Microsoft Updates Both XP and Vista Without User Permission or Notification

The details are still fuzzy, but if this is true, it's a huge deal.

Not that Microsoft can do this; that's just stupid company stuff. But what's to stop anyone else from using Microsoft's stealth remote install capability to put anything onto anyone's computer? How long before some smart hacker exploits this, and then writes a program that will allow all the dumb hackers to do it?

When you build a capability like this into your system, you decrease your overall security.

Posted on September 17, 2007 at 6:12 AM • 60 Comments

Comments

Thomas • September 17, 2007 6:41 AM

"""But what's to stop anyone else from using Microsoft's stealth remote install capability to put anything onto anyone's computer?"""

I assume the updates are digitally signed, so you _might_ be able to fool someone into downloading something, but the OS should refuse to run it (assuming you can't fake the signature by, say, fooling verisign into giving you a microsoft key).

Paeniteo • September 17, 2007 6:59 AM

AFAIK, all Microsoft updates are digitally signed. Furthermore, verification is an automatic process, so "clicking away warning dialogs" is not much of an issue.
Therefore, exploitability appears to be low.

Stephen B • September 17, 2007 7:01 AM

"When you build a capability like this into your system, you decrease your overall security."
- That depends. If this is in essence, the default global system - a standard, then yes. That is a potential security flaw. It denigrates security by having a single common point of failure - same way that an anti-virus engine has a single common point of failure in how they update - no matter what version or type of product they use.
(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2864)

On the other hand, if that's the way you have set up and update your systems through one method (such as Microsoft's SMS pushing Microsoft patches), the fact that there are more than one way of deploying patches will not denigrate overall security of Microsoft users so much.

Still. They really ought to have released this as a standard gold-patch. I wonder how many systems it has polluted...

igloo • September 17, 2007 7:10 AM

The problems arise (and have arisen) when one is conserving particular checkpoints through the OS update process so that one can refer back to particular versions for reference when checking out applications and security issues.

"Oh sorry, that version that was particularly vulnerable has been updated through the backdoor so that we can no longer research it !!!!!!!!!!!"

At least Apple still gives you the option of updating or not - as far as I know..............

Julian • September 17, 2007 7:20 AM

I can see that the whole concept of automatic updating might be a security hole (whether on Windows, OS X or Linux), but don't see why this recent news makes it any different. Most users have their PCs set to update automatically anyway. The fact that a few more get the update program itself updated automatically when they didn't know this would happen, isn't in essence any different. Presumably Windows queries a Microsoft web site for any updates, so either the web traffic would have to be diverted or else a rogue program placed on the Microsoft site. In either case, the end PC isn't the problem.

Konrads • September 17, 2007 7:26 AM

I agree with other commenters, that exploitation without obtaining keys seems to be low.
However, the mere fact that it is possible to push some changes when explicitly said not to, could lead to at least social engineering attacks, and user is tricked into accepting it.
Stealth updates bad. Period.

Victor Bogado • September 17, 2007 7:37 AM

There are other, social, problems. If this has been done behind the user's back they cannot admit doing it, so failed secret updates could be a headache to the user, since MS will not want to get out and say that they had screwed up.

And even if an attacker cannot really patch a windows this is not all the problem, we don't know how this secret updater is developed, but if an attacker could push several false "updates" the machine will have to check if the signature is ok with all of them and this could be a good way to craft a denial of service attack.

Wyle_E • September 17, 2007 7:45 AM

I don't know who originated this mashup of Arthur C. Clarke and Napoleon, but it's appropriate here: "A sufficiently advanced incompetence is indistinguishable from malice."

Sparky • September 17, 2007 7:46 AM

There may be an attack vector, even if the updates are signed by Microsoft. The signed updates would always be silently accepted. If Microsoft ever signs an update which later turns out to be vulnerable to some attack (this has happened before with signed activeX components), an attacker could re-push this vulnerable update and introduce a known vulnerability into the target system.
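Sparky's point as an added example (not part of the original thread, and not Microsoft's code): a client that installs anything carrying a valid vendor signature will also install an old, validly signed build, so it needs a version check and, given the post's complaint, a consent gate. The toy RSA key, the `UpdateClient` class, the `update-agent` component and its version numbers are all constructed assumptions.

```python
import hashlib
import json

# Toy RSA key pair, constructed for this example only: two small Mersenne
# primes, no padding. It stands in for the vendor's real code-signing key.
_P, _Q = 2**127 - 1, 2**89 - 1
N, E = _P * _Q, 65537                  # public key, shipped inside the client
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent, vendor side only


def _digest(manifest: dict) -> int:
    """Hash the canonical JSON form of a manifest into an integer below N."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N


def vendor_sign(manifest: dict) -> int:
    """Vendor side: sign a manifest with the private exponent."""
    return pow(_digest(manifest), _D, N)


def signature_ok(manifest: dict, signature: int) -> bool:
    """Client side: verify using the public key only."""
    return pow(signature, E, N) == _digest(manifest)


class UpdateClient:
    """Hypothetical update client; names and decision strings are assumptions."""

    def __init__(self, installed: dict, notify_only: bool):
        self.installed = dict(installed)   # component -> version tuple
        self.notify_only = notify_only     # user chose "tell me first"
        self.audit_log = []                # every decision is recorded

    def offer(self, manifest: dict, signature: int, user_approved: bool = False) -> str:
        decision = self._decide(manifest, signature, user_approved)
        self.audit_log.append(
            (manifest.get("component"), manifest.get("version"), decision)
        )
        return decision

    def _decide(self, manifest, signature, user_approved):
        # 1. Authenticity: only the vendor's key can produce this signature.
        if not signature_ok(manifest, signature):
            return "rejected: bad signature"
        name, offered = manifest["component"], tuple(manifest["version"])
        # 2. Freshness: a validly signed but older build is a replay.
        if offered <= self.installed.get(name, ()):
            return "rejected: not newer than installed version"
        # 3. Consent: a valid signature does not override the user's setting.
        if self.notify_only and not user_approved:
            return "pending: user approval required"
        self.installed[name] = offered
        return "installed"


if __name__ == "__main__":
    # Constructed sample manifests.
    old = {"component": "update-agent", "version": [1, 0], "sha256": "aa" * 32}
    new = {"component": "update-agent", "version": [1, 2], "sha256": "bb" * 32}
    client = UpdateClient({"update-agent": (1, 1)}, notify_only=True)
    print(client.offer(old, vendor_sign(old), user_approved=True))
    print(client.offer(new, vendor_sign(new)))
    print(client.offer(new, vendor_sign(new), user_approved=True))
    print(client.audit_log)
```

The freshness check only helps if the installed-version record is itself protected from tampering; that storage is outside this sketch.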

Anonymous • September 17, 2007 7:48 AM

The crucial issue here is that the updates were installed 'even when users have turned off automatic updates and without notifying users'. Let's for a minute assume the procedure is 100% secure (hmmm...) and it cannot be exploited by others. That still leaves me with the question to which extent I would trust Microsoft. With access to this level of a system basically MS could do anything it wants.

bob • September 17, 2007 7:53 AM

Exactly. If you had authorized a "I need to download this to keep the download capability functional" you would be aware something had changed and be on your guard, might notice suspicious behavior that started right after that.

This way the hacker gets a free shot.

greg • September 17, 2007 8:00 AM

So I'm supposed to trust the security of a security check (Signature on updates) written by a group that won't even tell me that potentially core modules are getting updated?

Sorry, but no cigar. I hate all forms of auto updates. I want to know when things change, not find out when it all comes crashing down.

Roxanne • September 17, 2007 8:02 AM

If I'm understanding this correctly, a would-be miscreant would need to steal the update en route, with the digital signatures intact, and then change the content of the 'upgrade'. I have no idea how hard this would be in practice.

All the security in the world doesn't help if the key - the digital signature - has been embedded in another piece of software.

igloo • September 17, 2007 8:18 AM

It IS socially irresponsible not to keep your OS updated so that it stays as "secure as possible" - I know! I delete a lot of spam from zombie systems from South America through Russia to China - and the average Joe Blow doesn't know enough to make an informed decision when asked to accept an update.
My mother would not know anything about public or private keys, but there are those of us who might have a need to refuse a particular update at this particular time through an informed decision.
We (Microsoft) should not assume the lowest common denominator and force changes through the back door. Socially irresponsible or not, it has to be left to the user to accept or not any particular update.
If the user is not doing the right thing, then we have to educate hir so that they make an appropriate decision. Either that or educate our programmers to design and implement an appropriately secure OS in the first place.

Jason • September 17, 2007 8:19 AM

Nate Clinton, Program Manager for the Microsoft Windows Update Team, says you can turn off this update without consent behavior by disabling the Automatic Update feature.

"WU does not automatically update itself when Automatic Updates is turned off, this only happens when the customer is using WU to automatically install upgrades or to be notified of updates."

http://blogs.technet.com/mu/default.aspx

Josh O • September 17, 2007 8:26 AM

@Roxanne:

It uses public key encryption which enables one to verify a signature without being able to duplicate it if you make changes to the signed content.

igloo • September 17, 2007 8:33 AM

Whatever Nate Clinton is trying to say, updates were still pushed through when Auto Update was switched off:

http://tinyurl.com/yu83aa

He's trying to justify it but the process still exists and is used by Microsoft if not by anyone else...yet!

guvn'r • September 17, 2007 8:36 AM

@Alex (posting anonymously), it's not that MS could do anything they want, it's that they *have* done something that contravenes explicit user directions.

Since disabling automatic updates requires a user command input, pushing an update after they were disabled is simply doing something to a customer system that the system owner has clearly stated is undesired.

To someone (such as myself) who has administered systems required to be under a formal change control process this capability seems both offensive and dangerous.

igloo • September 17, 2007 8:43 AM

@guvn'r - "To someone (such as myself) who has administered systems required to be under a formal change control process this capability seems both offensive and dangerous."

Thank You!

merkelcellcancer • September 17, 2007 8:51 AM

I noticed this activity as I have both windows automatic update turned off and under services background intelligent transfer service and automatic updates disabled until I am ready to approve Microsoft updates.

I noticed that updates, when enabled, refused to function indicating that missing files were causing a malfunction, then it proceeded to install those "missing files" outlined in this article. Still did not ask my permission or explain what the missing files function(s) were.

This has to stop!

Woo • September 17, 2007 8:57 AM

@Jason: you might want to read up on some of the reports there and on the IW page. The WU update installed itself on many computers that even had updates set to off. This is a serious privacy violation.

Dale. • September 17, 2007 8:58 AM

Beyond hacking the system from the outside, consider:
- An update that causes catastrophic breakage. Ask the Telcos about that bit of fun.
- Rogue Microsoft employee, pissed at the world, decides to cause grief.
- You've Been Investigated. Warrantless wiretap installed. You're innocent, so you have nothing to fear.

Roxanne • September 17, 2007 9:48 AM

The other capability this delivers is for law enforcement to place a keylogger on a computer as part of the OS, if Microsoft agreed to do it. Since there's a quid pro quo there - we won't go after you for being a monopoly if you let us spy on people - this is probably the real danger.

Just what is in your OS, anyway? Hmmm...

DZG • September 17, 2007 9:58 AM

Aside from the security issues that are being discussed, there's something else that everyone should keep in mind. What Microsoft has done is illegal. Unless you concede that somebody else owns the software on your computer, then Microsoft is buggering around with your property. There's also the anti-hacking laws covering unlawful network access. I don't know how the laws are actually written, but as I understand them, anyone who accesses a network without authorization of the network owner/operators is committing a felony. MS may now well be guilty of thousands of offenses of this nature.

moz • September 17, 2007 9:59 AM

Let's be totally clear there were four modes 1) install auto 2) download and inform 3) inform 4) do nothing. In mode 4 contact with the windows updates server was disabled so they (probably??) couldn't update even if they wanted to. The updates happened in modes 2 and 3 contrary to the settings and documentation. Anyone with intrusion detection procedures would have flagged an intrusion.

The big deal is that it was documented that your computer won't be changed and actually it was. That means they had a backdoor to control your computer when they claimed they didn't have. That means their security policy is that Windows users don't have any reason to have protection against MS.

If this was the first ever issue like this, I think people would have the right to complain. However, when you choose to use Windows, you automatically accept that an MS backdoor is acceptable to you.

Mediterranean • September 17, 2007 10:01 AM

Bruce: You're on vacation and someone else is blog-ing for you, right?

I mean, the way you use the term, "hacker" ....

paul • September 17, 2007 10:34 AM

This makes Microsoft keys into an exceptionally high-value target (or would if the porosity of the rest of the system didn't make installing and running arbitrary code easy enough already -- sort of a reverse of defense in depth).

It's an interesting question whether this is a federal crime in the US -- it seems you have to have some kind of scheme that's being furthered by unauthorized access, or else damage that imposes costs on the users. Both of those have been interpreted fairly broadly in the past, though.

Orihara • September 17, 2007 10:47 AM

Someone else does own the software on your computer. Microsoft does (at least some of it, anyway (most likely)). You own a license to use that software. In allowing WU to query for updates, you have given them permission to access the network. In other words, trying to claim this is illegal won't fly.

I'm fairly certain that the info WU sends isn't able to identify a given computer, so you can't install a warrantless wiretap on it without cooperation of both MS and whatever ISP you have (to be able to redirect to the fake WU server).

The moral of this story is that: just like you must accept that administrators can do anything they like to your systems, you also must accept that privileged software writers can do the same if they can access your system. (Privileged software defined as anything that runs at administrator or higher level.) Of course, this should be nothing new.

FP • September 17, 2007 11:20 AM

Not to condone Microsoft's behavior and (bad) publicity -

My understanding that I distilled from the various conflicting sources is that some Windows Update files were modified when contacting the Windows Update service.

That's just like browsing to some Web site and having some Active X controls updated in the process. Depending on security settings, that happens automatically. You don't think of updating your computer when browsing the Web, but that's just what happens. And microsoft.com is probably preset with the highest "allow everything" permissions.

That would explain how "Windows is updated" when checking for updates. Still a bad practice if the user has chosen manual upgrades.

So far, Microsoft has not admitted to updating any files if upgrades were disabled, and I have seen conflicting reports if that occurred or not, so I'll wait for the dust to settle on that one.

We all know what's going to happen -- the most that will change is another clause in the EULA stating the fact.

That won't change unless forced by legislation. Unfortunately, the current practice is that everything's legal if it is mentioned in that single sentence within the 50 page click-through EULA.

Durable Alloy • September 17, 2007 11:56 AM

You'd be amazed at the number of people that have access to the internal build machines that produce patches for Windows. It would take only one person to wreak havoc with a package that installs a rootkit or other malware.

So yes, this is indeed a big deal.

tk • September 17, 2007 12:15 PM

Apart from the security angle it boils down to a question of trust.
Can you trust Microsoft to honor the settings you put into your installation? Obviously you can't. You set it to 'inform only' and it will still install it.
So what other setting will Microsoft ignore? Desktop background? Audio volume? Local ACLs? Firewall rules?

I lost my 'faith' in the automatic update when they pushed the WGA notification as critical security update. This is just one more point to mark Microsoft as not trustworthy. Maybe if there are no scandals like this in the next 10 years, I might consider switching back to Windows.

It's easy to lose trust, but much harder to gain it back. And no kind of "This will not happen again" press release will gain it back.

TellItLikeItIs • September 17, 2007 12:24 PM

In my corporate business environment, we have Windows Update turned on for automatic updates, yet this silent update did not run. In fact, we are still using Windows update modules from May 2006, so Windows Update did NOT have to be updated for Windows Update to continue to work.

Kadin2048 • September 17, 2007 12:25 PM

I find it amazing that so many people seem to be comfortable saying 'it's digitally signed, it's no problem.'

To say that those keys are "high value" is a bit of a gross understatement. Imagine that you had a key that would let you arbitrarily load software onto 90+% of the computers in the world. How much would something like that be worth to the right person? It's certainly a hell of a lot more than they're paying a lot of people at Microsoft. Heck, it's probably more than a lot of people working at Microsoft are going to make in their entire lifetime. (And if you just wanted to get the code long enough to cause a problem, it would definitely be worth enough to kill a few people for.)

That's a nuclear-weapons-grade secret, and it sure doesn't give me the warm fuzzies that Microsoft has it.

Jared • September 17, 2007 12:40 PM

-- Someone else does own the software on your computer. You own a license to use that software

Right, except that line of reasoning's a joke. A product acquired by a one-time payment, with cash, anonymously, from a third-party retailer, with no notification of the sale sent back to the company, nor any requirement to return said product under any circumstances, is a "license"? Sounds an awful lot like a "purchase" to me. Not a loan, nor a rental, nor a lease, but a flat out now-I-own-it-and-you-don't purchase.

They may own the copyright on it, but the software is as much mine as any book, CD, or newspaper I buy, and they have absolutely no standing to come into my home and start screwing around with it without my express permission.

As for EULAs, I'd like to see someone write an absolutely heinous one (like, "user agrees to give seller $1,000,000 on demand", or "user agrees to give up his/her firstborn child") and then sue a few high-profile customers with the intention of losing, just to establish some precedent that a contract you don't sign isn't worth the phosphors it's printed with.

Anyone recall the ABC exec who claimed that skipping commercials with a TiVo was breach of contract because you "implicitly agreed to watch them" when you put on the actual show? It's laughable, and the idea of implicit, post-purchase, click-through software licenses is no different.

Tom • September 17, 2007 12:48 PM

I agree that automatically installing updates without the user's permission or notification is going too far, but I don't think automatic software updates (which DO notify the user) are a bad thing. Surely the vast majority of computer users don't bother manually downloading and installing bug fixes, etc.

scosol • September 17, 2007 1:08 PM

Maybe I'm the only one who thinks this is a *good* idea, but if you look historically at the number of problems caused by unupdated systems, versus attacks on a cryptographically-signed update service, I think you'll see quite clearly which has been more harmful.

Todd Knarr • September 17, 2007 1:22 PM

To those saying digital signatures close the holes, let me remind you that a number of years back a group of crackers got code-signing keys issued to them in Microsoft's name. Not well-done forgeries, real keys issued by Verisign with all of Microsoft's correct corporate information in the certificate. Given such a certificate, it'd be easy to get it installed in the system and at that point the owner of the certificate could download any updates they wanted and they'd be accepted.

Double Double • September 17, 2007 1:23 PM

@scosol:

> Maybe I'm the only one who thinks
> this is a *good* idea

No, I'd say there are at least three of you...

derf • September 17, 2007 2:26 PM

What is the difference between malware that downloads/installs files without your knowledge or consent and Microsoft deliberately downloading/installing files without your knowledge and against your explicit consent denial (by turning off automatic updates)?

Ethically, the malware is actually a step up compared to Microsoft. The malware didn't ask for your consent, but Microsoft ignored your denial of consent and updated your software anyway. If Microsoft is left unchallenged in this situation, malware's methods will gain some legitimacy.

As for hacking this system, if you can change the URL that this backdoor automatic updates goes to, you can make it skip the signature check, too.

Eam • September 17, 2007 2:29 PM

So let me see if I understand this so far. This revelation shows that any Windows machine is potentially vulnerable to:

- Insider attacks at Microsoft (Durable Alloy)
- Retransmission of properly-signed, yet buggy updates (Sparky)
- Rootkits sent as patches after Microsoft's private keys are compromised (Kadin2048)
- Rootkits sent as patches after some dipshit at Verisign issues Microsoft keys to another hacker group (Todd)
- Surveillance software installed when the feds put some pressure on Microsoft (Roxanne)
- A patch that makes a computer personally identifiable to the Windows Update server (me)

...and yet this is still a good idea (scosol, Julian, Paeniteo, etc...)

X the Unknown • September 17, 2007 2:44 PM

UNITED STATES CODE ANNOTATED
TITLE 18. CRIMES AND CRIMINAL PROCEDURE
PART I--CRIMES
CHAPTER 47--FRAUD AND FALSE STATEMENTS

===============================================================================

§ 1029. Fraud and related activity in connection with access devices

(a) Whoever--

...

(9) knowingly uses, produces, traffics in, has control or custody of, or
possesses hardware or software, knowing it has been configured to insert
or modify telecommunication identifying information associated with or
contained in a telecommunications instrument so that such instrument may
be used to obtain telecommunications service without authorization; or

...

shall, if the offense affects interstate or foreign commerce, be punished as
provided in subsection (c) of this section.

(b)
(1) Whoever attempts to commit an offense under subsection (a) of this
section shall be subject to the same penalties as those prescribed for
the offense attempted.

(2) Whoever is a party to a conspiracy of two or more persons to commit an
offense under subsection (a) of this section, if any of the parties
engages in any conduct in furtherance of such offense, shall be fined an
amount not greater than the amount provided as the maximum fine for such
offense under subsection (c) of this section or imprisoned not longer
than one-half the period provided as the maximum imprisonment for such
offense under subsection (c) of this section, or both.

(c) Penalties.--

(1) Generally.--The punishment for an offense under subsection (a) of
this section is--

(A) in the case of an offense that does not occur after a conviction
for another offense under this section--

...

(ii) if the offense is under paragraph (4), (5), (8), or (9) of
subsection (a), a fine under this title or imprisonment for
not more than 15 years, or both;

(B) in the case of an offense that occurs after a conviction for
another offense under this section, a fine under this title or
imprisonment for not more than 20 years, or both; and

(C) in either case, forfeiture to the United States of any personal
property used or intended to be used to commit the offense.

(2) Forfeiture procedure.--The forfeiture of property under this
section, including any seizure and disposition of the property and
any related administrative and judicial proceeding, shall be
governed by section 413 of the Controlled Substances Act, except for
subsection (d) of that section.

...

(e) As used in this section--

...

(4) the term "produce" includes design, alter, authenticate, duplicate,
or assemble;

(5) the term "traffic" means transfer, or otherwise dispose of, to
another, or obtain control of with intent to transfer or dispose of;

...

(11) the term "telecommunication identifying information" means electronic
serial number or any other number or signal that identifies a specific
telecommunications instrument or account, or a specific communication
transmitted from a telecommunications instrument.

...

(h) Any person who, outside the jurisdiction of the United States, engages
in any act that, if committed within the jurisdiction of the United
States, would constitute an offense under subsection (a) or (b) of this
section, shall be subject to the fines, penalties, imprisonment, and
forfeiture provided in this title if--

(1) the offense involves an access device issued, owned, managed, or
controlled by a financial institution, account issuer, credit card
system member, or other entity within the jurisdiction of the United
States; and

(2) the person transports, delivers, conveys, transfers to or through,
or otherwise stores, secrets, or holds within the jurisdiction of
the United States, any article used to assist in the commission of
the offense or the proceeds of such offense or property derived
therefrom.

X the Unknown • September 17, 2007 2:45 PM

UNITED STATES CODE ANNOTATED
TITLE 18. CRIMES AND CRIMINAL PROCEDURE
PART I--CRIMES
CHAPTER 47--FRAUD AND FALSE STATEMENTS

===============================================================================

§ 1030. Fraud and Related Activity in Connection with Computers

(a) Whoever

...

(2) intentionally accesses a computer without authorization or exceeds
authorized access, and thereby obtains--

..

(C) information from any protected computer if the conduct involved an
interstate or foreign communication;

...

shall be punished as provided in subsection (c) of this section

(b) Whoever attempts to commit an offense under subsection (a) of this section
shall be punished as provided in subsection (c) of this section.

(c) The punishment for an offense under subsection (a) or (b) of this section is --

...

(2)
(A) except as provided in subparagraph (B), a fine under this title or
imprisonment for not more than one year, or both, in the case of an
offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6)
of this section which does not occur after a conviction for another
offense under this section, or an attempt to commit an offense
punishable under this subparagraph;

(B) a fine under this title or imprisonment for not more than 5 years,
or both, in the case of an offense under subsection (a)(2) or an
attempt to commit an offense punishable under this subparagraph, if--

(i) the offense was committed for purposes of commercial advantage
or private financial gain;

(ii) the offense was committed in furtherance of any criminal or
tortious act in violation of the Constitution or laws of the
United States or of any State; or

(iii) the value of the information obtained exceeds $5,000;

(C) a fine under this title or imprisonment for not more than ten years,
or both, in the case of an offense under subsection (a)(2), (a)(3)
or (a)(6) of this section which occurs after a conviction for
another offense under this section, or an attempt to commit an
offense punishable under this subparagraph; and

...

(e) As used in this section

(1) the term "computer" means an electronic, magnetic, optical,
electrochemical, or other high speed data processing device performing
logical, arithmetic, or storage functions, and includes any data storage
facility or communications facility directly related to or operating in
conjunction with such device, but such term does not include an
automated typewriter or typesetter, a portable hand held calculator, or
other similar device;

(2) the term "protected computer" means a computer

...

(B) which is used in interstate or foreign commerce or communications,
including a computer located outside the United States that is used
in a manner that affects interstate or foreign commerce or
communication of the United States;

(3) the term "State" includes the District of Columbia, the Commonwealth of
Puerto Rico, and any other commonwealth, possession or territory of the
United States;

...

(6) the term "exceeds authorized access" means to access a computer with
authorization and to use such access to obtain or alter information in
the computer that the accesser is not entitled so to obtain or alter;

...

(10) the term 'conviction' shall include a conviction under the law of any
State for a crime punishable by imprisonment for more than 1 year, an
element of which is unauthorized access, or exceeding authorized access,
to a computer;

...

(12) the term 'person' means any individual, firm, corporation, educational
institution, financial institution, governmental entity, or legal or
other entity.


===============================================================================
Section 814(e) Amendment of sentencing guidelines relating to certain computer
fraud and abuse.--

Pursuant to its authority under section 994(p) of title 28, United States Code,
the United States Sentencing Commission shall amend the Federal sentencing
guidelines to ensure that any individual convicted of a violation of section
1030 of title 18, United States Code, can be subjected to appropriate penalties,
without regard to any mandatory minimum term of imprisonment.

X the Unknown • September 17, 2007 2:49 PM

Thus, it would appear that Microsoft has violated at least two laws:

Title 18 Chapter 47 Section 1029 (a) (9)

and

Title 18 Chapter 47 Section 1030 (a) (2) (C)

There is already existing case-law that holds that *any* Internet-Connected computer used (even occasionally) for interstate commerce (e.g. buying a book from Amazon.com) qualifies as a "Protected Computer" under this law.

jmatt • September 17, 2007 2:55 PM

The details are NOT still fuzzy. Microsoft clarified secret or stealth or tin-foil hat updates do not occur when automatic Windows updates are explicitly turned off by choosing the radio button "Turn off Automatic Updates." The blogs.technet.com and blogs.zdnet.com URL's posted earlier in this thread contained that correct, non-fuzzy information on Sept 13 and 15, respectively.

Stating on Sept. 17, as Bruce did in his blog, that the details are still fuzzy is incorrect and irresponsible. In addition, the same type of update to the Windows Update Agent has been "pushed" (if Automatic Updates were turned on) to Windows 2000 and XP twice over the past four years. There is nothing new here. There is nothing huge here.

End users should not be discouraged from updating Windows nor encouraged to turn off Automatic Updates by the trifling hyperbole exhibited here.

Timbojones • September 17, 2007 8:03 PM

@jmatt:

This may not be new, but it's at least a little huge. I configured Windows to "Inform me of updates before installing them" and it installed updates without informing me. This is broken and bad practice.

Many times when I have visited the Windows Update site or received a notice from the Automatic Updates tray notifier, there has been a single update waiting. "Some Windows Update components must be updated." I fail to see why this update did not follow the same procedure. I fail to see why it was even possible for it not to follow the same procedure.

Albert Sweigart • September 17, 2007 8:07 PM

After a careful reading of Adrian Kingsley-Hughes's ZDnet article and Nate Clinton's (PM for Windows Update) blog response on this, I'd have to say that MS is in the wrong, for this point:

The silent update was (I assume from Clinton's blog) so that WU itself can continue to function and notify the user of future updates. They seem to have made the assumption that the user wants WU updated so they can continue to receive update notifications. The problem is that users who select "2) Download updates but let me choose whether to install them" or "3) Check for updates but let me choose whether to download and install them" are EXPLICITLY saying that every update, no matter how crucial, should be subject to their discretion, not Microsoft's.

Think about it: I assume most Grandpa J. NewUsers have "1) Install updates automatically" set because they don't understand the technology or have an implicit trust in MS. The people who set to have WU notify them before downloading/installing have that set for a reason, be it for controlled testing environments or system stability or whatever. Selecting the notify-first option is not the choice the "just make the computer work"-user makes. They want to be notified before ANY changes, and understand the risks of not immediately updating.

The fact that Clinton himself states that ("of course") the WU client is not silently updated for WSUS or SMS enterprise customers shows that they realize the merit of my above point.

So unless my premises are flawed, the WU team's decision was perhaps expedient but dead wrong. It is very troubling that their software does the exact opposite of the user intention, especially during a time when DRM and so-called anti-piracy systems are increasingly pushed as "necessary security features".

TheDoctor • September 18, 2007 2:16 AM

@ Jared:
Welcome to the German law :-)

That's exactly how things go in Germany: You buy WinXP, you own it. You can sell the CDs as you want, you can separate the operating system from the computer it was bundled with (you must not copy it, you own only one copy).
And the EULA? In Germany plain useless for MS. If you can't read it on the package BEFORE purchase, it's not counting :-)

Guru • September 18, 2007 3:45 AM

This automatic hidden update process may have been put into Windows so that the NSA and such can send their surveillance programs on anyone's computer to spy on them.

Andy Wong • September 18, 2007 5:16 PM

To those who were angry against this article and the author, I would say, take it easy. The title of the article and some content are just for catching your eyeballs, not necessarily with full political correctness.

Peter E Retep • September 18, 2007 11:08 PM

It may be that MicroSoft has, in this instance, caused the wholesale violation of other laws as well, in literally innumerable counts. By which I mean Sarbanes-Oxley controlled retention and security of privileged information security and audit provisions, which deception by MicroSoft (in preserving and maintaining this exploit) have caused to be fraudulently misrepresentative literally tens of thousands of Sarbanes-Oxley filings, for which the filers (M/S users) are themselves consequently liable, and therefore M/S is a causative Accessory Before the Fact - and, would we even be hearing of this IF it were not for Sarbanes-Oxley?

Nocturn • September 19, 2007 2:46 AM

I find this horrific behaviour for any company (and one of the reasons I wouldn't even touch Windows with a stick), but don't they claim the right to do this in their EULA?

I know, people do not read them, they may not be legally binding but the wording in the EULA alone would be enough to put me off using Windows at all.

George W. (Vancouver) • September 19, 2007 12:14 PM

jmatt wrote: "The details are NOT still fuzzy. Microsoft clarified secret or stealth or tin-foil hat updates do not occur when automatic Windows updates are explicitly turned off by choosing the radio button "Turn off Automatic Updates." "

Microsoft certainly claimed this. Believing that this claim "clarifies" the issue and resolves the "fuzzy" details is simply indicative of a predisposition to accept Microsoft's word (no pun intended) as being the ultimate arbiter in any dispute it is involved in.

I do not assert that Microsoft is deliberately misleading people but its claim is simply not true. For your information I attach a post I made elsewhere a couple of days ago, and which I stand behind:

---------------------------------------
From the official Microsoft statement:

"Before closing, I would like to address another misconception that I have seen publically reported. WU does not automatically update itself when Automatic Updates is turned off, this only happens when the customer is using WU to automatically install upgrades or to be notified of updates."

This statement is absolutely not true. I have automatic updates completely turned off since I prefer to maintain detailed control over updates. In saying that Automatic Update is completely turned off, I mean just that; NOT the "Automatically download recommended updates for my computer and install them" option; NOT the "Download updates for me, but let me choose when to install them" option; and NOT the "Notify me but don't automatically download or install them" option. The radio button I have selected is the one that reads "Turn Off Automatic updates".

I go generally once a month to the Microsoft Windows Update site to select manually the updates I want, using the custom installation option.

Despite this, at 7:40 this evening (September 17) while I was working on my computer the program files for Windows Update were themselves updated without any kind of notification or warning to me. I was aware something unusual was happening because of the sudden much-increased activity of the computer during the installation. After I rebooted, the "Tiny Watcher" utility alerted me to the changed files. As well, the Event Properties Viewer also shows the event: "The Automatic Updates service was successfully sent a start control." Of course, the installations are also recorded in the WindowsUpdate.log file.

To reiterate, automatic updates were totally off, I was not browsing the Windows Update site, or indeed any other part of Microsoft's site. And still these updates were downloaded and installed on my computer by Microsoft.

I object strongly to Microsoft's underhand behaviour in this case. The company could have downloaded and installed the necessary Windows Updates components during my next visit to the Windows Update site, after gaining my implied or express consent. Instead, they set a dangerous precedent by installing the components without notification and contrary to my clearly-expressed wishes, as indicated by my Automatic Updates settings.

George W (Vancouver)

PC-Plus • September 21, 2007 12:59 AM

It's only a matter of when not if this will be exploited. Then I think we have a clear Title 18 case and hopefully an arrest replete with the obligatory perp walk!

Peacemaker • September 24, 2007 4:39 AM

We cannot claim to understand a great deal of computer terminology but perhaps in this instance, MicroSoft should be renamed MicroHard?

But neither do we or members in our Family like feeling intimidated or bullied by corporate enterprise, as you can see at our Family Campaign website ;). It was created using Microsoft-Frontpage.

We also want the option and/or choice to be notified of updates etc. We also want the option and/or choice to decide whether to install them. Why? Because we feel like it! When we each of us say no, we mean NO!

Updates have updated automatically without our consent, against our consent on many occasions, and now - call us paranoid - we have regular visits to our website too....from Microsoft.

Perhaps our understanding of security issues and 'spying' IS wrong but our perception about Microsoft's heavy-handedness in this matter is bang on. But who is at fault in that?

Oooooo Scary Stuff maybe, but none of us can reinvent the wheel, but our adopted morality is always changeable.

anonamise • October 12, 2007 11:28 PM

I got a keylogger and he can delete and get anything on my computer. He says he can uncontrol my keyboard or mouse at any time. He knows my password and all my things and keeps sending me gay pics

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.