Print 27 comment(s) - last by oTAL.. on Sep 19 at 1:46 PM

Recent reports reveal that Microsoft's Window's Update Service, has some sneaky behavior

Most power users want as much control over their OS environment as possible, including full administrative privileges of what is installed and uninstalled.

Administrators have typically been fairly pleased with Windows OS' Windows Update tool.  It allows them to apply patches to fix vital security flaws, but it also allows them to filter the content for patches that might block out functionality, or even to watch for fake malicious patches transferred to their machines.  The key is choice -- administrators decide whether to install the patch or not.

Now a very unsavory detail of Microsoft's Windows Update has been discovered and confirmed by Microsoft.

Windows Update has the ability to update itself as controlled by Microsoft's Update Servers.  This update offers no control to the administrator of the machine, and forces the machine to install the update if it is connected to the Microsoft Servers.

One thing that makes this development alarming is that the process reveals a backdoor which could allow malicious parties to alter the service; if the update process were to be reverse engineered.  This is a substantial security hazard to the OS, because it means that the OS has the ability to be directly altered without administrator control on a system which was previously secure.

One workaround would be to disconnect from Window's update servers, and maintain a local update server.  However, this is inconvenient and requires a significant amount of administrative effort.

Microsoft claims in a statement issued that the process was necessary or the Windows Update Service would no longer be able to install updates.  The statement reads:
"One question we have been asked is why do we update the client code for Windows Update automatically if the customer did not opt into automatically installing updates without further notice?

The answer is simple: any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available.  Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications. That result would not only fail to meet customer expectations but even worse, that result would lead users to believe that they were secure even though there was no installation and/or notification of upgrades.

To avoid creating such a false impression, the Windows Update client is configured to automatically check for updates anytime a system uses the WU service, independent  of the selected settings for handling updates (for example, “check for updates but let me choose whether to download or install them”).

This has been the case since we introduced the automatic update feature in Windows XP.  In fact, WU has auto-updated itself many times in the past."
Microsoft is both admitting its guilt in creating this automatic update flaw and defending it by saying that it needs to be able to regularly override the user and install updates, for the user's own good and safety.

What Microsoft's statement does not explicitly state, but what is also true is that the update process to the update program also overrides administrators.  The update process was shown to occur both on Windows Enterprise and Home Editions of Vista and XP, though Microsoft did not acknowledge this either in its statement.

Microsoft acknowledged how to stop the process from happening: turn Windows Update off  -- or sever it from the Windows severs.

Many users and administrators will be troubled by this development, which leaves their OS with a possible back door, waiting to be opened.  Further troubling is Microsoft's insistence on leaving this functionality in place.  Turning off updates obviously would make the computer even less secure, and manually installing patches would require a large amount of effort.  The choices aren't pretty when it comes to this development about Windows Update behavior.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

By TomZ on 9/18/2007 11:50:32 AM , Rating: 1
Jason, I suggest you get out of the business of promoting FUD. This article is ridiculous - you speculate about all these things that could happen, and repeat several times that this is overriding the desires of sysadmins. That's not really the issue at all, now is it, since admins still do have full control of WU. In addition, Microsoft's logic and reasoning is spot-on, and what end user or sysadmin wouldn't want the update service kept up to date?

Pure FUD. Cease and desist. Disengage.

By porkpie on 9/18/2007 12:03:47 PM , Rating: 2
I agree. This is the silliest thing I've read in weeks.

By thebrown13 on 9/18/2007 7:58:09 PM , Rating: 3
Agreed. Microsoft can't win.

By JasonMick on 9/18/2007 1:14:42 PM , Rating: 5
First of all, I was asked by D-Tech to cover this story.

The issues I present are valid ones.

If Windows Update is "updated" automatically, than the system has a possible security flaw which would allow a malicious user to update windows update with code to auto update occasionally with malicious patches.

The admin has control over WU patches with the current program. This is not necessarily true if the program is updated to give it new capabilities (including malicious ones).

I think most would agree that forcing an update on users is a bad idea.

I think you are labeling this as FUD more because you don't like my editorials than a valid technical assessment of its content.

Subverting wireless drivers or webcams would also likely sound like FUD, had it not been done. Security flaws, no matter how small need to be recognized in OS's.

Update software is particularly security critical and in my mind should never override the user in updating its mechanics.

By Murst on 9/18/2007 1:23:49 PM , Rating: 3
Although this is a story I would expect to see on DT, I think that perhaps it was presented with the wrong tone.

There are plenty of things that I think Microsoft should be criticized for, but what they are doing right here seems to be appropriate. It would have probably been better if you focused on both the good and bad of what MS is doing - the way it is presented seems totally one-sided.

Don't get me wrong - I generally enjoy your articles, I just think this one came out wrong :)

By porkpie on 9/18/2007 1:28:12 PM , Rating: 2
BS. If you can penetrate an "auto-update" feature deep enough to redirect it to a different site and install a backdoor, you can do the same thing for an update triggered manually by users.

This isn't a "hole" and MS didn't "admit their guilt". You're so far off base you're not even playing the same sport.

By Murst on 9/18/2007 1:40:19 PM , Rating: 3
Although the chances of a mistake are unlikely, don't you understand how this could cause a problem?

Suppose you have a webserver with manual installs of updates (but windows update is still turned on - quite a common scenario). Now suppose that, for some reason, someone as MS messes up and posts a bad build of WU on their server. Your system will automatically download and install this update, potentially taking your server down if the bug is major. This does not require any hacking or bypassing of security. It could just be a mistake by MS (and yes, it does happen - look at the recent WGA problems).

Is this a likely scenario? Probably not, but there is a possibility this will happen. If anything, this article is informative. Previously I (and probably many people out there) thought that turning off automatic installs with stop all automatic installs, but it seems this is not the case.

Will this make me change the way I do things? Not really, but it is still something that's nice to know.

By porkpie on 9/18/2007 2:13:28 PM , Rating: 1
The point is you can turn off WU if you want. So whats the problem? Its a feature and like any other feature it can possibly be open to exploitation.

If you're worried about it, don't use it. That's it. Nothing to see here, move along.

By Murst on 9/18/2007 2:32:46 PM , Rating: 3
The point is you can turn off WU if you want

No, point was that even if you specifically tell windows update not to install updates, it will install updates to the WU process anyways.

This is not stated anywhere in the WU process, and that is why it is news.

By porkpie on 9/18/2007 2:56:28 PM , Rating: 2
You turn it off by not using Windows Update at all. But if you decide to use it, you have to let it update itself. The choice is the users.

By TomZ on 9/18/2007 3:03:10 PM , Rating: 2
This is not stated anywhere in the WU process, and that is why it is news.

It's probably a matter of opinion, but I don't find this troublesome or unexpected. If I disabled WU and it updated anyway, I think that would be potentially troublesome, but since WU is a network service, I would expect it to try to keep client and server in sync by delivering updates to the client as necessary.

But sure, it would be nicer if WU told you it was updating, if it doesn't now.

By TomZ on 9/18/2007 1:40:15 PM , Rating: 2
Geez, do I need to spell it out for you?
If Windows Update is "updated" automatically, than the system has a possible security flaw which would allow a malicious user to update windows update with code to auto update occasionally with malicious patches.

Yes, of course in theory, just like all other functionality in Windows and every other operating system. But in practice, how many exploits have taken advatage of WU to-date?
The admin has control over WU patches with the current program. This is not necessarily true if the program is updated to give it new capabilities (including malicious ones).

Again, why are you assuming malicious updates to make your case? Has this been a problem so far? The control that admins have, as you stated, is they can turn WU off and on. Therefore, for admins who choose to not trust WU, they will turn it off anyway, right? Problem solved and admins are still 100% in control, right?
I think most would agree that forcing an update on users is a bad idea.

Sure, but I also think that most users would expect that if they enable WU, that it will continue to work going forward, and not fall so out of date that it doesn't work.

While we're on this subject, would you care to speculate as to why Microsoft is updating WU in the first place? Probably security, right? Therefore, by keeping WU up-to-date, Microsoft is probably reducing the liklihood of malicious code taking over WU, right?
I think you are labeling this as FUD more because you don't like my editorials than a valid technical assessment of its content.

No. That's your opinion, but I don't agree.
Update software is particularly security critical and in my mind should never override the user in updating its mechanics.

I agree, but that hasn't happened here - that is the FUD that I mean. Now suppose WU had a checkbox that asked whether or not to update WU itself, and if you turned it off and Microsoft updated WU anyway, that would be a problem. Or if you turned off WU and it downloaded and installed updates anyway. But neither of these are the case AFAIK.

By JasonMick on 9/18/2007 1:52:23 PM , Rating: 2
Windows update has already been exploited this year to conduct attacks on machines in Germany. The attacks utilize the BITS program which is a central part of the Windows Update process.

Maybe you just were unaware of here:

Malicious updates are a powerful form of attack, though they would be much more complex to develop. You will still likely see more examples of this kind of attack in the future if they are not occuring already.

Imagine, a way to completely get around a firewall unnoticed. Sure there are other ways, but this exploit is pretty subtle in terms of that you don't have to significantly alter the os's registry or its dlls.

By TomZ on 9/18/2007 1:57:42 PM , Rating: 2
Yes of course, but doesn't this strengthen Microsoft's case to make sure WU is kept up-to-date? In other words, Microsoft needs to be able to update WU to change it in response to these sorts of security threats.

If WU didn't auto-update when only manual updates are selected, then many users (esp. corporate) would be running "old" WU executables that are susceptable to attacks that have been since thrwarted by "new" WU executables.

So explain again why these updates are a bad thing?

By Master Kenobi on 9/18/2007 1:59:06 PM , Rating: 1
I would point out you can block the Windows Update service from running on a network quite easily at the firewall level. We do it here at work and nobody is able to run windows update.

This wasn't a problem years ago and it isn't now.

By TheGreek on 9/18/2007 1:23:39 PM , Rating: 1
Yeah Mick it's the same old story with the ultra gullible pro-corporate sheep mentality that clogs Daily Tech. It's not like crackers have taken every possible advantage (and then some) to break into a company website. Windows over the last few years is more about what you can't do, and the greater mentality that MS knows what's best. It's not surprising that so many in the US accept this, apparently personal rights never meant a whole lot to this generation anyway.

Anybody who trusts the auto update tool is a fool to begin with.

But what could any reasonable person who reads comments here expect? The MTBE crowd thinks they have all the answers.

How did you get suckered into this job anyhow?

By Fenixgoon on 9/18/2007 1:28:43 PM , Rating: 2
MTBE = ?

the only thing i know with MTBE is methyl-tertiary abutyl ether, a fuel additive :P

and then there's MTBF - mean time before failure.


By TheGreek on 9/18/2007 1:42:04 PM , Rating: 2
Hey, I never did find out what Porkpie is. It certainly clogs up the arteries in a brain though.

(One of the pro-corporate guys was rather upset with a grass roots movement that helped get MTBE banned, even though it's been proven how harmful it is, he's still for it. Never mentioned whether it passed safety requirements with or without payoffs, but if there were payoffs they would be ok as well.

And welcome to this very strange place.)

By porkpie on 9/18/2007 2:16:53 PM , Rating: 2
MTBE = a substance Archer Daniels Midland created a "grassroots" group to get banned, so they could rake in a multi-billion dollar windfall by selling ethanol to replace it.

Oh, and it managed to raise gas prices 10c/gallon also, and temporarily raised corn prices enough to cause riots among the Mexican poor also. But whats a little human suffering in exchange for the cause eh?

By TheGreek on 9/18/2007 2:27:03 PM , Rating: 1
Well boo-hoo.

By TomZ on 9/18/2007 1:59:45 PM , Rating: 2
An alternate definition: MTBE is something brought up by TheGreek in order to get you to ask the question about why it is relevant, so that he/she can express his/her views again about those who he/she doesn't agree with yet again.

He/she is right though, this can be a strange place. :o)

By TheGreek on 9/19/2007 1:40:23 PM , Rating: 2
Nah, my comments were just pork laden.

Real reason
By gramboh on 9/18/2007 12:07:07 PM , Rating: 2
Could this have anything to do with pushing updated versions of WU onto pirated copies of XP? I am thinking more along the lines of getting newer version of WGA out there to find pirated installs, although I guess WGA is a separate update that is not automatic.

RE: Real reason
By Master Kenobi on 9/18/2007 2:01:40 PM , Rating: 2
WGA is listed under the regular Update or Not option. It won't do it automatically unless you have automatic updates turned on and most people with illegal copies of windows turn it off for this very reason.

By kattanna on 9/18/2007 12:54:46 PM , Rating: 2
Any admin who has his servers set to auto update deserves what he gets.

turn off the auto updates and this isnt an issue.

you should stick to alien implants and the poles melting

Tough crowd.
By rtrski on 9/19/2007 11:55:45 AM , Rating: 2
The honeymoon is over. Or, more bluntly, I think his cherry has been officially "popped".

Good to know this!
By oTAL on 9/19/2007 1:46:13 PM , Rating: 2
The crowd is giving you no quarter Jason, but I enjoyed the article and believe it is a legitimate peace of news.

I had read a bit about already, but your article cleared a few things.

I can't believe so many people can't understand why this is a problem... If you can reverse engineer the process and actually inject code into a system, that makes a previously secured system vulnerable. This could be, of course, solved by a new MS update to WU (one of those you can't refuse). However, one would believe, so far, that by choosing to check for updates but not to install them (very common with admins), there would be further security/insulation from security exploits or MS bugs introduced in the system.

By knowing about this I am not going to change the current behaviour of my machines (check but don't download) because, in this case, I prefer the comfort over the tiny possibility of a problem.

Nevertheless, if I was running a critical machine I would OBVIOUSLY make this change. This is one of those holes that, if someone could learn to exploit and spread it from machine to machine, could possibly take down the entire web with data storms.

MS's explanation for this is not satisfactory. If the design makes it mandatory for WU to be regularly updated, then the design is wrong. WU, when set to only check for updates, should check the available updates like it was just a simple DB query. It would check for the list of new patches since it was last updated and it would receive a data block with the description of the new patches. No need to make it more complicated than that.

"When an individual makes a copy of a song for himself, I suppose we can say he stole a song." -- Sony BMG attorney Jennifer Pariser

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki