The Windows Update Stealth Affair Explained

It was widely reported last week that Microsoft had automatically updated systems that had Automatic Updates set to "Check for updates but let me choose whether to download and install them". Nate Clinton, a Windows Update Program Manager at Microsoft, posted a response on his blog shortly after the widespread [misconceived] reporting had gone out.

One question we have been asked is why do we update the client code for Windows Update automatically if the customer did not opt into automatically installing updates without further notice? The answer is simple: any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available. Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications. That result would not only fail to meet customer expectations but even worse, that result would lead users to believe that they were secure even though there was no installation and/or notification of upgrades.

One misconception is that Microsoft had updated systems on which Automatic Updates was turned off. In this instance those machines were not updated; only those that had the Automatic Updates tool turned on were. The only stealthy thing about the whole affair is that the Windows Update service itself was updated without the consent of the user, and Nate explains above why this is so. It updated the tool that checks for updates, which seems to be the problem all round.

Not such a big deal if you ask me. Oh, Nate also goes on to say that Windows Update and Automatic Updates have upgraded themselves in the past in the same manner; only now, it seems, has it become an issue!

View: How Windows Update Keeps Itself Up-to-Date @ Microsoft Update Team Blog


39 Comments


Heck, if you saw all the routers the OneCare v2.0 beta supports for WiFi setup, you might think MS will send the password they set back to MS. The new OneCare sets up a lot of the routers and WiFi stuff. File and printer stuff is included as well. Now, for the most part, for anyone here that's an easy task. But for Joe Blow that's cool.

First post here. My personal experience was that I was not offered the update until I unblocked Microsoft's servers, enabled the Automatic Update and BITS services, and went to the Windows Update site. Adrian Kingsley-Hughes, on a ZDNet.com blog titled "Confirmation of stealth Windows Update" at http://blogs.zdnet.com/hardware/?p=779 states:

At the PC Doc HQ we have several systems set not to update. This is so that they are kept at a specific patch level for testing duties. Many of these systems are virtual machines but some are physical. When I heard about this stealth update I decided to take a look at one of these systems that don’t update automatically - and within seconds I found what I was looking for.
I'm taking this to read 'Windows OS computers set not to update updated anyway.' This may not be the correct interpretation of this and it was NOT my experience.

<Donning my tinfoil hat>

This means Microsoft has shown their hand that they have a backdoor into your box.

I'm not really surprised much. Around a year ago we were using VoIP with a Vonage-supplied Linksys router (Linksys Broadband Router with 2 phone ports Model RT31P2). We were having fits with faxing with it (the FoIP standard hasn't been adopted yet, but that's a whole different rant) and I read over at dslreports that a firmware update would raise the ringer voltage, perhaps solving our problem. We contacted Vonage and they agreed to flash our router.

About an hour later I remembered that I'd specifically DISABLED mucking with the firmware externally in one of the router's settings. "Oh-oh, they won't be able to flash it" I thought. When I went into the administrative section, however, I discovered they had already flashed the firmware.

They had a backdoor!

Considerable poking around found the login and password they possibly used, which I forwarded to a "spook" friend of mine who was very interested.

I now just use the switch section of that router and we've long since said good riddance to Vonage.
--CF

It's not really a backdoor. That would require your box to always be able to receive data.

This is the update service checking if there are any updates available to itself; seeing that there is, it downloads the update so it can check if there are any updates available for the OS.

Most likely the report you quoted didn't have updates turned off, but had it set to download but don't install. In which case the updater service will still need to self update.

If you have updates set to update, or to download but don't update, you obviously want it to do this. What you don't want is to apply any real OS updates or reboot while you're doing something full screen and you didn't see the update. So it makes sense for the updater to self update.

And as I said, not a backdoor since it only receives updates to itself and only from a signed, verified server. It's not like anyone can tap into it, or MS can do anything they want with it.

I'm taking this to read 'Windows OS computers set not to update updated anyway.'

No, that means 'Windows OS computers set not to update still had the updater updated because even though it was set to not update [components of the operating system / other supported programs], the update checker wasn't switched off.' Ignorance by those at PC Doc HQ about how WU works (and has worked for years) doesn't help much and adds to the FUD the anti-MS crowd love to propagate.
...About an hour later I remembered that I'd specifically DISABLED mucking with the firmware externally...

I would have thought that even a year ago default settings of firmware wouldn't be set to allow external access. My Linksys ADSL router never had that set by default and that's several years old (moot since I flashed to third party).
I discovered they had already flashed the firmware

and you didn't notice a service outage when the router rebooted? Odd, that. Still, if they did manage to flash your box when external access was denied then that is definitely a security issue. After all, anybody could come along and brick it with garbage firmware...

