It was widely reported last week that Microsoft had automatically updated systems that had Automatic Updates set to "Check for updates but let me choose whether to download and install them". Nate Clinton, a Windows Update Program Manager at Microsoft, posted a response on his blog shortly after the widespread [misconceived] reporting had gone out.
One question we have been asked is why do we update the client code for Windows Update automatically if the customer did not opt into automatically installing updates without further notice? The answer is simple: any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available. Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications. That result would not only fail to meet customer expectations but even worse, that result would lead users to believe that they were secure even though there was no installation and/or notification of upgrades.
One misconception is that people wrongly assumed Microsoft had updated systems on which Automatic Updates was turned off. In this instance those machines were not updated; only those that had the Automatic Updates tool turned on were. The only stealthy thing about the whole affair is that the Windows Update service itself was updated without the consent of the user, and Nate explains above why this is so. What was updated was the tool that checks for updates, which seems to have been the whole problem.
Not such a big deal if you ask me. Oh, Nate also goes on to say that Windows Update and Automatic Updates have upgraded themselves in the past in the same manner; only now, it seems, has it become an issue!
View: How Windows Update Keeps Itself Up-to-Date @ Microsoft Update Team Blog
As to the "Nate also goes on to say that Windows Update, or Automatic Updates have upgraded themselves in the past in the same manner, only now it seems has it become an issue!"... wtf? It's because you've only been caught this time. I guess it is like BT, downloading isn't illegal unless you get caught.
They haven't been caught and there is nothing secret about it. The process is described on MSDN and in the EULA, and a lot of administrators I know already knew about the updates happening. Why are people so paranoid 8-)
No they didn't. They patched a component attached to the OS (you don't have to have it in order to use Windows) in order to maintain a service provided at no extra cost (apart from bandwidth costs I suppose) to the end user. This service changes over time as more products are added / code is cleaned up or enhanced.
Most people have automatic updates (and installation) on by default, as that is the default. The only updating they ever physically do happens if they click the icon in the system tray (which normally is "I need a reboot after updating myself").
Setting to download and notify or just notify only still means that the update component needs to check if there are updates. If this checker is out of date how will it find out? Do you think a just-let-it-get-on-with-it user is going to like having to approve an update to the update check? This already happens at WU but they never go there.
If AU updated programs (apart from itself) when told not to, then that indeed is an issue. However, it doesn't. It only updates itself so when it is needed it can work properly.
Note that AU doesn't even update itself if the whole thing is turned off.
Mountains and molehills. Let it go. Be thankful it exists or there'd be a far greater number of zombie PCs than there are already.
Why do you run an antivirus? Why do you run a firewall? Why do you run antispyware programs?
Why don't you use every toolbar you see, let every tracking cookie track you and let your machine run rampant with different ad-ware programs?
Yes, I wonder why people are so paranoid.
Great logic, <snipped>!
What exactly is it that Microsoft was trying to "get away with" when it got "caught"?
People lie, cheat, or steal because there is some tangible benefit in doing so: they get something in exchange for their acts of dishonesty. Like .mp3 files for example.
So what benefit did Microsoft receive in exchange for perpetrating this horrible act of deception? C'mon! Let's hear it! What exactly is it that Microsoft was "caught" doing?
Last edited by PureLegend on 20 Sep 2007 - 14:45
Well, if you're paranoid enough to be worried about this one - turn Automatic Updates off. End of story. I'm not exactly a rabid MS fanboy here, but it's a fair enough point - Joe Average would be screwed over royally if his AU wasn't up to date and from the PC's point of view it thought it was secure, when in fact there were however-many critical patches that his AU wasn't spotting. So imo, as we now have a decent enough explanation, I don't think MS did anything wrong, really...
If you look in Automatic Updates in the control panel it says at the top that if you turn AU on that the windows update components may be automatically updated before any other updates.
They should have created a notification for the update and stated that no more updates will be available until this update is installed.
Actually this is what got people angry in the first place. And some people said that that was happening. Here is an example. The explanation they are giving now makes sense but only if it does NOT update people who have elected not to receive ANY updates at all. If Microsoft didn't already have a reputation as being untrustworthy among many people out there, this never would have got played up to this extent.
The question remains open however as to why Microsoft is so "untrustworthy". Is it because they actually are, or is it simply that a reputation has been built upon a patchwork of misunderstanding and knee-jerk reactions from stories such as these?
I bet if someone posted on the Neowin front page about how Microsoft has started to scan people's machines and remove software from competitors, that you'd get 40 comments about how Microsoft is an evil monopolistic empire, before someone looked around and figured out that it wasn't true.
Either way, you are either someone who keeps track of what's going on with your OS/apps and you manually install these kinds of things or you are someone who leaves most everything on 'auto' mode and you wouldn't know or really care about this issue in the first place.
It seems to be lumping the 'just click next' users in with the 'read what updates actually update' users and they are two totally different groups of people.
So sneaky? Yes.
Something a legitimate user who pays attention need worry about? Nope.
This isn't the only updater that updates its files before it checks for updates. Now, whether those let you know that they've updated the updater I don't know. But this isn't anything more than the update service getting a new version of its records. As MS adds new patches and adds updates for other non-Windows apps, the updater has to be updated or it'll never get the newer information.
And the fact that it's FREE is great enough as it is.
As for other malicious applications, they do exist. They're called viruses, trojans, spyware, etc. Unless they're put on the Microsoft's patch servers for you to download, they must find an alternative method to get into your PC, such as being attached to a file in a .rar archive. (free_pr0n.rar! lol)
As for the non-user consent, I'm glad they didn't ask for it. You just think how many people would be like,"No, don't have time to fool with that," or "What's this?! Better click no." That would leave a lot of people unpatched, and unable to download patches for the OS or applications (Office, Outlook, etc).
Probably not, but it's certainly an updater that must run with admin privileges. That is, the kind of program that I wouldn't want to have features like "control what's being installed without my consent".
Why not notify users, just as you would for any other update? Why does an update to the updater "not count" for some reason? Nothing has been said to suggest this would have been impossible; after all, if they were still able to deliver the update, I can't see any technical reason why this update, just like any other, couldn't be preceded by the usual prompting according to the user's settings? To not have done so makes the update tool disingenuous, and inevitably leads to the bad press we have seen. So why take that risk? They didn't seriously think no one would ever notice?
The underlying fear, as at least one person above has mentioned, is the risk -- however remote -- that should the windowsupdate site somehow get "pharmed", the attacker could pump out horrendous exploit code to every Windows PC out there with no warning. (Of course for others, the fear is that Microsoft could do that themselves
Bottom line: if you are going to give users a degree of control over the update process (which I for one think is a good thing, as long as "automatic and silent" remains the default for the clueless), you deserve scathing criticism if you only give it selectively, and without telling.
This is exactly true and all your questions are valid. Microsoft probably have spun their way out of this situation (you notice it took a while for their 'proper response' to appear---it probably spent days being kicked about in their PR department before being posted on that 'blog'
---
Regards,
Ralf.
If the Windows Update site gets screwed, well, then you've got a major situation on your hands. However, I'd imagine that the site for those servers is locked down extremely well as it is.
Yes, and ever since then I've blocked all Microsoft IPs on my router.
That's kinda like going to a Quik Stop for a sandwich (knowing you need gas eventually) and when you walk back outside, one of the employees has already filled your car up with $30.00 of gas and you didn't ask, nor tell him to fill it up... and your wallet is empty... lol
Last edited by jwjw1 on 20 Sep 2007 - 12:51
I think I've heard this explanation already. It sounded like: The answer is simple: Iraqis would not have been able to successfully implement democracy, so we invaded them without asking. It's all for your own good and not because of oil, you just don't understand.
This is one big pile of PR b******t, which comes when someone is trying to cover a bad event by describing it in other terms to make it look legitimate. This excuse falls into the same class as "I am not stealing, I am just borrowing".
All these people had WORKING! AutoUpdate which was perfectly capable of downloading the list of update files and showing the update message to the Windows users. All Microsoft needed to do was just a) create an update for AutoUpdate; b) make it critical; c) in the description write that the user must install this update in order to successfully check for new updates after some specified date, because new updates will be available from another place.
I don't see anything wrong here. Everybody makes mistakes and I believe that Microsoft's original intentions were good - just to update AutoUpdate itself. But Microsoft's PR just made it smell fishy by trying to push it like there was no other way to do this when in fact there was, and by putting responsibility for this action on the customer by saying "we did it because it was you (customers) who needed it most".
Last edited by EJocys on 20 Sep 2007 - 15:00
Not everybody is an immortal Highlander with a life to waste reading all the boring crap wandering around. I think Microsoft must print their OS EULA on toilet paper so people will read it as soon as indigestion hits them. I bet it will be more interesting reading than all this text on shampoo bottles.
Also shows how many people live in countries where that kind of EULAs are not legally binding, and don't have any reason to bother reading them.
MS operates worldwide, the EULA excuse is a weak one.
I don't think it's that weird to be concerned about anyone messing with your computer remotely without your consent. The issue is not if the update itself was suspicious or not, but rather that they shouldn't be able to do that.
<Donning my tinfoil hat>
This means Microsoft has shown their hand that they have a backdoor into your box.
I'm not really surprised much. Around a year ago we were using VoIP with a Vonage-supplied Linksys router (Linksys Broadband Router with 2 phone ports Model RT31P2). We were having fits with faxing with it (the FoIP standard hasn't been adopted yet, but that's a whole different rant) and I read over at dslreports that a firmware update would raise the ringer voltage, perhaps solving our problem. We contacted Vonage and they agreed to flash our router.
About an hour later I remembered that I'd specifically DISABLED mucking with the firmware externally in one of the router's settings. "Oh-oh, they won't be able to flash it" I thought. When I went into the administrative section, however, I discovered they had already flashed the firmware.
They had a backdoor!
Considerable poking around found the login and password they possibly used, which I forwarded to a "spook" friend of mine who was very interested.
I now just use the switch section of that router and we've long since said good riddance to Vonage.
--CF
This is the update service checking if there are any updates available to itself; seeing that there is one, it downloads the update so it can then check if there are any updates for the OS available.
Most likely the report you quoted didn't have updates turned off, but had it set to download but don't install. In which case the updater service will still need to self-update.
If you have updates set to update, or to download but don't update, you obviously want it to do this; what you don't want is to apply any real OS updates or reboot while you're doing something full screen and you didn't see the update. So it makes sense for the updater to self-update.
And as I said, not a backdoor, since it only receives updates to itself and only from a signed, verified server; it's not like anyone can tap into it, or MS can do anything they want with it.
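An added check, not from the thread or from Microsoft, that a Windows administrator could run to see which of the four Automatic Updates settings a machine actually has (the point argued in the post above) and to confirm that the update agent binaries on disk carry a valid Microsoft Authenticode signature, the property the post relies on and the one that matters for the "pharmed" site fear raised earlier. It assumes the standard AUOptions registry value and the agent file names wuauclt.exe and wuaueng.dll under System32 (present on XP through Windows 7); those names are assumptions, not taken from the thread.

```powershell
# Added example: report the Automatic Updates setting and verify the update agent's signatures.
# Assumes the standard AUOptions value and agent file names (XP through Windows 7 era).
$auKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Meaning of AUOptions: the same four choices discussed in the thread.
$meanings = @{
    1 = 'Automatic Updates off (agent does not self-update)'
    2 = 'Notify before download (check only)'
    3 = 'Download, notify before install'
    4 = 'Download and install on schedule'
}

# A domain policy value overrides the local one, so read the policy key first if present.
$value = $null
foreach ($key in @($policyKey, $auKey)) {
    if (Test-Path $key) {
        $prop = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($prop -and $prop.PSObject.Properties['AUOptions']) {
            $value = [int]$prop.AUOptions
            Write-Output ("AUOptions={0} from {1}: {2}" -f $value, $key, $meanings[$value])
            break
        }
    }
}
if ($null -eq $value) { Write-Output 'AUOptions not set; the default (download and install) applies' }

# Verify the update agent files are Authenticode-signed and that the signer is Microsoft.
$files = @("$env:SystemRoot\System32\wuauclt.exe", "$env:SystemRoot\System32\wuaueng.dll")
foreach ($f in $files) {
    if (-not (Test-Path $f)) { Write-Output "$f not found (different Windows version?)"; continue }
    $sig     = Get-AuthenticodeSignature -FilePath $f
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    # Both conditions must hold: the chain validates AND the subject is a Microsoft CN.
    $ok = ($sig.Status -eq 'Valid') -and ($subject -match 'CN=Microsoft')
    $verdict = if ($ok) { 'OK' } else { 'CHECK' }
    Write-Output ("{0}: {1} [{2}] signer={3}" -f $f, $verdict, $sig.Status, $subject)
}
```

A value of 2 or 3 is the case the post describes, where the agent still updates itself; 1 is the setting under which, per the thread, it does not.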
No, that means 'Windows OS computers set not to update still had the updater updated because even though it was set to not update [components of the operating system / other supported programs], the update checker wasn't switched off.' Ignorance by those at PC Doc HQ about how WU works (and has worked for years) doesn't help much and adds to the FUD the anti-MS crowd love to propagate.
I would have thought that even a year ago default settings of firmware wouldn't be set to allow external access. My Linksys ADSL router never had that set by default and that's several years old (moot since I flashed to third party).
And you didn't notice a service outage when the router rebooted? Odd, that. Still, if they did manage to flash your box when external access was denied then that is definitely a security issue. After all, anybody could come along and brick it with garbage firmware...