Vista SP1 impatience is an opportunity for malware

The unofficial Windows Vista Forums have posted a download link for the final release of Windows Vista Service Pack 1. No doubt there are many others. The post includes a health warning:

We must strongly note that using this file may violate the End User License Agreement from Microsoft.

but adds:

Given that some people are indeed having major technical problems and “bugs” with Windows Vista, we have made the decision to offer this download without malicious intent, strictly for the purposes of open technical support and community assistance for legitimate Windows Vista customers. We have not received authorization to distribute this file, but at the same time have received no request not to do so. This file will become unavailable should any request be made by Microsoft or any owner of this content to do so.

The downloads are digitally signed, so I should think they are the real thing but of course cannot guarantee it.

The real question: what was Microsoft thinking when it announced that the service pack was done, but said that users would not get it until mid-March?

In mid-March, we will release Windows Vista SP1 to Windows Update (in English, French, Spanish, German and Japanese) and to the download center on microsoft.com.

If for some reason Microsoft did not want its users to benefit from the service pack until mid-March, it had a simple solution: don’t announce it until then. Too late now.

Then again, why does Microsoft want to defer this release for over a month? It is putting users at risk, because they will resort to unofficial downloads like the one above, and that’s an opportunity for malware.

Microsoft: put SP1 up for download now and solve this utterly predictable problem.

Postscript

I should add that Microsoft did give a reason for postponing the SP1 release. It relates to what Microsoft describes as a small number of device drivers which “do not follow our guidelines for driver installation”. Apparently this can result in non-working drivers, though users can fix the problem by reinstalling them. Mike Nash adds:

While we know that most customers who update from Windows Vista to SP1 will NOT be affected, our approach is to improve the experience for all our customers. To do this, we will begin making SP1 available through Windows Update in mid-March, giving us time to work with some of our hardware partners to make adjustments to the installation process for the affected drivers. As SP1 gets delivered through Windows Update, we will only offer it to PCs that we detect don’t have any of the affected device drivers installed. We’re taking the next month or so to continue our work of identifying as many of these devices as possible.

The point here is that getting SP1 through Windows Update is not quite the same as downloading and running the large single file. If you go through Windows Update, you get a differential download and more intelligence about what is actually downloaded.

I still don’t get it. If there is a problem with the device driver installation, is SP1 really done? Further, what is to stop Microsoft offering the update for manual download with appropriate health warnings? Better than all these unofficial downloads, I would have thought.
