Microsoft caught doing stealth updates


The Inquirer just ran a report in which it claimed that Microsoft performed updates on users' machines without first asking for their permission.

Apparently, Scott Dunn of Windows Secrets is credited with noticing that Windows Update has recently started updating certain files on the sly on users' systems.

Here's an excerpt from "Microsoft fiddles with your Windows without permission":

Nine small executable files on XP and Vista have been altered so far in what Dunn dubs a stealth move by the Vole. What is strange is that the updates were carried out while the Automatic Updates dialogue box in the Control Panel was set to prevent updates from being installed automatically.

At this moment, there is absolutely no indication about the purpose of the changes. Also, nothing pertaining to this unexpected update can be found on Microsoft's Web site.

I find it very worrying if it is indeed possible to perform remote patching and/or updating of a Windows box without prompts of any kind or even the ability to opt out.

In such a scenario, it would only be a matter of time before some hacker manages to reverse engineer this backdoor into an attack vector of devastating effect and scope.

So stay tuned -- we will post additional information pertaining to this matter when and if it becomes available.

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

53 comments
WhocreatestimecreatesGod

It's a trespass! Why do we need Information Security if a software vendor can do it without asking? We need to re-examine the "licensing" evil in it.

kengharthun

Doesn't surprise me. I just wonder how long this has been going on? Since Automatic Updates were incorporated into XP? Back in August, I discovered a control panel applet for CardSpace that had been installed without my knowledge along with .NET 3.0. I blogged about it: http://tinyurl.com/2myaeg Installing something along with a product you chose to install is one thing; complete stealth is unacceptable. To top it off, MS broke XP's repair function: http://tinyurl.com/2bsa95. I've almost completed my move to using nothing but Open Source software; all that remains is for me to move to Linux. Cheers! The Geek

rtweeboom

Turn off auto update service or change from automatic to manual.

NickNielsen

This quote is from the original posting at Windows Secrets (http://tinyurl.com/33gsft). "Microsoft is patching these files silently, even if auto-updates have been disabled on a particular PC." Edit: nextday spollchack

markinct

Windows Secrets posted a follow-up: http://preview.tinyurl.com/yo22r6 He quotes MS executives and provides guidelines for preventing silent updates. Here's "program manager" Nate Clinton of MS: "The point of this explanation is not to suggest that we were as transparent as we could have been; to the contrary, people have told us that we should have been clearer on how Windows Update behaves when it updates itself. This is helpful and important feedback, and we are now looking at the best way to clarify WU's behavior to customers so that they can more clearly understand how WU works." Hmmm... sounds a lot like another Clinton we all know...

terryh

So much for "Trusted Computing"

dgrandja

Regardless of the EULA, if stealth updates have been done, Microsoft has once again shown how unethical the organization is. What's to stop them using these updates to extract information from our networks, to gain access to competitor financial and development information.... Yes they own the software and we have the License, however we own the hardware, and when it boils down to it, the HDD of any machine is not identical in every way as a result of their changes, it's magnetically different... i.e. been changed by them.... it may be a very fine technicality but regardless.... what they have done is totally unethical and leaves room for others to do the same....

foringmar

Microsoft is reported to recently have patented some method of pushing out commercials in the operating system. Their so-called stealth update is merely a small test of what is to follow....

arroyowolf

vole -- Britannica Online Encyclopedia vole: any of 124 species of small-bodied mouselike rodents of the Northern Hemisphere.

rayp

Truly disturbing. With this ability let loose what's to prevent incriminating documentation being dumped onto anyone's computer and then anyone being indicted on charges for something they didn't do, because the 'evidence' is stacked against them.

Dusterman

My God ... folks! Are the majority here that blinded by MS's subtle messages either in writing or in their seminars? They sold out to the Feds [gave up the source code in exchange for no prosecution for being in massive monopoly that they are] and now you are surprised that they "dare" to run code/programs without your permission? H e l l o ... as my daughter would say! Get a grip! We actually have folks on here that work for and with the guvment and Microsoft, and monitor our progress and our ability to find them out! Don't believe it? Then put your head back in the sand! And to those here who comment that "just because somebody said it ... it ain't so" ... really? Well most subversive things throughout history have not been written to so as not to be proven without fact. I am not anti-guvment ... just anti guvment spying on its own citizens ... the Patriot Act has been misused so much [per my inside contacts] that even the insiders question the ethics of what is being done in the name of the good old USA. Ouch ... sorry for the rant ... but simpletons that really believe that MS and our guvment haven't struck a deal need to be fed coffee intravenously for a week and get woke up to reality. :-)

