista SP1. About 4 months ago, she was able to surf the Internet but was unable to login to secure websites such as Yahoo Mail, Hotmail and Online Bank sites.
Anyway, after a lot of investigations, I found out the problem was an update that was installed, namely, update KB974455 (MS09-054: Cumulative security update for Internet Explorer). After, I uninstalled the update, everything was fine. I hid the update so it would not be downloaded again and kept Windows update at the default setting of download and install updates automatically.
4 months later I get a call and guess what, the same problem of not being able to login to secure websites was occuring again. When I check the laptop again, I could not see any evidence that the KB974455 update had been installed again. However, I did notice that it was no longer a hidden update so it theoretically could be downloaded and installed again.
Anyway, after uninstalling a bunch of updates that had been recently installed, I found the culprit, namely update KB976325 (MS09-072: Cumulative security update for Internet Explorer). As you can see, this update supersedes KB974455. This would probably explain why the update was no longer hidden. Both updates are referred to as "a cumulative security patch for Internet Explorer".
Well, feeling very proud of myself that I had once again defeated Windows Updates, I noticed that Avast 4.8 Free was not updated. I tried to update it though the management console and got a message of "cannot connect to 767sl.avast.com". I downloaded the latest definitions file on another computer and then run the update executable on the problem laptop. The update worked and AVAST was up-to-date. I then tried a full uninstall and reinstall but same proplem was occuring.
During troubleshooting, I noticed that IE was now totally broken with all pages coming back as "DNS error". I then uninstalled AVAST and IE was working perfectly again.
I decided to try out AVG Free to see if it was an AVAST problem. Well, guess what, same problem, AVG cannot update automatically or through management console. However, at least with AVG, IE still performs normally so at this stage it is the preffered option.
Where to from here guys?
I have tried a "sfc /scannow" with no luck. I am thinking of installing IE8 and then SP2 for Vista but I hate the fact of having to install more updates to correct previous buggy updates.
I really am over Windows updates completely and have started disabling them on most of my client's (home user) machines. From my experience, for the average home user, most updates are redundant and provide little security improvement.
The only thing is, my business is now suffereing because all my client's machines are running flawlessly now that auto Windows updates have been disabled.
Usually, I update the major updates manually. These would include the following:
1) Service Packs for Windows
2) IE8
3) Junk e-mail filter for Outlook
4) Windows Media player for multimedia users.
Sorry for going of track guys but I have been wanting to say this for ages.
Anyway, your ideas of how to proceed would be appreciated.
Client has a HP Laptop running Windows Vista SP1. About 4 months ago, she was able to surf the Internet but was unable to login to secure websites such as Yahoo Mail, Hotmail and Online Bank sites.
Anyway, after a lot of investigations, I found out the problem was an update that was installed, namely, update KB974455 (MS09-054: Cumulative security update for Internet Explorer). After, I uninstalled the update, everything was fine. I hid the update so it would not be downloaded again and kept Windows update at the default setting of download and install updates automatically.
4 months later I get a call and guess what, the same problem of not being able to login to secure websites was occuring again. When I check the laptop again, I could not see any evidence that the KB974455 update had been installed again. However, I did notice that it was no longer a hidden update so it theoretically could be downloaded and installed again.
Anyway, after uninstalling a bunch of updates that had been recently installed, I found the culprit, namely update KB976325 (MS09-072: Cumulative security update for Internet Explorer). As you can see, this update supersedes KB974455. This would probably explain why the update was no longer hidden. Both updates are referred to as "a cumulative security patch for Internet Explorer".
Well, feeling very proud of myself that I had once again defeated Windows Updates, I noticed that Avast 4.8 Free was not updated. I tried to update it though the management console and got a message of "cannot connect to 767sl.avast.com". I downloaded the latest definitions file on another computer and then run the update executable on the problem laptop. The update worked and AVAST was up-to-date. I then tried a full uninstall and reinstall but same proplem was occuring.
During troubleshooting, I noticed that IE was now totally broken with all pages coming back as "DNS error". I then uninstalled AVAST and IE was working perfectly again.