In my opinion MS made a wrong decision here.

I don't think it's that weird to be concerned about anyone messing with your computer remotely without your consent. The issue is not if the update itself was suspicious or not, but rather that they shouldn't be able to do that.

Just shows how many people didn't read their OSs EULA. Always highly amusing how a giant **** storm is created out of lack of knowledge from information that is right at people's hands.

GEIST said,
Just shows how many people didn't read their OSs EULA. Always highly amusing how a giant **** storm is created out of lack of knowledge from information that is right at people's hands.

Not everybody is an immortal highlander who can waste life reading all the boring crap wandering around. I think Microsoft must print their OS EULA on toilet paper so people will read it as soon as indigestion hits them. I bet it will be more interesting reading than all this text on shampoo bottles.

GEIST said,
Just shows how many people didn't read their OSs EULA. Always highly amusing how a giant **** storm is created out of lack of knowledge from information that is right at people's hands.

Also shows how many people live in countries where that kind of EULAs are not legally binding, and don't have any reason to bother reading them.

MS operates worldwide, the EULA excuse is a weak one.

Why not just retain the old updater infrastructure enough to offer the new version of the updater through it, and then other updates are obtained with the new one.

The answer is simple: ...users would not have been able to successfully check for updates and...

I think I've heard this explanation already. It sounded like: The answer is simple: Iraqis would not have been able to successfully implement democracy so we invaded them without asking. It's all for your own good and not because of oil, you just don't understand. :)

This is one big pile of PR b******t which comes when someone is trying to cover a bad event by describing it in other terms to make it look legitimate. This excuse falls into the same class as "I am not stealing, I am just borrowing".

All these people had a WORKING! AutoUpdate which was perfectly capable of downloading the list of update files and showing an update message to the Windows users. All Microsoft needed to do was just a) create an update for AutoUpdate; b) make it critical; c) write in the description that the user must install this update in order to successfully check for new updates after some specified date because new updates will be available from another place.

I don't see anything wrong here. Everybody makes mistakes and I believe that Microsoft's original intentions were good - just to update AutoUpdate itself. But Microsoft's PR just made it smell fishy by trying to push it like there was no other way to do this, when in fact there was, and by putting the responsibility for this action on the customer by saying "we did it because it was you (customers) who needed it most".

I find it fairly amusing and shocking how this turned into an 800lb gorilla of an issue. I thought this was pretty much considered "old news..."

Never underestimate how big a fuss people can make out of non-issues just so they can stick it to a "big evil company". People just like to whine and feel outraged, they don't really need a solid excuse to do it.

Maybe this is also a reason why MS wanted to kill AutoPatcher... if MS gives the option to 'download' but let me 'choose' and they don't, then it's without permission. For you fanboys of MS it's not a matter of paranoia: you'd be throwing a hissy fit if you went to one of your gameboy sites and it updated something without you knowing it (you set the option to notify), even though the update was needed eventually for shooting your toy play gun.

That's kinda like going to a Quik Stop for a sandwich (knowing you need gas eventually) and when you walk back outside, one of the employees has already filled your car up with 30.00 of gas and you didn't ask, nor tell him to fill it up... and your wallet is empty... lol

JamesWeb said,
Was this not explained, like, the day it was discovered?

Yes, and ever since then I've blocked all Microsoft IPs on my router.

Perhaps there has been some overreaction over what MS are adamant is an innocuous (and commonplace) happening. I'm sure there was nothing Evil™ about the update, but:

Why not notify users, just as you would for any other update? Why does an update to the updater "not count" for some reason? Nothing has been said to suggest this would have been impossible; after all, if they were still able to deliver the update, I can't see any technical reason why this update, just like any other, couldn't be preceded by the usual prompting according to the user's settings? To not have done so makes the update tool disingenuous, and inevitably leads to the bad press we have seen. So why take that risk? They didn't seriously think no one would ever notice?

The underlying fear, as at least one person above has mentioned, is the risk -- however remote -- that should the windowsupdate site somehow get "pharmed", the attacker could pump out horrendous exploit code to every Windows PC out there with no warning. (Of course for others, the fear is that Microsoft could do that themselves.)

Bottom line: if you are going to give users a degree of control over the update process (which I for one think is a good thing, as long as "automatic and silent" remains the default for the clueless), you deserve scathing criticism if you only give it selectively, and without telling.

Havin_it said,
Why not notify users, just as you would for any other update? Why does an update to the updater "not count" for some reason? Nothing has been said to suggest this would have been impossible; after all, if they were still able to deliver the update, I can't see any technical reason why this update, just like any other, couldn't be preceded by the usual prompting according to the user's settings? To not have done so makes the update tool disingenuous, and inevitably leads to the bad press we have seen. So why take that risk? They didn't seriously think no one would ever notice?

