As far as I can tell there is very little to this story.
Automatic updates to WU only happen if one of the following is true:
* You have notifications turned on,
* You have automatic download turned on,
OR
* You have automatic installation turned on.
If Windows Update is turned off on your system Windows Update will not be automatically updated. It will however be updated (if necessary) when running Windows Update manually.
Microsoft should of course not install updates to WU automatically unless configured so. It should notify users of updates to Windows Update, and let the user know that further notifications would not be received until WU had been updated.
EDIT: Forgot an "on". And fixed spelling error in "Forget" --> "Forgot".
Edited 2007-09-14 14:14 UTC
Do you have any evidence or at least sources for that claim?
The article itself makes that claim:
It only says "seem". It has not been confirmed to be true for all four settings, and it is a fact that the WU-client cannot connect to WU-servers when running without Administrator rights.
I know from my experiences with my firewall that WU does not attempt to do anything when turned off. And I know that because my firewall freaks out when I run WU and forget to un-restrict WU.
Edited 2007-09-14 19:12 UTC
I don't have evidence for the thing he described, but I set it to "Notify, but don't download or install".
Yesterday evening I booted Windows and two updates were shown: the one security update and that "tool to remove bad software" (no, I don't know the correct English names for that). I clicked on cancel since I wanted to do this later, after doing some work.
Half an hour later there was just ONE update left. Guess which one it was.
Okay, that's not really much "evidence" since you can't really prove that without making a video. Guess you just have to believe me here.
Wooot O_o ??? You have an IE7-uninstaller!!1?
Hmm.. I've had my own problems with the notification-thingy when manually launching Windows Update. The notification thing tends to conflict with the manual launch, so I'd need the output from Windows Update's list over installed updates and failed updates for your machine. HOWEVER: You MUST NOT give me that information. I'll haunt you in your nightmares if you do.
Launch Windows Update manually and check the list over successful updates and failed updates and see if it shows something. Until then I can only conclude you had a problem with the notifier.
I have had conflicts with manual launch of WU and the notifier running, but I haven't experienced what you describe. But that malicious software thingy is probably self-installing.
No. That's the core of the problem. The core of the article was that Microsoft was invading your privacy and modifying the entire OS by installing all kind of updates without your consent.
Remove the sensationalism of the article and you would have had a good story. As it stands now it is just obnoxious second rate "journalism".
It was a stealth update to Windows Update itself. Now of course, they could have asked permission, but that would have looked something like this: http://kroc.deviantart.com/art/Marklark-Marklark-Marklark-32789616
Well, from a security-POV Microsoft could hardly do it much different.
MS of course has the following options:
1) Install updates to WU automatically if WU is set to "automatic updates"
2) Download updates to WU automatically if WU is set to "automatic downloads" and notify the user that the updates are ready to be installed. However! The user must be notified that WU will not work if the updates are not installed.
3) Notify the user of updates to WU if WU is set to "Notify only". However! The user must be notified that WU will not work if the updates are not installed.
The downside of doing 2) and 3) is that the user will not know about important updates until the user has updated the Updater (which is difficult to formulate properly, as Kroc proved with his earlier post.. heehee).
From a security-oriented POV Microsoft has not been unethical. From a privacy-oriented and technological POV Microsoft has acted in part unethically and in part incompetently.
But it doesn't mean that MS is trying to take over your computer (they may be doing that, but not through WU).
What Microsoft should have done is to inform of this in WU. No part of an operating system should be self-updating without written notice of what parts get self-updated, and why.
Also, from a security standpoint, I think this is bad.
WU is proprietary. We don't know how it validates new self-updates. What if Microsoft WU servers get hacked, and millions of Windows machines start to automatically download compromised code?
Edited 2007-09-14 14:34
Well for me it ain't a risk, since my firewall blocks Windows Update unless I specifically allow WU to contact the servers.
Remember, the Windows Update servers do not contact your machine. It is your machine that contacts the Windows Update servers.
If the servers are compromised people using automatic download/installation/notification are at (a rather hypothetical) risk. It's however only a matter of having a properly configured firewall - and not the built-in btw.
Well, since you cannot control what it does when it contacts the remote machine, and you cannot prevent it from changing software on the machine, it is not really your machine any more, is it?
http://www.microsoft.com/technet/archive/community/columns/security...
The really scary thing is that there is now at least one more known way to remotely install code in a Windows system without having to get permission.
All that is required is for the code one wishes to install on the target Windows system to successfully masquerade itself as being an update to WU.
True security would require that an OS insist that a local, authorised administrator of the system manually supplies credentials before any piece of new software can become executable.
It is plain that the Windows OS lacks this most basic security provision.
AFAIK, update notifiers on Linux clients run with normal privileges. The notifiers merely inspect what versions are locally installed, and what versions are in on-line repositories. When it is found that updates are available on-line, the notifiers show the user that updates are available.
It still requires the user to manually supply root credentials to the package manager software before the actual updates can be downloaded and installed.
This is the essential difference, I suppose, between a mere update notifier and Windows Update.
On Windows, there is apparently no absolute universal fundamental-to-the-OS requirement to manually supply administrator credentials before downloaded information can be made executable.
On Linux, there are execute permissions as part of local filesystems, that can only be set by a local user. After execute permissions are set, the newly-executable file can then only run with the maximum permission level of the user who provided credentials to set the execute permission bit. Therefore, in order to bestow universal and system-level execute permission, the authorising local user must be root.
Edited 2007-09-15 12:58
dylansmrjones and sappyvcv have already dealt with your arguments from a technical standpoint (successfully, IMO), but I want to respond to a statement of yours from a non-technical standpoint.
"The really scary thing is that there is now at least one more known way to remotely install code in a Windows system without having to get permission. "
It seems to me that given that the vast majority (or, at least a substantial percentage) of home Windows computers have WU set to download and automatically install security updates anyway (that's the default setting), that if someone wanted to infect systems by compromising WU in some way, they would have already done it, or at least already have been trying to do so. This "one more way" doesn't add much from a practical standpoint. It would expand the targeted users beyond the "download and auto-install updates" users to the "download but don't auto-install" and the "check for available updates" users, but the first target is so huge that baddies would have already been trying to compromise WU if so inclined. And any techniques that would exploit this "one more way", that first huge segment of users has already been subject to.
(I talk of home computers because corporate computers likely use WSUS or SMS rather than WU, so the IT staff controls how those machines are updated, regardless of this "one more way".)
Edited 2007-09-15 15:26
This is a typical Microsoft position.
The critical points are these:
(1) It is trivially easy to get data onto a client. Any website can do this. If you want to compromise a system, then getting your data onto a system is not a problem ... the problem is to get your payload data to be executed by the target system, hopefully with elevated privileges. WU has been shown to provide just such a mechanism.
(2) Microsoft's EULA reserves the right for Microsoft to update Windows systems. WU is one way (very likely not the only one) that Microsoft can update any Windows system. WU cannot be disabled as an entry point onto a Windows system, even apparently if the end user selects "never update". This effectively (if not literally) makes WU a "push technology".
(3) If Microsoft can push data onto a Windows system via WU and get it to execute (install) at system-level privileges without end-user authorisation, then that immediately presents an attractive doorway for other parties to try to do the same feat. Even if Microsoft honestly intend for this mechanism to only ever be used for WU to update itself, other parties are in no way constrained by Microsoft's original intentions.
(4) Finally, Windows makes no distinction between "binary data" and "locally authorised to execute program". WU illustrates this point beautifully. WU provides a mechanism (that cannot be disabled by the end user) for an external party to put new code onto the end user's system without permission of the end user and to have that new code enjoy system-level privileges. The fact that the intention is that Microsoft is the only party that can do it is moot ... the fact remains that it can be done. If Microsoft can do it, it remains only a matter of time before some other party finds a way to also do it using the same mechanisms.
This is fundamental security stuff. Either Microsoft just doesn't get security, or Microsoft does get it but doesn't care to provide it for end users. Either way is a very poor reflection on Microsoft.
Edited 2007-09-16 06:45
(1) It is trivially easy to get data onto a client. Any website can do this. If you want to compromise a system, then getting your data onto a system is not a problem ...
Then WU is irrelevant at this point because the machine is already compromised.
the problem is to get your payload data to be executed by the target system, hopefully with elevated privileges. WU has been shown to provide just such a mechanism.
No, actually it hasn't. You've only claimed it has with no proof whatsoever.
WU cannot be disabled as an entry point onto a Windows system, even apparently if the end user selects "never update".
Ah, but it can. It's been stated by multiple people already that setting to "never update" didn't do the updates. Even further, it's quite trivial to disable the WU service.
(3) If Microsoft can push data onto a Windows system via WU and get it to execute (install) at system-level privileges without end-user authorisation,
A side effect of the poor security in versions prior to Vista. However, on other systems, most people would blindly authorize ANY updates done through the Operating System's update client. Honestly, what percentage of people attempt to verify the update server is valid and the updates they are receiving are valid? Not many.
(that cannot be disabled by the end user)
I know it must be fun to state lies, but please stop already.
Well, there is the difference that Debian machines don't automatically download software from the Debian servers.
But yes, any kind of updating service which is hacked poses a severe security threat. But then.. turning on your computer poses a threat in itself. And the greatest threat is sitting 40 centimeters from the monitor.
NOTHING ///
My machine uses RPM (yum or up2date) to install packages.
The packages have to be SIGNED by a private GPG key before they will install.
The key that is required to sign the packages is not stored on the update server at RedHat.
SO .. if someone replaces the real packages with fake ones, nothing at all happens on my machine, other than I am told that these packages are not signed by the proper key.
SEE ... don't ask rhetorical questions when the answer makes you look bad.
True; this was raised from another point of view; what happens if someone can find how it works and attack the end user's machine from that vector - using an apparently 'legitimate' open door whereby WU can be updated to point to an illegitimate source and thus gain the ability to deploy false updates which are actually anything ranging from adware to spyware to viruses.
The issue I think which people forget, and you have raised in your post, is this; the issue isn't necessarily privacy per se but how this 'technology' can be exploited.
It is very easy to remedy. You simply have the updater update itself when you check for updates.
The updater informs the user about the need for the update every time a manual update check is attempted, they have to do it to use the current update system.
Simple. Very simple. No need to do anything automatically.
Of course, I think automatic updates ( auto-download-install ) is The Dumbest Idea Ever(R).
--The loon
But it can't check for updates without the updater update. In 3 of the 4 settings, the updater automatically checks for updates, which is when you say it's OK for it to update itself.
The 4th setting, according to some people, doesn't automatically update the updater anyway.
The fourth approach will however result in Windows Update being updated automatically the moment you manually launch Windows Update. There will be a message with BIG LETTERS stating that it is checking to see you are running the newest version. I can't remember the exact wording now, but WU is updated the first time you run it manually after an update of WU is available.
If this was normal surely it would have happened before, perhaps it is my memory but I can't remember any other instance of it happening.
Aside: Has anybody with the updated files tried to use a 3rd party updates service such as Windiz Update yet?
http://windowsupdate.62nds.com/
"If this was normal surely it would have happened before, perhaps it is my memory but I can't remember any other instance of it happening. "
-------------------
According to the Microsoft blog, Windows Update has been like this since the introduction of XP, and has updated itself many times in the past.
http://blogs.technet.com/mu/archive/2007/09/13/how-windows-update-k...
Just to reinforce what dylansmrjones is saying, according to the Microsoft blog, a user can set Windows update to one of four settings: "1) Install updates automatically, 2) Download updates but let me choose whether to install them, 3) Check for updates but let me choose whether to download and install them, and 4) Never check for updates", and that Windows Update components themselves auto-update for all settings except setting (4). The reason, as stated in the blog, is that if the user is using Windows Update at all, even just to check if updates are available, then the client-side Windows Update components must be kept in sync with the server-side components. According to the blog, the Windows Update components do NOT update themselves if the user completely turned off Windows Update, that is for setting (4).
The earth-shattering story that was reported yesterday is that someone found that Windows Update components were updated for settings (2) and/or (3). But according to the Microsoft blog, "This has been the case since we introduced the automatic update feature in Windows XP. In fact, WU has auto-updated itself many times in the past."
The Microsoft blog also says that this does not affect those that use WSUS or SMS rather than Windows Update, so IT departments are still in complete control of the OS updating process.
The only issue here is that Microsoft should have more clearly disclosed that Windows Update components do update themselves for settings (2) and (3) (that they would update themselves for setting (1) goes without saying). But I'm not sure how to do that in a user friendly manner, because there is such a thing as "too much information" for a normal user to absorb. Probably just add a link to the Windows Update control panel that says "Click here for more information" that refers to a web page explaining in detail what the process is. I doubt normal users care; IT staff would care, but they probably already know and/or are using WSUS or SMS rather than Windows Update, in which case they wouldn't be affected anyway.
I don't think that if the user has set Windows Update for settings (2) or (3) that they should be notified every time that Windows Update components themselves need to be updated, and given the chance to deny that operation. I think it's just too much info and would make setting (2) and (3) too cumbersome for users. But I know that many tech geeks like to know everything that is going on, so they would feel differently about it. But if Microsoft did change Windows Update to allow the user to reject updating Windows Update components for settings (2) and (3), such an option must be accompanied by a big loud warning saying that if the user does reject updating the Windows Update components, then the Windows Update setting will change to setting (4). (I doubt many that intentionally chose settings (2) or (3) would go for that, which is why I think such an option is a waste of time for both Microsoft and the user.)
If you want more details, be sure to read the MS blog.
BTW, the term "stealth" that I saw bandied about yesterday (and sadly, today on osnews) is sensationalistic, as the event logs show exactly what Windows Update component files were updated and exactly when that update took place. A "stealth" update wouldn't record any logs for the event.
Edited 2007-09-14 17:32
Whilst the log exists, the real issue is that on closed source OS, you still don't know actually what has been changed. All you know is some filenames, but that doesn't actually prove anything.
I personally see only a small difference between the stealth update, and accepting an update. Either proves nothing about what code and functionality was actually changed in the update.
Ergo, this article blows things well out of proportion.
"The only issue here is that Microsoft should have more clearly disclosed that Windows Update components do update themselves for settings (2) and (3) (that they would update themselves for setting (1) goes without saying). But I'm not sure how to do that in a user friendly manner, because there is such a thing as "too much information" for a normal user to absorb."
Yeah, if you're a clueless Windows user...
Oh, please, this is just ridiculous. What's so damn hard about saying that the Windows Update process will update itself at those 2 settings. It's not rocket science to explain that.
Better yet, it shouldn't do it. What's so hard about putting in a notification system that says you need to update the Windows updater. If you can set the system to notify you only, notify that WU needs to be updated.
Some people just want to bend over backwards to excuse any stupid thing Microsoft does.
There is one problem with your scenario.
The Windows Update servers don't send anything out. They don't contact clients. It is the clients that contact the servers. As such Windows Update is only a little more insecure than gentoo Portage, FreeBSD ports or Redhat repositories. Unless of course you have turned automatic updates/automatic downloads/notification on. It is easily fixed though. Turn off WU and launch Windows Update the first Tuesday every month.
Windows Update cannot run unless it has Administrator rights.
And it doesn't do anything in stealth mode unless you put it in stealth mode.
If you configure your gentoo box to automatically update (a cron-job) itself without notifying the running User you would have the same situation.
gentoo does not ask for the root password. It just fails to run because of missing rights (just like Windows Update)
- unless it is configured to allow the user to run it as normal user. I don't recommend that. Use sudo, please.
In pre-Vista Windows a Limited User Account (or Restricted User Account) cannot run Windows Update. A user cannot even receive notifications. The problem stems from most users running XP with Administrator rights. Imagine that!
WTF!? Anything to backup THAT claim?
My machine cannot connect to anything when no users are logged-in. And Windows Update does not run at all when the logged-in user does not have Administrator Rights. At least that is true for pre-Vista Windows.
I have several XP boxes behind a Firewall One firewall with content filtering turned on. And if the article is true then the versions are on there and no one has been logged in to this computer for quite some time and no admins for sure. We use SMS to do our updates and have not installed this one. Through GP we have turned off AU because we use SMS.
\\rvail\c$\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll 7.0.6000.381
WU does not work when the logged in user does not have Administrator rights.
You can try for yourself. Log on to Windows Update with a LUA (RUA in Win2K and Win2K3). It fails. It fails even with a power user.
I'll have to check it to be sure, but it'll have to wait. I'm not in the mood for rebooting (into Windows).
Microsoft owns your copy of Windows so they can do pretty much what they want to it. It's beside the point that the updates NEED to be done, but people don't want to be force-fed by a spoon from them.
For the Windows users, it's like it or lump it and you should be used to it by now. Windows users just put up with it and moan and it's always the way.
Hmm... all my programs run fine as Restricted User.
Of course Installers need to run with Administrator rights. Use "Run as..."
Oh, and yes. Players utilizing DirectShow-filters need to run as Administrator to work (almost) flawlessly.
Apart from that I only have one application (from 1997) that doesn't work properly. That has been fixed by giving my normal user read+write permissions for that application's folder in "Program Files". I have another one which needs extra permissions to run, but it is not installed since changes in the XML-format on Hattrick.org have rendered the application useless.
Everything else works correctly. Only admin tools require Administrator rights, and rightly so.
On Tuesday AM, out of the blue, my copy of Vista self-destructed when MS "determined" I wasn't using a legitimate copy. This was with a pre-installed OEM version on an HP laptop I purchased a few months ago; hence, no activation required. Yet, I woke up one morning and logged in to a screen telling me my version of Windows Vista had an invalid activation key and that I could just go and bugger off because it wasn't going to let me do anything.
In fairness, it was reasonably quickly resolved with a call to the MS activation hotline, but why the f*ck should I have to call MS for permission to use my computer when they randomly decide to shut it down? Particularly when it was purchased on a system to avoid activation headaches? It really irks me because the main reason I use Windows is for work, and it would have been really fricking embarrassing to show up at a customer site for a training preso with a locked laptop because MS had a hiccup.
As far as I'm concerned, MS needs a little more scrutiny on this from legal authorities. I'm still bitter. But it underscores the fact that users do need to realize that as long as they are connected to the internet, they have no true idea of what is occurring communication-wise between their system and Microsoft.
edit: typo
Edited 2007-09-15 02:31 UTC
In this scenario, only the update software is being updated without user notification and not the system itself. That really isn't a big deal.
To be honest, I wish the Linux distribution I use had some sort of automatic check for updates mechanism. I have to do it manually from command line everyday.
What distro are you on? If you mentioned that, you would have had a solution already. I use adept notifier, which adds some stuff to /etc/apt/apt.conf.d so I can just change the values to auto check and download. Combine that with anacron so the machine doesn't need to be on at update time, and life is very good.
It checks (apt-get update) and downloads (apt-get upgrade -d) without installing anything, then the adept-notifier pops up a little thing in the lower right of the screen, and I can install quickly when I want to without waiting for the download.
It seems Vista runs on a need to know basis...
Sometimes my hard drive is thrashing away and I don't have a clue why. I'm not doing anything, so why is Windows? I have the knowledge to install process watchers and HD activity monitors but I want an OS that keeps me informed at all times what's happening in the background. That does not mean it has to throw all that info in my face but I should be able to get a low down on what exactly is happening at any given time I choose to know.
"Sometimes my hard drive is thrashing away and I don't have a clue why. I'm not doing anything,"
Would you rather it be thrashing your drive while you're *using* the machine?
Vista will adapt to your usage patterns and try to do background stuff whenever it thinks you're not using the machine.
He didn't say he was not using the machine. He said he was not doing anything at the moment.
When the drive starts thrashing and Winblows is doing its "cloak&dagger" stuff, you can't use the machine because it's not responsive.
That's what Microsoft claims. You worked on Vista and have access to the source code that does that to back up that claim?
Microsoft makes a lot of claims, none of which are true though.
And in practice when using the OS it's very easy to see that. As the poster said about the disk thrashing for no reason at all, and many can confirm that, myself included (yes, I work on Vista regularly too).
So no, Vista doesn't adapt to anything and it most certainly does not think. It just barely runs if you don't ask it to do too much.
GG, insert coin to play again Jason.
There you have a botnet that can take down COUNTRIES.
What freakin' difference does it make whether the update is automatic or not? Have you ever manually scanned each and every bit of every package update on your Linux machine? Whether it automatically updates or you manually tell it to update, either way, if the server is hacked you're going to get screwed.
Oh, wait, most Linux update services use signed packages? Unless you're telling me the Microsoft updates aren't signed, that's still irrelevant - Linux updates (manual or otherwise) would still be just as dangerous as any Windows automatic update - which would be "not very dangerous at all."
Unless of course the build servers for package updates are hacked, but then, I'm willing to bet that Microsoft's build server network has a more secured setup for that than any Linux distribution. Microsoft's build servers aren't community accessible, for one.
I've had Linux machines die after a bad manual update. Manual updates guarantee nothing at all, except that the updates are less likely to get applied in a timely manner, if at all. (Almost every Linux server I've worked on as a contractor never had any updates applied to it until I came along. Wouldn't be a problem if they were automatic. Except, wait, binary compatibility is EVIL and only good for proprietary software, and has nothing to do at all with being able to safely update a live system and expect all of its existing self-compiled/installed software to keep working.)
The difference between automatic, and tell me the updates so I can say yes is that it allows me to determine when to install (in case of a kernel update that requires a reboot or glibc update that requires daemons to be restarted) and I can look at what is about to happen so that if the update borks the machine, I have a chance of knowing what actually broke things, making recovery easier.
Oh, wait, most Linux update services use signed packages? Unless you're telling me the Microsoft updates aren't signed, that's still irrelevant - Linux updates (manual or otherwise) would still be just as dangerous as any Windows automatic update - which would be "not very dangerous at all."
Ummm, Linux distro maintainers are TRUSTED by their users, Microsoft IS NOT trusted by anyone (can you spell ANTITRUST?)
You'd most likely lose that bet.
Was the source code to Win2k not stolen a few years back?
Besides, Microsoft treats its network as a bank, Linux distro sites are like community centres, yet they still managed to be VERY secure and trustworthy.
Well, that's a good testament to the quality and security by design of Linux. You can have a server running without any updates for a long time and it stays secure and running well without any updates.
Install Windows without any updates and it's hacked in like what, 15 minutes?
BTW, I took off a point off your post because you posted a rant without thinking. Hopefully you're not doing that when working as a "contractor" on Linux servers.
It's operational.
I had a client call me fifteen minutes ago. His workstation PC rebooted after this update. Then he can't remote login and his email didn't run in the morning, so his email isn't ready for him to read when he gets in.
If Microsoft didn't have this idiotic necessity to reboot every damn time it modifies the OS, it would be a lot easier to recommend automatic updates.
This is why you never do automatic updates on a server.
But it can be a problem even on a workstation.
First, Microsoft signs just about every binary they produce. If you've ever downloaded a Word doc from Microsoft's site, sometimes you used to find that it was wrapped in a self-extracting EXE. This was done solely so that they could put a digital signature on it. Obviously the private keys used for Windows are very tightly guarded and they are not likely to be on the Windows Update servers. Likely they are only available on the machines that do "Official" builds of Windows (a small, tightly-controlled set of machines).
WU updating itself automatically when enabled is an interesting decision. I bet there was a long discussion about this at some Windows group meeting before they came up with a consensus to accept this behavior. The choices are twofold:
1) Only inform the user of a single update (the WU update) and potentially require two update check/install cycles to fully update the machine. Pros: user gets full control of _every single_ update to his or her machine. Cons: A user has no idea how many updates they will actually get when a WU update comes out and may not notice further updates stuck behind the WU update.
2) Current behavior. Pro: Having a single update cycle makes it less likely that a user will fail to notice important updates after the WU update. Con: User loses control of the machine with regards to updates to WU itself. Mitigation: WU components should have pretty much no application compatibility or stability impact on the rest of the system.
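Added example, not code from this thread or from Microsoft's or Red Hat's tooling: a Go model of the point made in both the RPM/GPG post ("if someone replaces the real packages with fake ones, nothing at all happens") and the last post on Microsoft's code signing keys not being on the Windows Update servers. The manifest format, the use of Ed25519 in place of GPG or Authenticode, the file name wups2.dll as a label, and all file contents are assumptions for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists the files an update ships and the SHA-256 of each payload.
// It is produced and signed on the build machine; the update server only hosts it.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // file name -> hex SHA-256
}

// SignedManifest is what the client downloads: manifest bytes plus a detached
// Ed25519 signature made with the signing key that never leaves the build machine.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var ErrBadSignature = errors.New("manifest signature does not verify against the pinned publisher key")
var ErrHashMismatch = errors.New("payload is unlisted or its hash differs from the signed manifest")

// BuildRelease runs on the build machine that holds the private key: it hashes
// every payload, serialises the manifest and signs it.
func BuildRelease(priv ed25519.PrivateKey, version string, payloads map[string][]byte) (SignedManifest, error) {
	m := Manifest{Version: version, Files: map[string]string{}}
	for name, data := range payloads {
		sum := sha256.Sum256(data)
		m.Files[name] = hex.EncodeToString(sum[:])
	}
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyRelease is the client-side check, run before anything is installed. The client
// pins only the publisher's public key, so a server that swaps payloads or re-signs with its own key fails here.
func VerifyRelease(pub ed25519.PublicKey, sm SignedManifest, payloads map[string][]byte) (*Manifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return nil, err
	}
	for name, data := range payloads {
		sum := sha256.Sum256(data)
		if want, ok := m.Files[name]; !ok || hex.EncodeToString(sum[:]) != want {
			return nil, fmt.Errorf("%w: %s", ErrHashMismatch, name)
		}
	}
	return &m, nil
}

// RunScenarios plays out the thread's question: the update server is taken over, but the
// signing key never lived there. It reports whether the genuine release is accepted and
// whether each tampered release is rejected for the right reason. File contents are constructed.
func RunScenarios() (genuineOK, swappedRejected, forgedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher key pair, kept off the server
	if err != nil {
		return
	}
	genuine := map[string][]byte{"wups2.dll": []byte("constructed stand-in for the real client binary")}
	release, err := BuildRelease(priv, "7.0.6000.381", genuine)
	if err != nil {
		return
	}
	_, verr := VerifyRelease(pub, release, genuine)
	genuineOK = verr == nil
	// Scenario 1: the server swaps the payload but can only serve the original signed manifest.
	swapped := map[string][]byte{"wups2.dll": []byte("constructed attacker-replaced binary")}
	_, verr = VerifyRelease(pub, release, swapped)
	swappedRejected = errors.Is(verr, ErrHashMismatch)
	// Scenario 2: the server builds a matching manifest and signs it with a key it generated itself.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // failure of crypto/rand is not modelled here
	forged, err := BuildRelease(rogue, "7.0.6000.381", swapped)
	if err != nil {
		return
	}
	_, verr = VerifyRelease(pub, forged, swapped)
	forgedRejected = errors.Is(verr, ErrBadSignature)
	return
}
```

The scenario the thread worries about (a compromised mirror) only gets past this check if the signing key itself leaks, which is why keeping it off the update servers is the part that matters.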