Murphy's_Brother

The headline in the TechRepublic newsletter blared out, "Microsoft admits to stealth updates." I come to the actual article to read a story on Microsoft being "caught" and not a word on them admitting to anything. What Microsoft actually admits to, easily found by searching, is automatically updating Windows Update when you are using automatic updates OR visiting the Windows Update site. According to them, if you do neither, your files are untouched. Yes, what they are doing raises some concerns but they are not secretly pushing updates out to everyone. Enough scaremongering.

mlkiely

Grow up, nerds. When in hell did you realise that Microsoft is in reality now NSA and we have absolutely no say in what they are doing? Simply put, they can do whatever they like to your person or property under the Anti-terrorism Legislation that Congress passed a few years back. Canada lost complete control of their DND computers years back and Cognos paid the price, so if you feel violated, good, join the club.

jags_mcp

So what, Boss. Until it is good for the system health we don't mind, and it is much far good doing by Microsoft than those hackers injecting the virus, spywares, and other malicious code. I don't know why the hell everyone is behind Microsoft. Don't you shift your focus on those things and help the software leaders on how to overcome those vulnerabilities and prevent unauthorised access by the hackers? Have a change for the while! Jagdish M Chichria

jaishankarvr

Windows XP user. Things I don't like about Microsoft: spying on your system without your consent. Don't like Microsoft Security Center as well. Have disabled them both, including Firewall. Will tell you how to disable them. For Windows XP users:
1) Click on Start -> Run, type in Msconfig (pops up the System Configuration Utility window).
2) Click on Services.
3) a) Uncheck Windows Firewall/Internet Sharing. b) Uncheck Logic disk manager admin service (do not uncheck only Not logic disk manager). c) Uncheck Error Reporting Service. d) Uncheck Error Reporting, Help and Service, IMAP CD-Burning, NetMeeting, Windows Installer, Net Logon, Distributed Transaction, Machine Debugger, Removable Storage, Task Scheduler, Smart Card, System Restore Service (disable System Restore on all drives). Uncheck Security Centre and Automatic Updates, also Uninterrupted Power Supply, Wireless Zero Configuration, Portable Media Serial Number.
Try the above and you will see how the system performs after restarting. Make sure you don't disable any antivirus stuff that you have in startup.

djMot

Let me get this straight. We're allowing The Inquirer as a credible source of IT news? YIKES!

NickNielsen

Maybe you should have read the Inquirer article. At the bottom you would have found this link (http://tinyurl.com/33gsft) to the source article at Windows Secrets. edit: clarify

