September 12, 2007 6:45 PM
My eWEEK Labs colleague Andrew Garcia has independently confirmed a report that will appear in tomorrow's Windows Secrets newsletter: Windows Update is fetching and installing some updates without end users' consent.
Windows Secrets contacted eWEEK and Microsoft Watch earlier this afternoon about the discovery. Tomorrow, Windows Secrets' Scott Dunn will report that Windows Update has started "altering files on users' systems without displaying any dialog box to request permission. The only altered files that have been reported to date are 18 small executables used by WU itself. Microsoft is patching these files silently, even if auto-updates have been disabled on a particular PC."
The Windows Secrets story can be found here, on Sept. 13.
The stealth updates do not appear to affect PCs using WSUS (Windows Server Update Services) the same way as those using Microsoft Update/Windows Update. Typically, Windows would give some notification before installing updates and, presumably, install nothing if Windows Update is disabled. But, in testing, Dunn found that Microsoft was updating Windows XP and Vista systems even when automatic updating is disabled.
"Microsoft is bypassing the normal automatic update control," Dunn told me this afternoon. "The problem is that users don't know that."
"From the perspective of businesses, it isn't a good thing," said Andrew Jaquith, Yankee Group program manager for Security Research. "Silent updates are probably against corporate policy and will definitely mess up whitelisting programs if those are installed."
Windows Update starts on its own.
Dunn agreed and warned that stealth installations could undermine ongoing compatibility testing conducted by IT professionals. "To have this done behind their backs is disconcerting," he said.
We contacted Microsoft PR, but received no response before posting.
The testing conducted by Windows Secrets and eWEEK Labs uncovered the update scenario, which affects Windows XP or Vista.
Windows Vista offers four update options:
- Install updates automatically
- Download updates but let me choose whether to install them
- Check for updates but let me choose whether to download and install them
- Never check for updates
Windows Secrets discovered that Windows had updated files even with automatic update disabled. By comparison, eWEEK Labs found that several Windows computers set to automatically download and manually install had applied updates without end user consent. The two screen shots, supplied by eWEEK Labs, show a PC starting Windows Update and applying a patch without explicit consent. The computer had been set to manually install any updates.
The eWEEK Labs installations occurred on Aug. 23 and those for Windows Secrets on Aug. 24. Windows Secrets found that the stealth updates changed nine files on either Vista or XP, including (on both), wuapi.dll, wuauclt.exe and wups2.dll. Version of the stealth update is 7.0.6000.381.
Susan Bradley, a vocal Small Business Server MVP (Microsoft Valued Professional), said she contacted Microsoft about the apparent stealth updating but with no real explanation.
Windows Update installs update without end user consent.
"I'm concerned that people are expecting that the plumbing update like this should get a yellow pop up in the corner saying 'you have updates'; it doesn't work that way," she said. "But Microsoft has indeed been less than public about this MU/WU update."
In her testing, systems with Windows Update 7.0.6000.374—the version before 7.0.6000.381—that used WSUS did not receive the stealth updates.
"However," she expressed, "that still does not reduce the issue where Microsoft has had ample time to communicate via blogs or other means as to a) what this is; b) what it is fixing; and c) the expectation of how it's doing it."
I spent about an hour this afternoon reading various forum posts about the 7.0.6000.381 update. They varied from people finding the update installed without consent to WSUS not updating some systems to version 7.0.6000.381.
The Windows Vista Privacy Statement states:
"To make Windows Vista work better with the Internet, some features that do not collect personal information are turned on by default. You can choose to disable these features. For details about the information collection, uses, and choice provided by a specific feature or related product or service, please click on the link provided in the list on the right."
Windows Update is not in that list, but it is in another. But I found nothing in the Windows Update Privacy Statement explicitly giving permission to update without end user consent.
"Even if there is some fine print in the EULA, they're still being very Big Brother about how they're handling it," Dunn warned.
[Editor's Note: In its newsletter, Windows Secrets used "turned off" and "disabled" to describe Windows Update's behavior. On, Sept. 13, we asked for clarification. Dunn said that Windows Secrets meant disabled, not turned off. Windows Secrets considers disabled to mean Windows Update settings two and three (see above list). A blog posted today by Nate Clinton, Microsoft's Windows Update program manger, confirms that Windows Update self-updates without user intervention when the setting is either option two or three.]
El Al has cancelled all flights to the US for the 14th and 15th.
If you go here: http://www.elal.co.il/ELAL/English/States/General/
And pick Tel Aviv and New York; - out on the 14th and back on the 19th, you'll see no flights for the 14th and 15th.
Now, pick Tel Aviv and any other city within Israel or Palestine. There are flights.
The US has a total stand-down order for the 14th for the Air Force.
A B-52H was 'outed' to be carrying nukes, on its way to Louisiana, which is the staging point for B-52s going to the Mid East.
Yesterday, Israel 'discovered' Syria had North Korean nukes that were paid for by Iran. (and the tooth fairy is coming over tonight)
Israel bomb Syria a couple of days ago, but no-one is talking.
I guess we'll see, eh?