Linked by Thom Holwerda on Thu 19th Nov 2009 23:22 UTC
Windows
Earlier this week, a senior National Security Agency official told US Congress that the NSA had worked on Microsoft's latest operating system, Windows 7. This spurred a flurry of rumours about the NSA building backdoors into Windows 7, but Microsoft has today categorically denied these claims.
Thread beginning with comment 395566
Does a non-secret backdoor count?
by lemur2 on Fri 20th Nov 2009 01:54 UTC
lemur2 Member since: 2007-02-17

I also think it is highly unlikely Microsoft would put secret backdoors in Windows. Windows is probably the most prodded and tested piece of software out there, and the existence of a backdoor would get out quickly - and it would mean a devastating blow to Microsoft, especially in a world where, shall we say, the US isn't particularly popular.


How about a non-secret backdoor?

Microsoft have admitted in the past for XP that an "update to Windows update" can be pushed and installed silently on XP without Microsoft having to know any local machine password, regardless of user settings.

http://blogs.zdnet.com/hardware/?p=779

If Microsoft can silently update Windows update, then they have a backdoor. After silently updating Windows update Microsoft can always put it back again the way it was.

I haven't heard Microsoft ever claim that this backdoor was removed from either Vista or Windows 7.

PS: I don't believe there is anything malicious in this ... I just note that it exists.

Edited 2009-11-20 02:03 UTC

Reply Score: 6

umccullough Member since: 2006-01-26

Microsoft have admitted in the past for XP that an "update to Windows update" can be pushed and installed silently on XP without Microsoft having to know any local machine password, regardless of user settings.

http://blogs.zdnet.com/hardware/?p=779

If Microsoft can silently update Windows update, then they have a backdoor. After silently updating Windows update Microsoft can always put it back again the way it was.


A backdoor that is easily thwarted by disabling the automatic update service?

To be clear, the updates aren't "pushed" in the sense that your machine is contacted by Microsoft and the updates are installed forcefully - they are pulled - by the automatic update service that can be disabled by the user manually if desired.

Edit: corrected service name

Edited 2009-11-20 02:23 UTC

Reply Parent Score: 2

lemur2 Member since: 2007-02-17

"Microsoft have admitted in the past for XP that an "update to Windows update" can be pushed and installed silently on XP without Microsoft having to know any local machine password, regardless of user settings.

http://blogs.zdnet.com/hardware/?p=779

If Microsoft can silently update Windows update, then they have a backdoor. After silently updating Windows update Microsoft can always put it back again the way it was.

A backdoor that is easily thwarted by disabling the automatic update service?

To be clear, the updates aren't "pushed" in the sense that your machine is contacted by Microsoft and the updates are installed forcefully - they are pulled - by the automatic update service that can be disabled by the user manually if desired.

Edit: corrected service name"

Not that I use Windows, but anyway that is apparently not quite the whole story.

http://blogs.zdnet.com/hardware/?p=779

I can now confirm that the stealth Windows Update that I blogged about yesterday actually exists - because I’ve detected its presence on a machine at the PC Doc HQ.

At the PC Doc HQ we have several systems set not to update automatically. This is so that they are kept at a specific patch level for testing duties. Many of these systems are virtual machines but some are physical. When I heard about this stealth update I decided to take a look at one of these systems that don’t update automatically (it was set to download and notify) - and within seconds I found what I was looking for.

[UPDATED - Just to clarify, I can confirm that this stealth update was applied to systems where Windows Update was set to "Download updates but let me choose whether to install them" and "for updates but let me choose whether to download and install them" but not on systems set to "Never check for updates."]


I might also add that when I first read about this, that last quoted paragraph was not present, so the rider about but not on systems set to "Never check for updates" is new to me.

Anyway, it seems that your choices are: (a) enable a backdoor to your Windows system, or (b) manually check for updates all the time yourself (in which case stealth updates would probably happen anyway once you had manually checked), or (c) don't update.

Reply Parent Score: 3