Windows

Microsoft admits to stealth updates


Over the last few weeks, and without user approval of any kind, Windows Update has updated nine executable files on both Windows XP and Windows Vista.

We first reported about this last week in Microsoft caught doing stealth updates, in which a user noticed files being modified by Windows Update despite the fact that automatic update was disabled. This has since been echoed by various users and reports around the Web.

Well, it's now official. Microsoft has come clean and admits to the 'stealth' updates.

To Microsoft's credit, the updates in question were actually limited to updating Windows Update's own files. Also, the only reason this update occurred is because the alternative would mean that Windows Update itself would stop functioning properly, according to Microsoft.

Wrote Nate Clinton, Windows Update program manager on the Windows Update team blog:

"That result would not only fail to meet customer expectations but even worse, would lead users to believe that they were secure even though there was no installation and/or notification of upgrades."

However, Microsoft is adamant that there is no wrong here, and that the entire issue is more a matter of Microsoft not being clearer. Microsoft Windows programmer Nick White wrote:

We do recognize that we should have been clearer in our explanation of this process earlier in the game...

Note that this issue only affects computers that use Windows Update. Most large businesses probably use Windows Server Update Services or a feature in Systems Management Server to perform their updates. They are not affected by this snafu.

Still, Microsoft seems to be missing the bigger picture here. As mentioned in my earlier post, if Microsoft is able to 'push' updates to a computer with automatic update disabled, what is there to stop a hacker from figuring out how to do the same?

Is this silent update 'ability' a major security vulnerability waiting to explode in our faces?

--------------------------------------------------------------------------------

Stay on top of the latest tech news

Get this news story and many more by subscribing to our free IT News Digest newsletter, delivered each weekday. Automatically sign up today!

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

103 comments
compuwysepc
compuwysepc

What else aren't they telling us? If Microsoft can force updates to executable files within Windows and Microft Update software, what other executable files are they slipping in unknown to the user? Does everybody remember HAL the super-computer from the movies?

technimac
technimac

Installed Vista about a month ago to give it a try. Didn't take me long to want XP Pro back, so I DBAN'd the HD and attempted to load XP. No can do. Seems there's still some Vista residue residing in the HPA, preventing XP from installing properly. Now, that's M$ stealth for ya. Or is it M$ pirating my HD?

PeterPac
PeterPac

Another words you installed Vista without making a separate partition for Vista and XP Pro. Now you will have to format and intall XP Pro back. Hope you not losing any valuable data or info.

jackie40d
jackie40d

go get Puppy and burn to a CD then fire it up and SAVE the files you want ( Puppy will let you burn them to a CD or DVD ) and see the junk on the HD !

jackie40d
jackie40d

Well I hope you did not have a lot of files you wanted to keep ! . . . As you get to FORMAT the HD again to go back to XP PRO . . So go download Puppy Linux and burn to CD then load it into memory and save the files . . Or add another drive over that one and copy files from the drive you have them on to the new drive in a directory named technimac

jackie40d
jackie40d

I use them for backing up the other files also incase of MAJOR crash and now I have a 160 GIG D-Link Drive for copying odds and ends files to so they do not go bye bye . . got to get to the D-Link drive in a round about way so its safe from most things . . I put 5 web sites out there ( or the files for them ) plus my Quicken files and the Web Graphic's directory and still got tons of room left on it !

normhaga
normhaga

of a second hard drive, if it is a SCSI or SATA, is that you can move the page file off the primary drive and increase performance. Only with SATA and SCSI is Windows capable of writing to two or more drives simultaneously.

Neon Samurai
Neon Samurai

I can't remember the last time I put together a Windows machine that didn't have a second partition or drive. Windows and your programs get installed on the first drive/partition while save files and storage archives get saved to the second drive/partition. This setup has saved me a number of times where Windows has to be blown away and reinstalled from scratch; all my user stuff lives on happily in it's own seporate drive space.

igtddave
igtddave

If we had HAL 9000, from 2001: A Space Odyssey, he would have asked MS when they tried to update our systems, "What are you doing, Dave?"

jackie40d
jackie40d

I have EVERY little ICON in the fire wall which is winblows stuff blocked . . And slowly moving to ALL LINUX and leaving Windblows behind me . . ( I like that Windows to Windblows ) :-)

elandwehr
elandwehr

Between the cost of REPLACING all of our desktops and all the bad press we seen. We have to stay with XP and UNIX. Is going to save $$$$$$. Why upgrade, just for eye candy?

