Microsoft responds to stealth update issue

Microsoft responds to stealth update issue

Summary: Last night I approached Microsoft for comment on the stealth updating issue. Here is the response I received from a Microsoft spokesperson ...

SHARE:
TOPICS: Microsoft, Windows
96

Breaking news - Latest from Microsoft 

Last night I approached Microsoft for comment on the stealth updating issue.  Here is the response I received from a Microsoft spokesperson:

The files that are being updated are part of the Windows Update client itself. Windows Update automatically updates itself from time to time to ensure that it is running the most current technology, so that it can check for updates and notify customers that new updates are available.  This is normal behavior, and it has worked this way since the service debuted several years ago.

This is not to suggest that we were as transparent as we could have been; to the contrary, we could have been clearer on how Windows Update behaves when it updates itself. We’ve received helpful and important feedback on this point, and we are now looking at the best way to clarify WU’s behavior to customers so that they can more clearly understand how WU works. 

That said, we continue to be confident that the choice to use Automatic Updating continues to be the best decision for many of our customers. Windows Update remains a popular service with our customers because it helps them stay safe and have confidence that they are running the latest software from us.

Nate Clinton, Windows Update Program Manager also comments on this issue.

I'll comment on these responses later.

Topics: Microsoft, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

96 comments
Log in or register to join the discussion
  • Automatic updates

    The people who are screaming rape by Microsoft, concerning automatic updates without permission, are the same people who scream rape when someone touches their collectible Dragonball Z toys.
    matt.nelson
    • And what are you doing

      touching those Dragonball Z toys in the first place? When I was a kid my mother taught me something called "manners". You don't touch something that's not yours because it's rude.
      Michael Kelly
      • RE: And what are you doing

        LOL... thats a good point.
        Qlueless
    • RE: Automatic updates

      They are also the same people that complain that there computer has a virus, even though they have not ran windows updates in 3 years, nor do they have updated anti-virus software.

      On the other hand I have several computers that are still running WinXP SP1, and I would be quite upset if they were "automaticlly updated", since they would not do the job they are intended to do at that point.

      The Auto updates are good for some reasons, but extreamly back in others...
      Qlueless
    • How often do you

      open your front door to the police and let them wander through your house to decide for themselves if everything you own is legal and okay to have?

      By the same token, I don't want Microsoft, or anyone else, on my system. Just because I'm forced to your Windows (because of work) doesn't mean they're invited to wander around when they feel like it. If my system's not "up to date", that's MY problem, not their's!
      straybeat_z
  • It is an interesting conundrum

    The people that are complaining are the ones that have Windows Update turned off. They therefore are the ones that are not affected. If it breaks the feature they won't even know. Those using Windows Update benefit from the changes but also don't know unless it breaks. Sounds like a non-issue to me.
    ShadeTree
    • I think the ones complaining are the ones who set to notify

      The updates are not supposed to be installed until they are notified and proceed. No one knows whether anything broke yet. Even if it did break some computers, I doubt it would be tracked to the update, most didn't know about it and will revert to the 3Rs and chalk it up to SOP.

      A more interesting question, now that the cracker community knows of another attack vector (updates that bypass the user OK), will they start attempting to exploit it?

      TripleII
      TripleII-21189418044173169409978279405827
      • What attack vector?

        Just because Microsoft has a back door doesn't mean the hacker community knows how to exploit it. Also, if this exploit broke Windows Update 100s of millions of users would be complaining.
        ShadeTree
        • You can't be serious?!

          What attack vector, they have the patch, they have the code, they can decompile it to find out HOW the update bypasses the user notify preferences, just like they DO WITH EVERY OTHER security patch.

          Why does a patch have to affect hundreds of millions to be the fault of the patch. If the patch were to break, oh, let's take a sample.

          Anyone running AVG with STAT array XYZ with Nvidia drivers where patch SP-XXXYY does not already exist because they blocked it. I doubt there are hundreds of millions who run that exact config. Hmm,maybe MS missed that configuration during their exhaustive testing, like they have MANY MANY times in the past with patches, missing something and thereby breaking something.

          Point is, don't shove patches with NO NOTICE, bypassing user preferences to machines, that way, when something does break, they have a clue where to look.

          You are one of the VERY few pooh poohing this as an actual problem/deficiency

          TripleII

          P.S. While it is a problem, I have posted in other blogs that MS has every right to update their computer, you agreed to the EULA.
          TripleII-21189418044173169409978279405827
          • Are you serious?!

            If anyone could shove code into the Windows Update stream, they would have by now. What ever mechanism that prevents automatic updates from getting patches from anywhere else (I'm assuming public/private keys) would prevent Windows Update from updating itself from elsewhere.
            Please, get real and give it a rest.

            yes I agree, however, that MS should have
            1. made this very clear to start with
            2. not updated the updater
            mdemuth
          • They don't have the patching mechanism.

            They only have the files that were changed. If as you contend the people have selected notify they will know if the patch broke their system when the next patch Tuesday rolls arround and they don't get any patches. There is a malicious software removal patch every month. Your arguements just don't hold water!
            ShadeTree
          • But how does it really differ from any other service

            such as Adobe's updater that accesses your machine, checks it's software version, and if out of date, has the access to splash a window on your screen. It's not installing anything w/o permission but depending on who is logged in, could install anything it wants. <br>
            I suppose someone could take the flash plugin and rip it apart and figure out how it's being accessed by it's updater.
            xuniL_z
          • EULA not justification

            Just because a EULA is present does NOT mean it is enforceable under contract law. California for one has rejected Microsoft EULA's in the past because they can be modified solely at Microsoft's behest and without agreement from the user. In addition, a EULA is not the only legal entity in play, here.

            Basic contract law dictates that both parties to a contract must be cognizant of the terms of the contract and that neither party can be under duress during the agreement or the contract is unenforceable, i.e. null and void.

            Just because Microsoft CAN do it does NOT mean that they SHOULD or that they have the legal RIGHT to. The federal law which prohibits tampering with another person's computer (aka hacking/cracking) can also apply here, as the intrusion was neither approved nor welcome despite the EULA. Microsoft may license the software, but the computer hardware is NOT theirs, and modifying anything means making changes on the hard drive (writing new files, etc.). And Microsoft owns 0% of the hard drive or memory.

            The best thing to do in any case is simply to complain - make a big enough stink either in the press or with your pocketbook (switch to Linux) and I guarantee MS will change their tune.
            blarman_z
          • Correct

            Contrary to what a couple people here say, Microsoft has no legal right for tampering with anything without user permission.

            Microsoft is just a company purporting to sell products and services. Microsoft is absolutely unrelated to genuine law enforcement agencies.

            Get serious about complaining. File a complaint with the Better Business Bureau online:

            http://www.bbb.org/complaint.asp
            Cardhu
        • FYI

          It was already known as an attack vector. Not everything is "social engineering" you know.
          zkiwi
          • Really

            Please share a link to the vulnerability. Oh that's right, you only bash Windows mindlessly. Facts are beyond your grasp!
            ShadeTree
          • Here's a thought...

            I'll post the facts in a couple of days. Oh wait, that makes me sound like George Ou. Nevermind.

            And it's not a Microsoft only thing, it is also something that people try on OS X and any other system that "phones home" in a systematic manner.

            Do you find it hard to believe that people out there snoop on what happens when systems "phone home?" And if that seems reasonable to you then are you still prepared to say that it isn't an attack vector. Please note, I have indicated nothing about success or now, just that people are and have been trying it out.
            zkiwi
          • Just as I thought!

            No link! No facts! Just a personal attack on George and more idle speculation. Were you the class clown in school or are you new to the role?
            ShadeTree
          • River, Egypt

            You're on a denial cruise.

            Once more, do you not think that people have looked at and have/are trying to use these automatic "phone home" systems as attack vectors?
            zkiwi
          • Once again youself.

            Just because people are looking for a weakness in something doesn't mean they found one or that one actually exists. Your the one that is spouting hot air. Provide something concrete or go away.
            ShadeTree