Linked by Thom Holwerda on Fri 14th Sep 2007 14:02 UTC, submitted by tux68
Thread beginning with comment 271518
Personally I'm still not past the part about compromising the servers
You don't have to compromise the server ... you just have to spoof the client into believing that your data came from such a server.
Likewise, you don't necessarily have to be able to sign your data as Microsoft ... you just have to get WU to believe that it is so signed.
Tricks like these are the essential reason why it is a good idea to require manual input of credentials from a local user before any execute permissions are set. That requirement should ideally also be subject to audit ... it should be possible for end users to examine OS source code so as to assure themselves that execute permissions can only be set by them.
These are the reasons why any type of "automatic update without local user authorisation" is an utterly bad idea ... from an end-user perspective.
Edited 2007-09-15 13:42
How are you going to do that? The WU-servers NEVER contact the client.
It is always the client that contacts the servers, so in order to spoof the client you need to compromise the servers - or hack the User's ISP or somehow get control over the User's internet connection. OR replace the WU-client, in which case you already have access to the core of the User's system.







Probably as easy as signing as Redhat I assume.

Personally I'm still not past the part about compromising the servers