Monday, September 17, 2007

Microsoft admits to stealth updates

  • Blog Post
  • 5 Comments
  • Permalink

icon_comments_154x48

+1

Worthwhile?

Over the last few weeks, and without user approval of any kind, Windows Update has updated nine executable files on both Windows XP as well as Windows Vista.

We first reported about this last week in Microsoft caught doing stealth updates, in which a user noticed files being modified by Windows Update despite automatic update being disabled. This has since been echoed by various users and reports around the web.

Well, it is now official. Microsoft has now came clean and admitted to the ’stealth’ updates.

To their credit, the updates in question were actually limited to updating Windows Update’s own files. Also, the only reason this update occurred is because the alternative would mean that Windows Update itself would stop functioning properly, according to Microsoft.

Wrote Nate Clinton, Windows Update program manager on the Windows Update team blog:

“That result would not only fail to meet customer expectations but even worse, would lead users to believe that they were secure even though there was no installation and/or notification of upgrades.”

However, Microsoft is adamant that there is no wrong here and that the entire issue is more a matter of Microsoft not being clearer. Microsoft Windows programmer Nick White wrote:

We do recognize that we should have been clearer in our explanation of this process earlier in the game…

Note that this issue only affects computers that use Windows Update. Most large businesses will probably be using Windows Server Update Services or a feature in Systems Management Server to perform their updates. They are not affected by this snafus.

Still, Microsoft seems to be missing the bigger picture here. As mentioned in my earlier post, if Microsoft is able to ‘push’ updates to a computer with automatic update disabled, what is there to stop a hacker from figuring out how to do the same.

Is this silent update ‘ability’ a major security vulnerability waiting to explode in our faces?