jackie40d
jackie40d

You do know that you can move it to Linux completely . Add Code Weavers Pro to your Linux and then you can run about 90 percent of the WindBlows stuff any way . . And to get all of it load VMware-server and then load the XP Pro and run the rest . . I use Linux Mandriva 2008 i586 DVD version and added the rest to it lots easier to do . .

jackie40d
jackie40d

I wish My Acer ( NEW LAPTOP ) would take the NEW LINUX MANDRIVA 2008 i586 DVD version ! Its the full 64 bit O/S and would run circles around the "VISTA" . . It came with the HOME version on it So I dumped it and put Linux on it had to use the older 2007 Version of Linux Mandriva . . Even with the extra 512 megs of ram I added gave it a full 1 gig of ram to play in . . Oh well what did I expect for a $399.00 Laptop any way ( got it on sale at Computer Geeks . Com ) Linux Found all the drivers and even had the driver for the USB WiFi adapter for places like Coffee shops . . You know the Fancy Places with FREE INTERNET or so they say got to buy a cup of coffee at some wild prices . . !

elandwehr
elandwehr

We started to look at VMware. Upper management wants to get rid of Vista all together. It would cost us almost 2 mill just to change out the desktops. Going with an alternative would save a lot of raises and bonuses with the IT group. I love this because it gives unix new life!!

webgruntaux
webgruntaux

From the article: "[i]...the only reason this update occurred is because the alternative would mean that Windows Update itself would stop functioning properly, according to Microsoft[/i]." Nonsense. Let's say you have a copy of XP or Vista that was released before these updates to Microsoft update came out. If you install your copy on a blank drive, will your Microsoft Update component on that newly-installed Windows not function properly because it doesn't have the updates to Microsoft Update that are necessary to keep it functioning properly? That makes no sense.

richard.wilson
richard.wilson

If you do not realize, Microsoft has been updating the Windows update service engine since XP's RTM, (MS's technical papers claim since SP1) and there hasn't been any problems. The problem is the lack of understanding on people's part and the lack of communication on MS's part. And is it an "exploitable hole" as so many are suggesting? Well, as previously stated, the "exploit" has been there since 2002. Don't you think someone would have exploited it by now, 5 years later? I think so... Leave the paranoia and ignorance behind and do some good, quality research and you will find that not all "exploits" and "holes" and "sneaky schemes" and "evil plots" are real. Is Microsoft perfect? Hell no! Is anyone else? Nope.

gregzdnet
gregzdnet

No offense Richard but that's not very reasuring. I do fraud research myself and others who do the same reasearch get attacked up to 1400 times per day and guess what under the Patriot act and Federal wiretapping the suspects are not always the bad guys. Companies also need to worry about corporate espionage. Believe it or not there are shady people in this country who hack computers when billions and/or prison sentences are at stake. On the issue of the stealth updates I do believe you are correct if any thing it made the computers safer by ensuring that auto updates was functioning so I half agree with you overall and almost fully agree with you on this point. Security conscience will disable as many ports and services as possible and corporate environments will use wsus and manual updating and other methods anyways but better safe than sorry. The majority of home and small business owners are probably better off leaving auto updates enabled though. I'm a small town country boy but learned the hard way this is not our grandparents America anymore. Computer crimes are all to real and all to dangerous to take lightly.

The Scummy One
The Scummy One

The main thing is that there was no warning. Like several people (including myself) have exclaimed they were working on something, and then suddenly the system shuts down without warning. Someone pointed out that it did give a warning, behind other open windows. How can we save our data and prepare for it? Many apps, if/when shutdown improperly may result in problems, corrupt data, possibly to the point of recovering from backup or losing it completely. Not only that, but if someone 'opts out' for auto updates, then why are they still being 'forced' on? I update, but I do not auto-update, as I am guessing that many others do this as well. Apparently the only solution(s) are to cut your Internet connection, disable services (most people will not know how), or put a patch server up and bypass MS auto-update completely. Whether or not this has been exploited yet, it is a serious vulnerability, to be able to bypass security to remotely install an application. Just because nobody (that we know of) has exploited it previously, does not mean that it cannot be exploited, nor does it mean that it never will, regardless of how old it is.

PeterPac
PeterPac

If you were to hack into one of Microsoft's servers and changed a dll because you knew it provided a big security problem you would be brought up on charges. Do not jump up and start yelling License and EULA because this still violates state and federal laws. Yes MS has the right to correct flwas and whatnot but the EULA does not state they can do it without you knowing it or just intrude on your computer when they feel like it. There are still some privacy laws left even though they have been mashed up in last few years. We just sit back and chat, post or whatever about this. How about taking some sort of action? I work in computer forensics and one would not believe the things I find on computers that the user had no idea how they got there, and yes, microsoft programs, dll's to just name some. My system maintains a log of everything incoming/outgoing and the action MS took was blocked as a illegal incoming transaction. They could not even connect or bypass my security mainly because I do not use security that has any connection to MS, such as any of their partner cronies. Plus if they did bypass my security than that would be considered a illegal intrusion and is a crime in my state. So get with it instead of moaning and crying or debating make your voice be heard and just maybe someone might just take up the cause. The EU slapped them down some so why cant our anti-trust people do the same???

Timbo Zimbabwe
Timbo Zimbabwe

"And is it an "exploitable hole" as so many are suggesting?" Duh. "Well, as previously stated, the "exploit" has been there since 2002. Don't you think someone would have exploited it by now, 5 years later? I think so" If it were a known "hole", yes, I think so too. Now it's known and you know that it will be looked at to be engineered into an expoit. No tin foil hats here, son. Just common sense.

Dumphrey
Dumphrey

at your suggestion (well, ok, not really)that people in tin foil hats can't have common sense....just because you ARE paranoid Does Not mean they Are Not out to get you. Rule 1. Being paranoid is the first rule of security; assume the worst. Rule 2. Plan for the worst. Once again, being paranoid and obsessive. I guarantee you that by most peoples standards, the NSA security team wears "tin foil hats".

richard.wilson
richard.wilson

Well "Pop", like I said before, it was stated so in MS's tech sheets with the release of XP RTM so it was a "know hole" That kind-of shoots holes in your "no one knows" about it theory. I have known the updater service gets its own update since early 2003. Why? Because I do my homework! I do my research! Try that once in a while before you "common sense" me to death.... "If ignorance is bliss, you should probably ask yourself, how happy are you?"

jackie40d
jackie40d

Its a way to jack up a computer and kill it if they want to I seen a WGA tray Icon in Steph's computer last time I was there 3 days ago . . and she did not know what it was . . I made the fire wall block it hahaha its a third party fire wall and it works very well plus I blocked the rest of MS Icons from calling home . . so now she has to do a manual update . . . Just need to know how to remove the WGA in the tray stuff now

j2ten
j2ten

What a thought. Now we not only have to wonder about the fact that Microsoft can Update our systems without our knowledge, but this implies that they (and who all are they?) have access to our systems. What operating system does your State and Country use? If they have Any Microsoft Products can we be sure that they or not also compromised?

tiapetra99
tiapetra99

don't be worried about them BEING comprimized, it's about who they are compromizing.

jackie40d
jackie40d

And then they wonder about ID theft ! I know Arizona is using MS in their Servers . . But its not "Vista" at least . .Thank God ! ! But I do wonder about the Ships on the Oceans they have MS and not Linux and subject to a WGA problem . . Maybe its why they had a shut down on Sept 14th to get the patches up dated . . God I hope not . .

Genera-nation
Genera-nation

I was surfing the 'web' and the 'web' put files on my PC. I did not know 'the web' was putting files on my PC!!!!!!. So what is the difference here really.....

lbogiani
lbogiani

For me the difference is that when you're surfing the web you knowingly take the risk that a website might try to install software on your PC..but that's the nature of the web and you take measures against it. If I buy a program from a reputable and supposedly trustworthy company and pick an option to disable updates and it still does it secretly then what's the point of giving me the option of doing so? That's like me selling alarm systems, allowing you to pick your own code but keeping a master code that i can use go into your house at any time. It's the false sense of security that is given to you by being able to "disable" updates and the implications this brings.

Cybrduck
Cybrduck

You would be correct with your analogy of alarm systems. All programs created have more than one way into them. That isn't debatable. I believe your point on "the option" is what is important. Microsoft has played a dangerous game with it's customers trust. Someone made an error in judgement by neglecting to inform the masses that keep them in business. I'm not saying the customer is always right, but I believe that the relationship is a two-way street. They need us to purchase, and we want the services they provide. This could jeopardize who the service comes from. Linux providers are you paying attention?

Genera-nation
Genera-nation

There is a master code on these alarm systems - FACT!!!!

That one guy...
That one guy...

If reference to your alarm system example MS took it one step further... You got the alarm system with your own code, they have some master code, and then you come home one day to find the installer in your house with the alarm box off the wall "installing updates". Not pretty.

RedRyan
RedRyan

Sure, you could block all traffic to your computer. It might be easier to cut the cable. I think you'd find this happened over RPC, or more likely these days RPC tunneled over HTTP/S. Point is, blocking this traffic from anywhere would disable a lot of the stuff you probably like to do. This still gets back to the difference between opting in knowingly to receive updates and having your desktop or server environment - and by extension your data - owned by Microsoft. A free man or woman has choice. If Microsoft does this TO YOU without your CHOICE, then you are essentially not free.

Genera-nation
Genera-nation

you would have your firewall / AV setup so this could not happen in the first place. Just ticking a box on Windows (or any other program or OS) is not really enough is it?

Smart_Neuron
Smart_Neuron

Wait a second. I did not see an answer to the most obvious point - if Automatic Updates are disabled, how could anyone, including Microsoft, push them to another system? I'll bet my entire yearly pay that there are many known points to enter your system, no matter how locked down it is - desgined by Microsoft itself into the O/S. This time they just got caught. So, what's the answer to the above question? :0(

normhaga
normhaga

Perhaps the file or dll responsible for the update should be renamed to remove this process. This is what I do with annoying programs like Adobe reader that always want to update. Does anyone know the name of the file responsible for the updates?

kmdennis
kmdennis

I have been using Longhorn for several months now and this just confirms one of my worst fears. More than once, the systems just shuts down and reboots while I am in the middle of something important. I get mad and blame my hardware,when in truth and fact Microsoft is actually causing such changes. That is one of the reasons I start to either power down my systems or power off my switch when I am not on the system. If I were the IT Admin in a company, I would suggest Deep Freeze!! That should fix all those virus issues and similar things like these. But what if users had Deepfreeze installed?? It is this kind of $#!+ that DeepFreeze is supposed to protect against...unauthorized changes to systems. Can you see the reboot loop when windows comes up and the files are reverted back to there original state. This is so evil, MS should be brought before the Justice system again for this security breach! And they have the gall to tell you, "we do not collect any of your personal information" when the errors are reported. I agree with the others, this is a serious security breach which sooner or later will be exploited by some with a lot of time on their hands. I don't believe that the Update would stop working. What about those companies that use WSUS and actually test the updates before applying them? How long would it be before the autoupdate stops working? And who cares if it does not work if I have it turned off? We turn it off for this very reason!!!! Because we do not want Microsoft to automatically update any files on our systems!! It usually breaks the already half-broken system. I will be looking to purchase Deepfreeze soon.

richard.wilson
richard.wilson

You will be the first one to start crying when an exploit takes out your system in full. "Microsoft stinks! Where's MS to patch these holes when I need them? What am i supposed to do now..what's that? You say they patched this exploit a while ago but I didn't update? Why the hell didn't MS tell me!" (and gee...I hope you're getting paid well from Faronics for all this product placement you're doing. LOL)

royhayward
royhayward

I would like to think that most on TR are sophisticated enough to realize that they don't get updates when they turn updates off. It seems a bit self explanatory. BTW, I do think that, and have advised home users to leave auto updates on and get updates frequently. But if I opt out, I really want to be out. What is to prevent someone from using this maliciously to have windows update point to their DOS service update,or BOT network service update server.

qhartman
qhartman

I posted this in a similar conversation elsewhere, and my opinion remains the same: "I call BS. If they need to update the updating system, it should _still_ ask to install. Furthermore, it should do _nothing_ if you have automatic updates turned off. That's what "off" means. If I need to update the update system, it should check the necessity of that when I initiate an update or turn automatic updates back on. Period. End of story." The excuse that Nate Clinton gives is just unacceptable. If the update system needs to be updated, an appropriate warning along the lines of, "Windows update needs to be updated to continue functioning properly. Please install this update..." should be displayed. This idea that they can do what they like with their customers' computers, regardless of their intent, is the pinnacle of arrogance. I gleefully await the day it finally bites them in a high-profile and meaningful way.

nachral
nachral

They're probably listening!!!

The Scummy One
The Scummy One

It is unacceptable. Recently, I had been forced to reboot due to an update on my system. Automatic updates was disabled. I was in the middle of something and then all of a sudden it closed out and rebooted on me. When it came back up it told me that updates had been installed. This pissed me off, but I had not heard about it happening to others, so I thought it was just me. I have mentioned this elsewhere on TR as well.

harryxebec
harryxebec

Has anyone tried this one yet? A Recently completed Windows clone. http://www.reactos.org/en/index.html MS is dead. Long live Open Souce.

jackie40d
jackie40d

Where did you find this at ? I got e-mail coming in from tons of places and missed this ! Going to try it out just on my laptop ( has the newer version of Linux Mandriva DVD 2007 i586 on it now and it found all the would be "Vista" hard ware only items even sound . . and the card slot for SD cards even found the USB item I plugged in for internet . .

w2ktechman
w2ktechman

Now I guess I gotta download it and try it. Unfortunately, probably not till I get out of school, and get a few other things together. I have bookmarked this site to come back to it later. Hmmm, I almost cant wait for the stable version to come out...

normhaga
normhaga

I just might want to become involved.

julian2971
julian2971

I run a network in a school and have had this problem recently, we are Novell on XP and found the popup that says "Your computer will reboot in 4 Minutes" has been popping up behind student work, then it just shuts down and restarts losing all the kids work.

The Scummy One
The Scummy One

makes me wonder why I was using XP at all at home.

paulmah
paulmah

Is this silent update 'ability' a major security vulnerability waiting to explode in our faces?

siddells
siddells

Big brother is more of concern than hacking for some people - & nobody knows what arrangements of "authorised intrusion" in the name of ?nation security? have been struck. Anybody with any power & influence can exploit technology to leverage the global connective to "spy" on traffic or interrogate personal nodes & networks & call the act ?Anti-terrorism tactics?. We need more count tactics to ?pipe-spy? our traffic, be it network PC or Mobile/Cellular. Does anyone know of any sentinel software that is standalone to watch & report all network communication ? I?d rather not have to unplug my network cable to protect my privacy.

sandeep_13482
sandeep_13482

This is really a big theft. If Microsoft can do this then why any hacker cant do it. Needs to be taken care of once this is known by any of the hackers can create big problems.

elandwehr
elandwehr

This is the nail that we needed to convince management that we should stay with XP and UNIX for a while. If we stay we will save big bucks due to we would have to upgrade over 85 pc?s to make them Vista compatible. It scares management that we will have no control over the updates or what else is open in that OS. Thanks

jackie40d
jackie40d

It means another company which will not be SUPPORTING M$ and their ahummm OS . . Plus another company which will go to Linux as their main OS and drop windows ( by the way you CAN open the M$ files in Open Source programs in Linux ) You could add Code Weavers Pro to the ones you move from XP to Linux and be able to open ALL the MS stuff I added MS XP Pro office to a Linux computer so they could run ALL of their MS files . . As they were worried about opening that stuff up I showed them they could do it in Open Source but they wanted the MS XP Pro Office add . .

ramonsao
ramonsao

so, how "trustworthy" are these practices? how sure are those who use WSUS that there are silent updates as well? I hope this incident had a bigger coverage...

peter.schultz
peter.schultz

I'm not chicken little an the sky isn't falling, but I am researching an issue at work with profile corruption and the only catalyst I've been able to identify is the at the NTUSER.DAT file got corrupted with 2 minutes of and automatic MS Upgrade initiating. I've got a dozen or so systems that all have shown the same pattern, but I haven't been able to determine what was included in the update packet that precipitated the NTUSER.DAT file corruption. I've gotten fairly adept at recovering the original profile, but I need to isolate the cause.

jackie40d
jackie40d

I blocked ALL ports of the call home stuff Windows uses every now and then I get a pop up saying this was blocked from calling home . . Actually its just the windows services which are blocked from accessing the net . . So nothing gets changed in my computer and soon I will make the COMPLETE change over to Linux and for ever leave windows behind . . Except under VM-Server as some stuff does not yet run under Linux . .

nader058
nader058

I would not be so amazed if one day soon with this weird frenzy that is going about in the US administration regarding security, the government makes MS to inject all kinds of spying software into their OS to monitor all the 95% of the world's PC's without any users' consent, the same way that they are doing it with email and phone eavesdropping. So much of a more reason for open source adoption.

jerry
jerry

If MS can install updates without telling you what it is then surely they can search your computer for the Dept. of Homeland Security (with a legal warrant from the secret cabal of judges). If the terrorist have any sense they would be using Linux anyway. Actully the law allows them to do just that for computers not located in the US without a warrant.

