funsec mailing list archives

Via Slashdot: Microsoft updates Windows without users' consent


From: <rms () computerbytesman com>
Date: Thu, 13 Sep 2007 10:29:37 -0400

I hope we hear Microsoft's side of the story soon.  Does anyone know if it
is possible to disable the Windows Update service from the registry?  I
assume also that Windows Update can be disabled by redirecting the windows
update server to localhost using the hosts file.

 

Richard

 

http://windowssecrets.com/2007/09/13/01-Microsoft-updates-Windows-without-users-consent

 


Microsoft has begun patching files on Windows XP and Vista without users'
knowledge, even when the users have turned off auto-updates.

Many companies require testing of patches before they are widely installed,
and businesses in this situation are objecting to the stealth patching.


Files changed with no notice to users 

In recent days, Windows Update (WU) started altering files on users' systems
without displaying any dialog box to request permission. The only files that
have been reportedly altered to date are nine small executables on XP and
nine on Vista that are used by WU itself. Microsoft is patching these files
silently, even if auto-updates have been disabled on a particular PC.

It's surprising that these files can be changed without the user's
knowledge. The Automatic Updates dialog box in the Control Panel can be set
to prevent updates from being installed automatically. However, with
Microsoft's latest stealth move, updates to the WU executables seem to be
installed regardless of the settings - without notifying users.

When users launch Windows Update, Microsoft's online service can check the
version of its executables on the PC and update them if necessary. What's
unusual is that people are reporting changes in these files although WU
wasn't authorized to install anything.

This isn't the first time Microsoft has pushed updates out to users who
prefer to test and install their updates manually. Not long ago, another
Windows component, svchost.exe, was causing problems with Windows Update, as
last reported on
<http://WindowsSecrets.com/links/$P20d/0b929ch/?url=WindowsSecrets.com%2F2007%2F06%2F21%2F01-Svchost.exe-gets-worse-before-its-fixed>
June 21 in the Windows Secrets Newsletter. In that case, however, the
Windows Update site
notified users that updated software had to be installed before the patching
process could proceed. This time, such a notice never appears.

For users who elect not to have updates installed automatically, the issue
of consent is crucial. Microsoft has apparently decided, however, that it
doesn't need permission to patch Windows Update files, even if you've set
your preferences to require it.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
