Please do NOT advise your users to turn off automatic updates because of *one* problem update
The latest “Rollup for ActiveX Killbits for Windows” (KB960715) is causing problems for some third party applications that are dependent on the disabled controls.
One application that has problems, “Office Tools Professional”, is advising its users to not only uninstall the Killbit patch (thereby restoring the broken functionality), but also to “turn off automatic updates”. Please do not turn off automatic updates. Simply uninstall the problem patch.
Office Tools Professional is wrong to tell its customers to “turn off automatic updates” just because *their* program has been negatively impacted by *one* patch. Yes, they should tell their customers warn them of the problem and to uninstall 960715 until OTP has been updated to resolve the problem - yes they should put an alert up on their support site and a new article in their Knowledge Base about the issue – BUT THEY SHOULD ALSO tell their clients to read the relevant Security Advisory so that their clients understand what they are doing, are aware of the impact that removing the update will have, and are aware of any available workarounds that can be used in place of the patch. They should also make sure to tell their clients that if they “turn off automatic updates” they may be exposed to elevated risk because future security updates will not be installed unless their clients remember to go out and get them manually.
I can understand that OTP may be worried that users who have set their systems to automatically download and install patches may be impacted again next month, but there is no reason why they cannot supply step by step instructions to their customers to show them how to change their patching protocols to “download but do not install” and then selectively install all but the problem patch.
What happens to their customers next month if/when the next round of security patches come out if automatic updates has been turned off completely? What if there is a patch for a show-stopper security vulnerability that is actively being exploited? What if their clients don’t install *that* patch because of OTP’s advice, and they then get hit by a nasty? Historically, I have seen plenty of software companies tell customers to “turn off automatic updates” when a problem with a particular patch is discovered that affects their software, but I cannot remember a single time when the same company has sent out another email later saying “ok, problem fixed, turn AU back on again”. Nor have I seen software companies send out emails to say “we told you to turn off AU last month; please make sure you manually download and install this months patches but don’t install patch X”.