The Scummy One
The Scummy One

The DHS may mark anyone as a terrorist who speaks out against a government action in any public manner. So if you post on a message board that you are against IRAQ, or any policy being implemented, you may be on their list as a terrorist. yes it does follow that if MS can install SW at will, without consent or even knowledge, that they can install SW to search your computer and report back. Although, this may be unlikely, it may also be likely that someone uses this to install rootkits, or other malicious code onto your system. "why would they want to" -- power. looking for illegal SW. or maybe even amusement. I agree with the rest

webgruntaux
webgruntaux

It doesn't naturally follow that because MS can install updates covertly, they can search your PC. It might be possible for MS to search a Windows computer but I strongly doubt they would do it unless it was a special case (like, the DHS had pretty good evidence that someone was an actual terrorist or serial killer.) It's highly unlikely the DHS would bother looking into someone's PC for anything less serious than that. Why would they want to? However, that's not to say it's OK. If the US continues to edge closer to authoritarianism, the day may come when certain groups of people are used as scapegoats like the Nazis did with the Jewish people. All it takes for that to happen is getting enough people to think that it can't. That's why privacy is so important: to protect the innocent!

addicted2speed
addicted2speed

This stupid upgrade actually had me wasting a lot of time trying to figure out what it-was. I thought my computers had somehow contracted a rootkit virus or some other nefarious software was downloading to my computers. My network logs would show data coming through the network, and it looked like it was coming from Microsoft - but you can never take that at face value. If I was notified or consulted through the normal "Windows Update" applications, I would have absolutely clicked "Yes", but I would have been able to schedule it around other events if necessary. I think this shows some poor judgement on MSFT's part.

jackie40d
jackie40d

All of the talk back ports or things that want to talk to MS is blocked on my computer so I do not get these "STRANGE" occurances !. . . I do get a little window saying this or that was blocked from talking to MS . . Which I do not mind . . like NT kernel, Services and controler , LSA Execut., Task Scheduler, Generic Host, keeps MS out of my computer !

LYosko1903
LYosko1903

Yes. It is.

stewartav
stewartav

Stupid like a fox!!! If and when things begin to go South on a major scale, think of all that information they have access to. What dollar amount would you place on all that information? Wouldn't it be fun to sit down at a MS terminal and peek at all the info already DL'd to their D/B's. Paranoid? I don't think so.

TJC-online.net
TJC-online.net

In XP at least (I haven't migrated to Vista yet) you can select options in MS Update to download and install what Microsoft calls 'Critical Updates' without any user confirmation or knowledge. Surely you can turn the update facility off completely if you want to, thus preventing any updating going on without your express requests?

jbowlin6
jbowlin6

CAN YOU TELL ME HOW TO TURN OFF AUTO UPDATES? MICROSOFT COULD NOT OR WOULD HELP ME THANKS JOHN

Neon Samurai
Neon Samurai

Start -> Control Panel -> Automatic Updates Select applicable radio button (the dot instead of a checkmark). It sounds like you want "Turn off Automatic Updates" selected. Be sure you manually check Windows Update once a month (perferably the second Tuesday of each month). I do this as a "custom update" so I can see exactly what updates are being sudjested. I've rarely declined a "critical" updated but I've also been burned by a "updated driver" (thank goodness they're not autoselected).

mbrello
mbrello

that this stealth update took place even if the user had turned off the Automatic Updates function. Short of disconnecting the PC from the Internet, the end user had no choice in whether the stealth updates were installed or not.

Free-BooteR
Free-BooteR

MS can do whatever they want. They own the software not you. You agree to the EULA so your stuck. MS has a monopoly and you better get used to them doing whatever they want with your system. Don't like it? Use another OS. (don't mean to sound harsh but those are your options)

nachral
nachral

-->Control Panel --> Security Center --> "Change The Way Security Center Notifies Me" (Left hand column under "Resources") :-0

wendygoerl
wendygoerl

Who controls the OS environment? MicroSoft will tell you that THEY own the SOFTWARE and YOU own a LISCENSE to USE said software. And somewhere in the fine print of that liscense agreement that you ''signed on the dotted line'' by installing on your computer/using the software YOU AGREED TO ALLOW THESE UPDATES! Bacause it's MICRSOFT'S OS, NOT YOURS! This is a trend that, as far as I can tell, started with the Copyright Act of 1978. With the extension of copyright to the later of 100 yrs. from date of publication or death of author +75 years for a known author (50 yrs. from publication for psudonym/non-individual authorship). Many hardcopy publishers responded to this by buying ALL RIGHTS from the author rather than deal with the ''inconvenience'' of remembering to pay royalties if they felt like using it again. Hollywood and the recording industry took it a step further with the advent of digital media...Do you know what the difference between a ''private viewing only'' copy and a ''rental/public viewing'' copy is? $11-$80 or more (for VHS, anyway)! Every digital publisher--be it music, video, or software-- wants to have or has some scheme to make a file ''expire'' after N copies or some arbitrary date...We are rapidly moving to a state where PUBLISHERS=OWNERS and EVERYONE ELSE=RENTERS!!!!!