The underlying fear, as at least one person above has mentioned, is the risk -- however remote -- that should the windowsupdate site somehow get "pharmed", the attacker could pump out horrendous exploit code to every Windows PC out there with no warning. (Of course for others, the fear is that Microsoft could do that themselves.)

Bottom line: if you are going to give users a degree of control over the update process (which I for one think is a good thing, as long as "automatic and silent" remains the default for the clueless), you deserve scathing criticism if you only give it selectively, and without telling.

This is exactly true and all your questions are valid. Microsoft probably have spun their way out of this situation (you notice it took a while for their 'proper response' to appear---it probably spent days being kicked about in their PR department before being posted on that 'blog'), but the fact is they could have taken the open way and asked permission to update the updater. They chose instead the hidden way. It is no wonder people are paranoid about them and about what is going on behind their backs (or at least behind their desktops).

Yeah, I've seen the buzz explained on the Keep Updated Live blog http://keepupdated.wordpress.com/2007/09/1...s-self-control/ several days ago. The guy there has clearly explained the situation and confirmed that the engine updates were taking place way before the problem was revealed in August. He also provided some useful notes on the workaround, which involves using special tools from Microsoft and ScriptLogic that allow accurate control of any actions performed during the system updates. I agree with him that there's no problem here with updating the code, only that they probably should have explained that before and provided a little more flexibility to the users.
---
Regards,
Ralf.

I do agree that maybe some sort of notification could have been used, but I don't think they should ask for consent really. As I said in a previous post, they'd probably just click no, saying they have no time for it, or click no for simply not knowing what it is.

If the Windows Update site gets screwed, well, then you've got a major situation on your hands. However, I'd imagine that the site for those servers is locked down extremely well as it is.

I had already said in the last bit of news that it's not the first time it's done it. Geez, take off the tin foil hats, ppl. I for one am glad it does it so it at least works.

I don't see how this is much of an issue for people with legitimate copies of Windows.

Either way, you are either someone who keeps track of what's going on with your OS/apps and you manually install these kinds of things or you are someone who leaves most everything on 'auto' mode and you wouldn't know or really care about this issue in the first place.

It seems to be lumping the 'just click next' users in with the 'read what updates actually update' users and they are two totally different groups of people.

So sneaky? Yes.
Something a legitimate user who pays attention need worry about? Nope.

I think the issue is, if Microsoft can alter code on your computer then what's stopping some malicious application from doing the same thing.

Tomo said,
I think the issue is, if Microsoft can alter code on your computer then what's stopping some malicious application from doing the same thing.

This isn't the only Updater that updates its files before it checks for updates. Now whether those let you know that they've updated the updater I don't know. But this isn't anything more than the update service getting a new version of its records. As MS adds new patches and adds updates for other non-Windows apps, the updater has to be updated or it'll never get the newer information.

Exactly. It's not as if Microsoft is changing any real system files; they're just updating the Updater so that you can still update.. properly!

And the fact that it's FREE is great enough as it is.

As for other malicious applications, they do exist. They're called viruses, trojans, spyware, etc. Unless they're put on the Microsoft's patch servers for you to download, they must find an alternative method to get into your PC, such as being attached to a file in a .rar archive. (free_pr0n.rar! lol)

As for the non-user consent, I'm glad they didn't ask for it. You just think how many people would be like,"No, don't have time to fool with that," or "What's this?! Better click no." That would leave a lot of people unpatched, and unable to download patches for the OS or applications (Office, Outlook, etc).

GP007 said,
This isn't the only Updater that updates it's files before it checks for updates.

Probably not, but it's certainly an updater that must run with admin privileges. That is, the kind of program that I wouldn't want to have features like "control what's being installed without my consent".

So somewhere in this story, it was misreported that people with Automatic Updates turned off had received this update?

Relativity_17 said,
So somewhere in this story, it was misreported that people with Automatic Updates turned off had received this update?

Actually this is what got people angry in the first place. And some people said that that was happening. Here is an example. The explanation they are giving now makes sense but only if it does NOT update people who have elected not to receive ANY updates at all. If Microsoft didn't already have a reputation as being untrustworthy among many people out there, this never would have got played up to this extent.

James7 said,
Actually this is what got people angry in the first place. And some people said that that was happening. Here is an example. The explanation they are giving now makes sense but only if it does NOT update people who have elected not to receive ANY updates at all. If Microsoft didn't already have a reputation as being untrustworthy among many people out there, this never would have got played up to this extent.

The question remains open however as to why Microsoft is so "untrustworthy". Is it because they actually are, or is it simply that a reputation has been built upon a patchwork of misunderstanding and knee-jerk reactions from stories such as these?

I bet if someone posted on the Neowin front page about how Microsoft has started to scan people's machines and remove software from competitors, that you'd get 40 comments about how Microsoft is an evil monopolistic empire, before someone looked around and figured out that it wasn't true.

At the end of the day, MS patched part of the OS with no indication this was happening. Surely a notification of this kind of action is warranted.

As to the "Nate also goes on to say that Windows Update, or Automatic Updates have upgraded themselves in the past in the same manner, only now it seems has it become an issue!".... wtf? It's because you've only been caught this time. I guess it is like BT, downloading isn't illegal unless you get caught

jasondefaoite said,
At the end of the day, MS patched part of the OS with no indication this was happening. Surely a notification of this kind of action is warranted.

As to the "Nate also goes on to say that Windows Update, or Automatic Updates have upgraded themselves in the past in the same manner, only now it seems has it become an issue!".... wtf? It's because you've only been caught this time. I guess it is like BT, downloading isn't illegal unless you get caught :rolleyes:

They haven't been caught and there is nothing secret about it. The process is described on MSDN and in the EULA, and a lot of administrators I know already knew about the updates happening. Why are people so paranoid? 8-)

At the end of the day, MS patched part of the OS with no indication this was happening.

No they didn't. They patched a component attached to the OS (you don't have to have it in order to use Windows) in order to maintain a service provided at no extra cost (apart from bandwidth costs I suppose) to the end user. This service changes over time as more products are added / code is cleaned up or enhanced.

Most people have automatic updates (and installation) on by default as that is the default. The only updating they ever physically do happens if they click the icon in the system tray (which normally is "I need a reboot after updating myself"). A lot don't even do that and the reboot happens as a normal consequence of them turning off their PC when they're done with whatever they were doing.

Setting to download and notify or just notify only still means that the update component needs to check if there are updates. If this checker is out of date how will it find out? Do you think a just-let-it-get-on-with-it user is going to like having to approve an update to the update check? This already happens at WU but they never go there.

If AU updated programs (apart from itself) when told not to, then that indeed is an issue. However, it doesn't. It only updates itself so when it is needed it can work properly.

Note that AU doesn't even update itself if the whole thing is turned off.

Mountains and molehills. Let it go. Be thankful it exists or there'd be a far greater number of zombie PCs than there are already.

XerXis said,
Why are people so paranoid 8-)

Why do you run an antivirus? Why do you run a firewall? Why do you run an antispyware programs?

Why don't you use every toolbar you see, let every tracking cookie track you and let your machine run rampant with different ad-ware programs?

Yes, I wonder why people are so paranoid.

jasondefaoite said,
wtf? Its because you've only been caught this time. I guess it is like BT, downloading isn't illegal unless you get caught :rolleyes:

Great logic, <snipped>!

What exactly is it that Microsoft was trying to "get away with" when it got "caught"?

People lie, cheat, or steal because there is some tangible benefit in doing so: they get something in exchange for their acts of dishonesty. Like .mp3 files for example.

So what benefit did Microsoft receive in exchange for perpetrating this horrible act of deception? C'mon! Let's hear it! What exactly is it that Microsoft was "caught" doing?

daPhoenix said,
Why do you run an antivirus? Why do you run a firewall? Why do you run an antispyware programs?

Why don't you use every toolbar you see, let every tracking cookie track you and let your machine run rampant with different ad-ware programs?

Yes, I wonder why people are so paranoid.


Well, if you're paranoid enough to be worried about this one - turn Automatic Updates off. End of story. I'm not exactly a rabid MS fanboy here, but it's a fair enough point - Joe Average would be screwed over royally if his AU wasn't up to date and from the PC's point of view it thought it was secure, when in fact there were however-many critical patches that his AU wasn't spotting. So imo, as we now have a decent enough explanation, I don't think MS did anything wrong, really...

jasondefaoite said,
At the end of the day, MS patched part of the OS with no indication this was happening. Surely a notification of this kind of action is warranted.

If you look in Automatic Updates in the control panel, it says at the top that if you turn AU on, the Windows Update components may be automatically updated before any other updates.

It is not an issue of paranoia. I am in an enterprise and although most (>90%) of my clients receive updates from WSUS, there are a few that use Automatic Updates (I'd rather not explain why; let's just say I don't make the decisions). Those users are paranoid and if anything is done to their system without their consent it will become my department's problem, i.e. the CD burner that hasn't worked in the last two years "suddenly" stopped working when I got this patch.

They should have created a notification for the update and stated that no more updates will be available until this update is installed.