Over the last few weeks, and without user approval of any kind, Windows Update has updated nine executable files on both Windows XP and Windows Vista.

We first reported on this last week in “Microsoft caught doing stealth updates,” in which a user noticed files being modified by Windows Update despite the fact that automatic update was disabled. This has since been echoed by various users and reports around the Web.

Well, it’s now official. Microsoft has come clean and admits to the ‘stealth’ updates.

To Microsoft’s credit, the updates in question were actually limited to updating Windows Update’s own files. Also, according to Microsoft, the update occurred only because the alternative would mean that Windows Update itself would stop functioning properly.

Wrote Nate Clinton, Windows Update program manager, on the Windows Update team blog:

“That result would not only fail to meet customer expectations but even worse, would lead users to believe that they were secure even though there was no installation and/or notification of upgrades.”

However, Microsoft is adamant that there is no wrong here, and that the entire issue is more a matter of Microsoft not being clearer. Microsoft Windows programmer Nick White wrote:

“We do recognize that we should have been clearer in our explanation of this process earlier in the game…”

Note that this issue only affects computers that use Windows Update. Most large businesses probably use Windows Server Update Services or a feature in Systems Management Server to perform their updates. They are not affected by this snafu.

Still, Microsoft seems to be missing the bigger picture here. As mentioned in my earlier post, if Microsoft is able to ‘push’ updates to a computer with automatic update disabled, what is there to stop a hacker from figuring out how to do the same?

Is this silent update ‘ability’ a major security vulnerability waiting to explode in our faces?