gregzdnet
gregzdnet

control panel/security center/change the way security center notifies me/ configure it the way you wish. You can also diable security center as a service

Jzoltowsky
Jzoltowsky

I'm with you Ryan...I'm going to have to install my Linux desktop...LOL

RedRyan
RedRyan

So, from what I gather, Windows computers in the default configuration (i.e. using Microsoft's Update Servers) are getting silent updates whether or not they want Automatic Updates. I can't tell if this is due to not disabling the Service itself. Is this a backdoor into every Windows system? What is the actual technique used to do the silent installs? Who controls the operating system environment? The purchaser of the license or the owner of the OS (Microsoft)?

slony
slony

Are you guys saying that although we may have had the option to update and install and the service turned off, MS still made changes to my OS? Forgive my untrained ignorance but isn't that hacking and how do I find the little worm that hacked my computer?

TJC-online.net
TJC-online.net

I misunderstood the implication then. In which case, I would have to suggest running services.msc from the start menu Run command, and disabling the service.

TG2
TG2

At first I was with you.. ready to jump on the funny little man from across the ocean.. but I rethought what he was saying.. when we turn off automatic updates ... that only turns off the scheduled check (and update if selected) for windows updates. It doesn't disable the SERVICE.. So then, turn off auto updates, and then disable the service. For which I suspect you would have to live with that GD little error marker down there by the clock ..

mdelp
mdelp

Nobody raises a stink when Apple updates the iPhone and says "It's just bug fixes, you don't need to know the details." So, we're to just blindly trust Steve Jobs?

Free-BooteR
Free-BooteR

There have been huge complaints about this. It has been all over the news. Just ask all those who now own bricks because they hacked their phones to be able to use a carrier of their choice.

xmlmagician
xmlmagician

Who said that we trust him? Can you remind me how fast they hacked into iPhone :-)?. Imagine if they could do that to your XP or Vista

Pringles86
Pringles86

I think there are a couple more Windows computers out there than there are iPhones... Maybe? Also, those Windows computers are more business critical than those iPhones, they are also more powerful and could cause more damage if there was a hacker that could take advantage of these stealth updates.

dlmeyer
dlmeyer

People are not complaining about iPhone updates because a) there are fewer of them to NOTICE them and b) people do tend to trust Apple more. Still, if Apple is doing stealth updates, that "b)" will erode significantly. To the best of my knowledge, Apple always asks permission to do an update. But, I don't own an iPhone. The mere ABILITY to do an un-approved system update is a Security Breach waiting to happen. I've heard enough about hijacked (not stolen) cell phones to consider this a problem. Still, there are more cell phones out there than there are Windows computers and there are fewer security problems with them than with Windows computers, so ... Security is security ... Microsoft, Apple or Nokia. DLMeyer - the Voice of [url=http://tinyurl.com/y4amro] [b]G.L.Horton's Stage Page[/b][/url] Pod Cast

mdelp
mdelp

I agree with the outrage over MS not announcing and explaining the details of their updates. I was chiding Apple users (of which I am one), for their lack of outrage. It is a small consolation that there are only a million iPhone users. It is just good business practice to be open about bug fixes and security updates.

stewartav
stewartav

At this point, hackers are probably less dangerous than MS. Does anyone really think this is the only back door MS has in Windows OS? Think of all the inside trading and business decisions they likely have access to. And please don't tell us that MS wouldn't do that... they did this! Our data, corp and personal, is only as save as their least honest employee.

Pringles86
Pringles86

That was the entire point of the article. The user I was responding to was asking why people aren't complaining about Apple doing it with the iPhone. As I stated in my post, the iPhone isn't as important and is not as widely used as Windows. That is why people are not complaining about it.

