The real question about

By Larry Seltzer  |  Posted 2004-07-08 Print this article Print

AutoPatcher"> But the question thats been on my mind since I heard about this is how can they do it? Lots of software included in this program has license restrictions against redistribution. Did they give permission to AutoPatcher? I dont know.

For example, AutoPatcher includes the Blaster removal tool (KB833330). The KB article for this tool says:
    Q4: May I redistribute KB833330.exe?
    A4: No. All customers must download KB833330.exe from the Microsoft Web site.

AutoPatcher also includes the freeware tool PsShutDown from Sysinternals, which is a better command-line shutdown tool. The license for this tool makes it clear that you need a commercial license (i.e. one that costs money) from Sysinternals to redistribute it. The Google Toolbar license also clearly prohibits such copying without permission from Google.

I could go on with the specifics, but I suspect there are a lot of similar problems. AutoPatcher doesnt make the user consent to the EULA for each patch as Windows Update does. Maybe this is "better" than Windows Update, but thats not the point.

I asked the guys listed as authors for AutoPatcher about all this. The one who responded was uncomfortable answering all the legal stuff and had just speculation about the missing patch. I also asked Microsoft about AutoPatcher, and they said, "Microsoft does not authorize redistribution of Windows updates in this manner."

Finally, I asked Eric Schultze, head R&D guy at major patch management vendor Shavlik Technologies and a former senior Microsoft security tech guy. Schultze said, "Microsoft has a policy (and a EULA in some cases) that prohibits redistribution of Microsoft security patches. When I worked at MSRC, if we found sites that were rehosting or redistributing patches, wed send that info along to the MS legal team and theyd send letters to the offenders, asking them to stop."

Real commercial patch management vendors like Shavlik dont bundle up the patches like AutoPatcher; they direct the user to the patches on Microsofts site. Obviously at this point you can create your own local cache of patches, but Microsoft argues that its important for you to get the patches from them, rather than from some third party, and they have a good argument. Actually, there are one or two other vendors who have tried this, and these people get cease and desist letters from Microsofts lawyers. The AutoPatcher guy said they have received no such letter.

I got a lot of e-mail from you readers about AutoPatcher, and I do like the product. I just think it would have been done long ago by a for-profit company if it were legal to do.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms Security Center at for security news, views and analysis.
Be sure to add our security news feed to your RSS newsreader or My Yahoo page:   More from Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel