Microsoft downplays stealth update concerns

Windows must silently update its Update feature, says company

Microsoft last Thursday essentially called the concerns over undercover updates to Windows XP and Windows Vista a tempest in a teapot, saying that silent modifications to the Windows Update (WU) software have been a longtime practice and are needed to keep users patched.

"Windows Update is a service that primarily delivers updates to Windows," said Nate Clinton, program manager in the WU group on the team's blog Thursday. "To ensure ongoing service reliability and operation, we must also update and enhance the Windows Update service itself, including its client-side software."

Microsoft was moved to respond after the popular "Windows Secrets" newsletter looked into complaints that WU had modified numerous files in both XP and Vista, even though users had set the operating system to not install updates without their permission. In many cases, users who dug into Windows' event logs found that the updates had been done in the middle of the night.

Windows gives users some flexibility in how their PCs retrieve and install updates and patches from the company's servers. In Vista, for example, users can turn off Automatic Updates entirely; allow the operating system to check for, but neither download or install, any fixes; or allow it to download files but not install them.

Clinton tackled the stealth install issue in some detail. "One question we have been asked is why do we update the client code for Windows Update automatically if the customer did not opt into automatically installing updates without further notice? The answer is simple: Any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available."

Failing to do so, he argued, would have ultimately run counter to what a user wants and needs. "Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications." The result, he said, would be to leave users at risk to attack via vulnerabilities Microsoft has patched. "That would lead users to believe that they were secure, even though there was no installation and/or notification of upgrades."

In fact, the practice has been going on for some time, Clinton claimed. "The Windows Update client is configured to automatically check for updates anytime a system uses the WU service, independent of the selected settings for handling updates. This has been the case since we introduced the Automatic Update feature in Windows XP. In fact, WU has autoupdated itself many times in the past," he said.

That would be news to the majority of people who filled several threads on Microsoft's own support newsgroups starting in late August. "I found this information by myself, checking the Windows directories," griped someone identified as Frank. "But the point is that I didn't allow the update (Automatic Update properties on 'notify') and there is no information about this update on Microsoft [Web pages]. Why [didn't] Microsoft publish any information about this update?"

Clinton also disputed user accounts of stealth updates to WU even when they had completely disabled the automatic update feature in the operating system. "WU does not automatically update itself when Automatic Updates is turned off, this only happens when the customer is using WU to automatically install upgrades or to be notified of updates," said Clinton.

Join the Computerworld newsletter!

Error: Please check your email address.

More about HISMicrosoftnCircleVIA

CIO
ARN
Techworld
CMO