PhilippeV

This silent update is actually NOT updating the Windows update system, but allowing it to use another ADDITIONAL patching system. On my XP system, there are now FIVE versions of the Windows updates patch engine, 2 for the Windows Update v2 API, three for the Windows Update v1 API. The build versions of Windows Update v2 engines are the same as those of Windows Update v1, but there's still another old engine for Windows Update v1 (build version 5.xxx, most probably coming from Office Update in an older version of Office, since all these patching engines are now integrated with a single search in Microsoft Update that operates both Windows Update and Office Update). However I don't understand why these updated patch engines are remaining: if these were updated due to security issues (possible remote attack by virus), then these old versions should have been uninstalled, and documented, and Microsoft should have rebuilt its patching servers so that they can operate either with:
* older WU clients (like those reinstalling Windows or Office), in a way that just permits these older WU clients to upgrade the WU executable before applying the patches, so that they become new WU clients not sensible to remote attacks
* newer WU clients, whose older update engines no longer work, but that are permitted to install patches even for their older Windows or Office components.
I think we are concerned by the fact that these older patching engines are left installed (and why?). If they are staying there, it's because Microsoft admits they are not demonstrated to be a critical security issue. But if the old patching engines are exploitable by viral worms or remote attacks, then they should have been completely uninstalled, and Microsoft should have documented this fact by closing at the same time the possibility to install older downloaded patches that will no longer work on PCs that have the newer secured patch engines and API (wupd.dll and wupd2.dll).
Really, Windows Update client installation needs to be cleaned up even if Microsoft maintains secrets on its internal API. We should not have multiple APIs when just one, preferably the newest and most secure one, should remain for applying other patches. Given the fact that these patch engines can be very powerful on a system, in a way that they will silently install system components including critical ones, they constitute a privileged target for possible remote attacks by worms (and notably to install malicious rootkits running with the highest system privileges and access rights). And anyway, Microsoft should document its policy, and which critical WU files are needed for each Windows or Office patch. Critical patches that will work on several versions should have separate downloadable installation engines depending on only one version of the WU client. But I see no reason why Microsoft silently updates WU. I fear that this is another implementation by Microsoft of the bad concept of "security by obscurity". If a new patch system is needed to install newer system or Office patches, then Microsoft should document this fact and explain why the new patch engine is needed (and possibly urgently needed if this is because of a security issue in the older WU client files). Note that if Microsoft uninstalls these old WU client files, then the separately downloadable patches that have been successfully applied in the past may no longer work on systems that have only the newer version of the WU client. I don't think it is bad, provided that Microsoft explains why the new client is needed and why the older WU clients are no longer supported, and provided that Microsoft makes older patches still downloadable separately containing an installation engine updated to conform to the newer WU client.
And in all cases, older WU clients should not be uninstalled without user consent as well (up to now, they have not been uninstalled, so this is still not a policy problem, because patches downloaded in the past will continue to work even on PCs that have the newer patch engine in addition to the older patch engine...) Now that the subject is public, all the system will be scrutinized: the existing WU clients will be compared extensively, looking for possible security issues in each version, and the effects of each version should be strictly limited so that no virus will exploit them (only approved patches digitally signed by Microsoft should work with those WU client versions, but if there are security holes in the verification made by WU clients, then Microsoft needs to address the issue). I fear that Microsoft has built newer WU files only in order to increase the protection of its WGA system, to avoid that users with invalid licences turn their system into a validated version of Windows or Office (because most Microsoft patches now require WGA approval, if they are not critical security patches).

CharlieSpencer

How about linking to the original source of the article, not some second-hand recounting? Just a suggestion.

paulmah

Thanks for your feedback Palmetto. You might be glad to know that I actually consciously do that. Must have slipped through the cracks in this instance, so point taken here.

Neil Higgins

Oh well, if they can "add", surely they can also "take-away?" Just delete all the bad stuff guys. I won't mind.... Oh... that just leaves the desktop curser then.

Genera-nation

CursOr. Guess that just ruined your post then!

royhayward

I think he had that one right.

Neil Higgins

I wish I cud spel curektly... Me use foul language about Redmond....never.lol

Genera-nation

Damn you - I would have gotten away with it as well if it was not for you pesky users...

CharlieSpencer

The Inquirer article makes several references to "the Vole". What the heck is that?

boxfiddler

An article entitled "Revenge of the Vole (aka Microsoft)". http://blog.taragana.com/index.php/archive/revenge-of-the-vole-aka-microsoft/

CharlieSpencer

The article you linked begins, "This may be a bit 'Inquirish', ... ". Most of the links I got Googling the terms vole Microsoft either had others asking the same question or referred to it as a term used by the Inquirer. I've decided it's not worth my time pursuing. I'm not familiar with the Inquirer. I almost blew the original article off, thinking it was referring to the grocery checkout tabloid. Is this a reliable web site with some level of journalistic balance, or is it just an anti-MS site? I don't have enough background to determine the legitimacy of its information.

paulmah

Hi Palmetto, I have found The Inquirer to be of good, if not excellent journalistic integrity - facts-wise at least. Well, their anti-MS (Some might say anti-establishment) slant might put some off, but I have found that they do get their facts right.

boxfiddler

I thought you were asking what 'the Vole' references. Don't read the Inquirer either, but find it amusing that the Vole (in this case)=MS. Rodent and all...

unhappyuser

Microsoft wouldn't do that would they?! I can't believe a company with such a reputation would do that! But I also still believe in the Easter Bunny so....... EMD

cparris

Microsoft has the reputation of using the mass public for their final beta testing. Microsoft's reputation is of gross negligence and the unwillingness to take responsibility for it. Taking that into account Microsoft has gotten lazy and lackadaisical in their approach to creating new versions and new products. If they did more research they would know that there are a lot of things that people will not tolerate. The acceptance of Vista at this time is one such example of this failure to plan or research ahead. As for any of the updates M$ puts out, I haven't seen too many that didn't slow down my and my end user's machines.

royhayward

"I'm shocked, shocked to find that gambling is going on in here! " This is no surprise Microsoft has been talking about this stuff forever. Search "Digital Right Management", "Software Protection Platform", and "Windows Genuine Advantage". Who owns this software anyway, I thought they were selling not renting it?

tonymorgan

I'd suggest that you read Microsoft's EULA where you'll see that "The Software is licensed, not sold" in clause 3. This clause is in ALL Microsoft software. Read the rest of the EULA and you'll see that Microsoft excludes any liability for ANYTHING relating to their software. Install the software (ANY Microsoft software) and you agree to all the "get-outs" written there :-(

foringmar

There are in my country (it's NOT Sweden) laws about responsibility for sold products. Microsoft's products are so faulty that MS cannot risk taking any responsibility. In fact, recent events regarding their new document standard suggest that MS products are so bad that MS has to pay users to use them. They did offer bribes in Sweden among other countries. And they admitted that they offered bribes in Sweden.

RKG

I seem to remember somewhere there has been a successful court challenge to some EULA content where the user could not opt-out. It did not negate the EULA, but there was something about 'reasonable expectation'; the EULA had some conditions that could not normally be expected, and the user was not actually bound by the unreasonable part of the EULA. Blanket indemnification I think may come into this category.

royhayward

I try to be pretty conscious about safety and security, building in holes is kind of 1984ish. Do we have to buy the Vista Premium No Back Door Edition? And how much will that cost me?

CharlieSpencer

This makes MS no different from the majority of software companies. Almost all of them have similar clauses about "licensed, not purchased". MS isn't unique in this.

Genera-nation

Some guy of some site said..... Suddenly it is fact....???

rmahr_523

Hello Bin Laden; H. Hoover; Tricky Dick

bgalliford

Automatic Updates is pushy enough, but this is a little crazy... However, how many worms are spread by unpatched computers, how many hours in your life do you spend fixing issues that could have been resolved by a patch being applied? My question is this, do we really want to rely on the users to control IF they update or not? Wouldn't it be safer if the machines were always up to date? I do not know where I stand on this yet...

martyncoup

In our corporate environment we disable Automatic Updates via Group Policy then push them out via SMS 2003, this way we know which ones fail/complete and is generally a fairly decent method of updating.

Fregeus

... that legally speaking, we do not own our version of the OS but are merely using it under license. What prevents them from updating something they own anyways, without our consent? Legally speaking of course. As a home user, I'm not too ticked at this since nothing serious will occur if my system is suddenly not accessible because of an unannounced update. At the office tho, it's another story. It's one more argument not to allow automatic updates at the office.

crgrunstad

If Microsoft has the ability to slip something onto an enterprise critical machine and it no longer functions correctly because of it, what would be a company's recourse? Pull a backup out of the vault and restore it to only have Microsoft come back in and do it again...I see trouble on the horizon.

rruss536332000

Our client can deduct their monthly payment for services in accordance with service availability. Untested (by us) updates from MS can cause application outages, as several tested updates have done. Stealth updates will definitely cost us.

nubbs17

That's why SUS and WSUS were created, to implement a way for updates to happen with no user interaction. Even then, the administrator at least knows what's going on. I do not agree with Microsoft's idea of "stealthing" the updates, the only reason I can see them doing something like this was because it was too embarrassing for them to announce these patches... C'mon guys, everyone knows you're f*d up, just don't go patching anything on my computer on the sly!

theillien

You're assuming all patches are applied to strictly enterprise systems. Chances are they are being applied to personal systems as well and therefore eliminate any opportunity for SUS or WSUS to enter the discussion. I too am unsure where I stand on this. It has been shown that not only are enterprise admins greatly irresponsible in this department but personal users are more so. Worm, virus and trojan authors know this which is why they are still able to do as much damage as they can. If there were no ability to opt out of keeping an up-to-date system chances are we'd have a much more secure computing world. If they can put all kinds of crap in the EULAs regarding software ownership and the fact that we are, in essence, only borrowing the software on their terms, they really should have the ability to force us to accept the updating of it.

Tony Hopkinson

when they break the system they are updating. Which apparently they aren't.