Thanks to the many readers of my last column who pointed me toward AutoPatcher. I had been complaining about the lack of a good offline patching solution from Microsoft, and that's what AutoPatcher tries to be. I decided to give it a spin on my own.
First of all, it's free. Not, as the anarchist left of the software world would say, as in speech, but free as in beer. You, in turn, are free to make a donation to the project.
It's a series of tools combined with the actual Microsoft patches. Right now there is only a Windows XP version, but the authors say they are working on Windows 2000 and 2003 versions. There's a lot more than just patches in this package. It also installs a variety of tools and third-party products. There's the Microsoft Bootvis tool, which is a diagnostic for improving boot performance. There's the Sun Java VM 1.4.2_04. There's the Microsoft Baseline Security Analyzer 1.2, the SharePoint Migration Tool, a whole mess of screen savers from lots of sources, the Macromedia Flash and Shockwave players, the Google Toolbar, and, as they say, much, much more!
There are actually four Windows XP versions: Full, Update, Lite and Ultralite. Update requires a system fully updated as of February. The others just have differing amounts of the stuff described above and weigh in at approximately 88MB, 143MB and 260MB. That's a long download even on a fast connection.
I restored a ghost image of a Windows XP Pro system that I had imaged on March 4 of this year. I turned off automatic updates as soon as it booted. The downloaded executable extracted a directory structure with an executable and autorun file at the top. This structure is what you want to burn to a CD to carry around, so that's what I did.
After making you agree to its own license agreement, the program, which does let you redistribute it as long as you don't charge for it, modify it or try to call it your own, confirms that you want to scan the registry and deselect previously installed hotfixes.
It recommends disabling any anti-virus software for a completely silent install and warns that AutoPatcher is only for English versions of Windows. Then it opens a long outline control of system components and updates with some boxes checked and others not. There's an option to keep hotfix backups that's selected and recommended.
This is when you actually start the process. The initial estimate for my system was 132 minutes. It actually took just about an hour. At some point the Windows Display Properties comes up. This must have been a side effect of AutoPatcher installing new screen savers and changing the default one. Then I clicked Finish, and the system restarted.
The next obvious step was to run Windows Update. I saw three critical updates and nothing else. The first one, "Critical Update for ADODB.stream (KB870669)", was released Wednesday, so no surprise. The second one, "Security Update for DirectX 9.0 (KB839643)", was released June 8, so I can see why it wouldn't be in the June version. But the third update, "Security Update for Microsoft Data Access Components (KB832483)", goes back, as best I can tell, to Jan. 13. It must be an AutoPatcher bug.
The total download for all three updates was about 2.5MB, so it's not that horrible to finish up even for a modem user. The one problem aside, I think it worked really well.
The real question about
But the question that's been on my mind since I heard about this is: how can they do it? Lots of software included in this program has license restrictions against redistribution. Did the rights holders give permission to AutoPatcher? I don't know.
For example, AutoPatcher includes the Blaster removal tool (KB833330). The KB article for this tool says:
A4: No. All customers must download KB833330.exe from the Microsoft Web site.
AutoPatcher also includes the freeware tool PsShutDown from Sysinternals, which is a better command-line shutdown tool. The license for this tool makes it clear that you need a commercial license (i.e. one that costs money) from Sysinternals to redistribute it. The Google Toolbar license also clearly prohibits such copying without permission from Google.
I could go on with the specifics, but I suspect there are a lot of similar problems. AutoPatcher doesn't make the user consent to the EULA for each patch as Windows Update does. Maybe this is "better" than Windows Update, but that's not the point.
I asked the guys listed as authors for AutoPatcher about all this. The one who responded was uncomfortable answering all the legal stuff and had just speculation about the missing patch. I also asked Microsoft about AutoPatcher, and they said, “Microsoft does not authorize redistribution of Windows updates in this manner.”
Finally, I asked Eric Schultze, head R&D guy at major patch management vendor Shavlik Technologies and a former senior Microsoft security tech guy. Schultze said, "Microsoft has a policy (and a EULA in some cases) that prohibits redistribution of Microsoft security patches. When I worked at MSRC, if we found sites that were rehosting or redistributing patches, we'd send that info along to the MS legal team and they'd send letters to the offenders, asking them to stop."
Real commercial patch management vendors like Shavlik don't bundle up the patches like AutoPatcher; they direct the user to the patches on Microsoft's site. Obviously at this point you can create your own local cache of patches, but Microsoft argues that it's important for you to get the patches from them, rather than from some third party, and they have a good argument. Actually, there are one or two other vendors who have tried this, and these people get cease-and-desist letters from Microsoft's lawyers. The AutoPatcher guy said they have received no such letter.
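Two checks a cautious administrator would run after using any third-party patch bundle, as an added example that is not part of the column or of AutoPatcher itself: confirm which of the KB numbers mentioned above the system actually reports as installed, and confirm that every patch file in the bundle still carries a valid Microsoft Authenticode signature, since a repackaged file that was altered after signing shows up as anything other than Valid. It assumes the bundle was extracted to C:\AutoPatcher (a placeholder path) and that PowerShell is available on the machine being checked.

```powershell
# Added example, not the column's or the AutoPatcher project's own code.
# Assumption: the bundle was extracted to this placeholder path.
$bundleRoot  = 'C:\AutoPatcher'
# KB numbers named in the column: the three Windows Update found missing,
# plus the Blaster removal tool the bundle redistributes.
$expectedKBs = @('KB870669', 'KB839643', 'KB832483', 'KB833330')

# 1. Compare the expected KBs against what the OS reports as installed.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $expectedKBs) {
    if ($installed -contains $kb) {
        Write-Output "present : $kb"
    } else {
        Write-Output "MISSING : $kb  (obtain it from Microsoft, not from a mirror)"
    }
}

# 2. Verify the Authenticode signature on every patch executable in the bundle.
#    A file is only trusted as a Microsoft patch if the signature is Valid
#    AND the signing certificate is issued to Microsoft Corporation.
Get-ChildItem -Path $bundleRoot -Recurse -Include *.exe, *.msi, *.cab |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer = $signer
            TrustedMicrosoftPatch = ($sig.Status -eq 'Valid') -and
                                    ($signer -match 'O=Microsoft Corporation')
        }
    } |
    # Report only the files that fail the check; an empty table is the good outcome.
    Where-Object { -not $_.TrustedMicrosoftPatch } |
    Format-Table -AutoSize
```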
I got a lot of e-mail from you readers about AutoPatcher, and I do like the product. I just think it would have been done long ago by a for-profit company if it were legal to do.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.