I decided to try out AVG Free to see if it was an AVAST problem. Well, guess what, same problem, AVG cannot update automatically or through management console. However, at least with AVG, IE still performs normally so at this stage it is the preffered option.
Where to from here guys?
I have tried a "sfc /scannow" with no luck. I am thinking of installing IE8 and then SP2 for Vista but I hate the fact of having to install more updates to correct previous buggy updates.
I really am over Windows updates completely and have started disabling them on most of my client's (home user) machines. From my experience, for the average home user, most updates are redundant and provide little security improvement.
The only thing is, my business is now suffereing because all my client's machines are running flawlessly now that auto Windows updates have been disabled.
Usually, I update the major updates manually. These would include the following:
1) Service Packs for Windows
2) IE8
3) Junk e-mail filter for Outlook
4) Windows Media player for multimedia users.
Sorry for going of track guys but I have been wanting to say this for ages.
Anyway, your ideas of how to proceed would be appreciated.
The oxen is slow but the earth is patient!!!!
Comments
-
Options
tiersten
Member Posts: 4,505
You're advocating that users don't do updates automatically and that you manually install specific ones? Umm... okay...
I've always used automatic updates and everybody else I know does as well in a home environment. I've never had any of the problems you've listed before.
The only time I don't do that is in a business environment where updates are pushed via a WSUS server and are checked by a member of the IT department first. -
OptionsMarkie
Member Posts: 54 ■■□□□□□□□□
I've always used automatic updates and everybody else I know does as well in a home environment. I've never had any of the problems you've listed before.
Ok, so you are saying that because you have never had a problem with particular updates, that would imply that they are flawless and will never cause problems?
I am not advocating anything but rather trying to find a solution to the problem listed.The oxen is slow but the earth is patient!!!! -
Options
dynamik
Banned Posts: 12,312 ■■■■■■■■■□
I would never recommend disabling automatic updates in order to possibly prevent some obscure problem that's very unlikely to occur. That's just asking for trouble.
It sounds like there was a deeper issue (i.e. malware) and the update only brought it to light. You would want to test updates prior to installing if you were using some touchy custom applications (as Tiersten mentioned), but you would be hard-pressed to find applications tested more thoroughly than IE, Office, etc. -
Optionstiersten
Member Posts: 4,505
I'm saying that having a general rule of disabling automatic updates for everybody isn't a good idea.Ok, so you are saying that because you have never had a problem with particular updates, that would imply that they are flawless and will never cause problems?
If Microsoft pushed out an update that broke SSL and AVG/Avast then I'd expect there to be a large amount of publicity followed by a fixed patch. Look elsewhere for the problem. -
OptionsMarkie
Member Posts: 54 ■■□□□□□□□□
Hi Dynamik. Thanks for chipping in. I always respect your posts.
It looks like things have been resolved by installing IE8 so I dont think the issue was malware related.
I am a little bit surprised by your comments given the fact that you only have to google Auto Windows Update problems to find thousands of posts in relation to them.
I am not necessarily against them but I have never been able to find a clear explanation of their overall benefit (besides the obvious arguments).
From my experience in the field, I cannot say that fully updated machines have less problems than machines that are behind in their updates (e.g. a Vista SP2 machine vs a Vista Sp1 machine).
In fact, I woud say it is about a 1:1 ratio between installing an update to correct a problem and uninstalling an update to correct a problem. A great example of this is Internet Explorer where IE updates and IE rollbacks are often required.
If you can maybe expand on your comments or direct me to some other sources of information, it would be greatly appreciated.The oxen is slow but the earth is patient!!!! -
Options
JDMurray
Admin Posts: 13,034 Admin
If these problems are occurring on only one laptop then there is something pathological with that laptop, such as a damaged registry, mis-installed update or driver that can't be properly uninstalled, low-level defect on the disk drive. This is not an indication of a deign or implementation flaw with Microsoft Updates as a whole.
