funsec mailing list archives
Via Slashdot: Microsoft updates Windows without users' consent
From: <rms () computerbytesman com>
Date: Thu, 13 Sep 2007 10:29:37 -0400
I hope we hear Microsoft's side of the story soon. Does anyone know if it is possible to disable the Windows Update service from the registry? I assume also that Windows Update can be disabled by redirecting the windows update server to localhost using the hosts file. Richard http://windowssecrets.com/2007/09/13/01-Microsoft-updates-Windows-without-us ers-consent Microsoft has begun patching files on Windows XP and Vista without users' knowledge, even when the users have turned off auto-updates. Many companies require testing of patches before they are widely installed, and businesses in this situation are objecting to the stealth patching. Files changed with no notice to users In recent days, Windows Update (WU) started altering files on users' systems without displaying any dialog box to request permission. The only files that have been reportedly altered to date are nine small executables on XP and nine on Vista that are used by WU itself. Microsoft is patching these files silently, even if auto-updates have been disabled on a particular PC. It's surprising that these files can be changed without the user's knowledge. The Automatic Updates dialog box in the Control Panel can be set to prevent updates from being installed automatically. However, with Microsoft's latest stealth move, updates to the WU executables seem to be installed regardless of the settings - without notifying users. When users launch Windows Update, Microsoft's online service can check the version of its executables on the PC and update them if necessary. What's unusual is that people are reporting changes in these files although WU wasn't authorized to install anything. This isn't the first time Microsoft has pushed updates out to users who prefer to test and install their updates manually. Not long ago, another Windows component, svchost.exe, was causing problems with Windows Update, as last reported on <http://WindowsSecrets.com/links/$P20d/0b929ch/?url=WindowsSecrets.com%2F200 7%2F06%2F21%2F01-Svchost.exe-gets-worse-before-its-fixed> June 21 in the Windows Secrets Newsletter. In that case, however, the Windows Update site notified users that updated software had to be installed before the patching process could proceed. This time, such a notice never appears. For users who elect not to have updates installed automatically, the issue of consent is crucial. Microsoft has apparently decided, however, that it doesn't need permission to patch Windows Updates files, even if you've set your preferences to require it.
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Via Slashdot: Microsoft updates Windows without users' consent rms (Sep 13)
- RE: Via Slashdot: Microsoft updates Windows without users'consent Larry Seltzer (Sep 13)