Brian Hynes
Brian Hynes

I do not believe it has anything to do with numbers. The concern is that Microsoft did not follow proper security protocols and performed updates without consent.

jontout
jontout

it's also part of the license agreement. I'm over the idea that I'm paying for something that's incomplete and needs constant attention with service releases and updates, to the point where my main pc doesn't sit on the net.

stewartav
stewartav

I'm just a nobody... I'm not a big IT guy but I had MS's number a long time ago. Absolute power corrupts absolutely and there's never been a better poster-child for this kind of issue than MS. I started going open-source a long time ago and with slide-in HD drawers and off-line computers, raspberries to MS.

seanferd
seanferd

I agree that it is in the EULA, however, it's a crappy EULA. I quit running XP on the net- once broken, it's hard to fix. Win98se I almost never have a problem with, even though it's totally non-secure. If compromised, it is usually very easy to fix, even manually. I like to critcize MS because the software can be pretty bad, the corporate direction even worse. But MS has the potential to produce some ass-kicking software. People tend to expect that what they buy, license, or lease will work as advertised, and that service will be above board. Not that MS will listen to me , but maybe they may sometimes listen to the aggregate. This discussion is for people who are into the discussion, but, as I said, your point is totally valid. Most people probably have better things in life in which to take an interest. Rock on.

seanferd
seanferd

Not only is the OS vulnerable to anyone who can exploit this or any other "feature" in an MS OS, systems are also vulnerable to MS itself, who may change their draconian EULA at any time with no notice. (Or not change the EULA and do whatever they want, apparently.) If MS continues it's stategy of trying to get it's proprietary internal standards made public standards by ISO and other organizations, and they are successful, look out. Due to their errors (e.g. the WGA debacle) or their decisions to change service levels, you may not only lose your AeroGlass TM, but also lose access to your documents, other files, or your entire system. Although I have never personally heard of WGA or Windows Update being exploited, it wouldn't surprise me. I do recall several Windows Security Updates that were patches for the fact that MS had several compromised Verisign certificates.

The Scummy One
The Scummy One

If there is extra code in a system, it increases the security vulnerabilities of the system. If this code can be used (by design) to bypass preferences and security to install a piece of software, then it can be a huge security issue

qhartman
qhartman

Anytime that someone can do something with your computer remotely that you did not explicitly allow, it is a security problem. It's especially a problem in the case where you thought you turned the ability for this to happen off, and it happened anyway.

TG2
TG2

Remember.. who's to blame for assuming that turning off automatic updates was the same thing as disabling the service? Or alternatively, not knowing that automatic updates was a service not just a cron or AT job? Microsoft didn't come out and explicitly tell you, but, if you look through the services, its plain to see. So stop and disable the service and you will no longer have to worry about the auto updates, or even updates to the auto updater service. Stealth? No. Misguided? Yes. in the opposite, its microsoft's fault entirely, as in, its microsoft's design, to have auto updater (the service) be required to be running, to use the windows update site...

xmlmagician
xmlmagician

i bet my house that some hacker somewhere is working on it as we speak.

nachral
nachral

I'll be by to pick up the house in the morning ... thanks. ;-)

lastchip
lastchip

No operating system should be able to do this; end of story. I just hope all the corporations out there are finally getting the message about Microsoft products, but I doubt it! Recently, there was a suggestion Microsoft had built in back doors for government agencies on the grounds of security. An allegation they strenuously denied. But is that closer to the truth than we would all like to believe? Just like the Sony root-kit fiasco, Microsoft thought they could get away with it and just like the Sony affair, some bright individual sussed it out. When will these companies ever learn? More to the point, can you ever trust Microsoft in any (let alone a corporate) environment again? You simply have absolutely NO CONTROL over what they may do.

Neon Samurai
Neon Samurai

From my understanding, Microsoft only produces the Windows line of operating systems. Was it Windows you where considering or what specific distribution of Linux where you looking at? (or did I miss a joke?)

Ptero.4
Ptero.4

And I was thinkin about moving from Ubuntu to M$ Linux, now I don't know if it's a good thing to do.

jackie40d
jackie40d

I find this very interesting as ALL of MS shipments have always NEEDED fixing . . Name 1 of them which did not need any fixing or that they did not make a upgrade to in short order . . Even their DOS needed fixing . . And they Based their next few OS's on IBM DOS 7 . . Sounds like they did not like their own DOS

ajcannon
ajcannon

This MS all over - ship a flawed product and then try to convince people that the need for it to be continually fixed is a good thing instead of an admission that they shouldn't have shipped it in the first place.

Timbo Zimbabwe
Timbo Zimbabwe

"Anytime that someone can do something with your computer remotely that you did not explicitly allow, it is a security problem." Yes indeed. And if MS can do it, it can be expoited and used against us.