I've wrestled with several Windows systems plagued with Microsoft Updates and BITS problems. The only successful fixes was to find and remove the damaged information in the registry, or simply backup the computer data, perform a low-level check of the drive, and reformat and reinstall Windows, and reapply all updates.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray -
Optionstiersten
Member Posts: 4,505
Doesn't mean anything. People rarely post to say that something works. With any kind of change to a piece of software that is complex like Windows there will be issues and problems along the way. It doesn't mean the entire update system is flawed and should be disabled. People have issues when applying updates to totally closed systems like games consoles. In that environment you should know exactly what configurations and setups exist out there because the hardware and software are tightly controlled by a single company. There are still thousands of complaints and various other sites about it online.I am a little bit surprised by your comments given the fact that you only have to google Auto Windows Update problems to find thousands of posts in relation to them.
If you're patching piecemeal then you will be ending up in configurations that may not have had as much testing done. You may eventually have to apply a patch you skipped because later patches depend on that one being present. If you or the users ever needs to call for support then one of the first things they'll ask you is if you're fully updated. This is in addition to the fixes for bugs and security holes.I am not necessarily against them but I have never been able to find a clear explanation of their overall benefit (besides the obvious arguments).
The potential downsides to updating are that the update may expose an existing bug that was hidden before or that it may contain a new bug.
I'd still recommend that automatic updates are enabled.
I have rarely backed out any patch. The last one I remember doing was back in the Win98 days when there was a patch that affected the memory manager if I recall correctly and made the system significantly slower. The temporary fix was to back out the patch and the permanent one was to just wait for the updated patch from Microsoft.In fact, I woud say it is about a 1:1 ratio between installing an update to correct a problem and uninstalling an update to correct a problem. A great example of this is Internet Explorer where IE updates and IE rollbacks are often required. -
Optionsdynamik
Banned Posts: 12,312 ■■■■■■■■■□
I was a sys admin for 3+ years at one location and then went on to a managed service provider where I managed over a dozen other clients, and I configured them all to use WSUS where all updates were automatically approved and installed. None of them had any sort of configuration where I felt like that would be a problem, and I never had any problems throughout all that time.
Here's the deal, updates undoubtedly will cause problems from time to time. I'm not denying that. I'm saying that the harm from not installing updates can be catastrophic in comparison.
Like this: http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx
You go to my website where I take advantage of that, and I own your machine. I'm not going to irritate you and make your applications randomly crash or anything like that. I'm going to install a key logger or a back door, rifle through your personal files, etc. You will *think* everything is working normally. What is really going on though? What personal information have I been able to glean? How many accounts of yours have I gotten access to? That should terrify you. -
OptionsMarkie
Member Posts: 54 ■■□□□□□□□□
If these problems are occurring on only one laptop then there is something pathological with that laptop, such as a damaged registry, mis-installed update or driver that can't be properly uninstalled, low-level defect on the disk drive. This is not an indication of a deign or implementation flaw with Microsoft Updates as a whole.
I've wrestled with several Windows systems plagued with Microsoft Updates and BITS problems. The only successful fixes was to find and remove the damaged information in the registry, or simply backup the computer data, perform a low-level check of the drive, and reformat and reinstall Windows, and reapply all updates.
Thanks guys for all your comments but I think the above probably sums up my position the best.
I agree that updates are not necessarily the cause of the problem but rather highlight a deeper system problem.
The only problem is that in real-life, very few machines don't have some sort of registry or driver corruption.
Also, most customers dont have the time or budget to match the amount of labour required to debug the system or start from scratch.
I guess what I am saying is that most clients just want to have their system up and running as quickly as possible. So although it may not be best practice, there may be times when simply removing the problem update and possibly disabling auto updates is the next best option.
Depending on the client, I will discuss the issue with them before taking such action.
Thanks again for all your comments.The oxen is slow but the earth is patient!!!! -
OptionsMarkie
Member Posts: 54 ■■□□□□□□□□
Thanks Dynamik for the link. I think we must have been posting at the same time.The oxen is slow but the earth is patient!!!!
