Recent reports reveal that Microsoft's Window's Update Service, has some sneaky behavior

Most power users want as much control over their OS environment as possible, including full administrative privileges of what is installed and uninstalled.

Administrators have typically been fairly pleased with Windows OS' Windows Update tool.  It allows them to apply patches to fix vital security flaws, but it also allows them to filter the content for patches that might block out functionality, or even to watch for fake malicious patches transferred to their machines.  The key is choice -- administrators decide whether to install the patch or not.

Now a very unsavory detail of Microsoft's Windows Update has been discovered and confirmed by Microsoft.

Windows Update has the ability to update itself as controlled by Microsoft's Update Servers.  This update offers no control to the administrator of the machine, and forces the machine to install the update if it is connected to the Microsoft Servers.

One thing that makes this development alarming is that the process reveals a backdoor which could allow malicious parties to alter the service; if the update process were to be reverse engineered.  This is a substantial security hazard to the OS, because it means that the OS has the ability to be directly altered without administrator control on a system which was previously secure.

One workaround would be to disconnect from Window's update servers, and maintain a local update server.  However, this is inconvenient and requires a significant amount of administrative effort.

Microsoft claims in a statement issued that the process was necessary or the Windows Update Service would no longer be able to install updates.  The statement reads:
"One question we have been asked is why do we update the client code for Windows Update automatically if the customer did not opt into automatically installing updates without further notice?

The answer is simple: any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available.  Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications. That result would not only fail to meet customer expectations but even worse, that result would lead users to believe that they were secure even though there was no installation and/or notification of upgrades.

To avoid creating such a false impression, the Windows Update client is configured to automatically check for updates anytime a system uses the WU service, independent  of the selected settings for handling updates (for example, “check for updates but let me choose whether to download or install them”).

This has been the case since we introduced the automatic update feature in Windows XP.  In fact, WU has auto-updated itself many times in the past."
Microsoft is both admitting its guilt in creating this automatic update flaw and defending it by saying that it needs to be able to regularly override the user and install updates, for the user's own good and safety.

What Microsoft's statement does not explicitly state, but what is also true is that the update process to the update program also overrides administrators.  The update process was shown to occur both on Windows Enterprise and Home Editions of Vista and XP, though Microsoft did not acknowledge this either in its statement.

Microsoft acknowledged how to stop the process from happening: turn Windows Update off  -- or sever it from the Windows severs.

Many users and administrators will be troubled by this development, which leaves their OS with a possible back door, waiting to be opened.  Further troubling is Microsoft's insistence on leaving this functionality in place.  Turning off updates obviously would make the computer even less secure, and manually installing patches would require a large amount of effort.  The choices aren't pretty when it comes to this development about Windows Update behavior.

"We can't expect users to use common sense. That would eliminate the need for all sorts of legislation, committees, oversight and lawyers." -- Christopher Jennings

Latest Blog Posts
T-Mobile Data Problems
Saimin Nidarson - Oct 20, 2016, 10:17 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki