Linked by Thom Holwerda on Thu 19th Nov 2009 23:22 UTC
Windows Earlier this week, a senior National Security Agency official told US Congress that the NSA had worked on Microsoft's latest operating system, Windows 7. This spurred a flurry of rumours about the NSA building backdoors into Windows 7, but Microsoft has today categorically denied these claims.
umccullough Member since:
2006-01-26

Microsoft have admitted in the past for XP that an "update to Windows update" can be pushed and installed silently on XP without Microsoft having to know any local machine password, regardless of user settings.

http://blogs.zdnet.com/hardware/?p=779

If Microsoft can silently update Windows update, then they have a backdoor. After silently updating Windows update Microsoft can always put it back again the way it was.


A backdoor that is easily thwarted by disabling the automatic update service?

To be clear, the updates aren't "pushed" in the sense that your machine is contacted by Microsoft and the updates are installed forcefully - they are pulled - by the automatic update service that can be disabled by the user manually if desired.

Edit: corrected service name

Edited 2009-11-20 02:23 UTC

Reply Parent Score: 2

lemur2 Member since:
2007-02-17

"Microsoft have admitted in the past for XP that an "update to Windows update" can be pushed and installed silently on XP without Microsoft having to know any local machine password, regardless of user settings. http://blogs.zdnet.com/hardware/?p=779 If Microsoft can silently update Windows update, then they have a backdoor. After silently updating Windows update Microsoft can always put it back again the way it was.
A backdoor that is easily thwarted by disabling the automatic update service? To be clear, the updates aren't "pushed" in the sense that your machine is contacted by Microsoft and the updates are installed forcefully - they are pulled - by the automatic update service that can be disabled by the user manually if desired. Edit: corrected service name "

Not that I use Windows, but anyway that is apparently not quite the whole story.

http://blogs.zdnet.com/hardware/?p=779

I can now confirm that the stealth Windows Update that I blogged about yesterday actually exists - because I’ve detected its presence on a machine at the PC Doc HQ.

At the PC Doc HQ we have several systems set not to update automatically. This is so that they are kept at a specific patch level for testing duties. Many of these systems are virtual machines but some are physical. When I heard about this stealth update I decided to take a look at one of these systems that don’t update automatically (it was set to download and notify) - and within seconds I found what I was looking for.

[UPDATED - Just to clarify, I can confirm that this stealth update was applied to systems where Windows Update was set to "Download updates but let me choose whether to install them" and "Check for updates but let me choose whether to download and install them" but not on systems set to "Never check for updates."]


I might also add that when I first read about this, that last quoted paragraph was not present, so the rider about 'but not on systems set to "Never check for updates"' is new to me.

Anyway, it seems that your choices are: (a) enable a backdoor to your Windows system, or (b) manually check for updates all the time yourself (in which case stealth updates would probably happen anyway once you had manually checked), or (c) don't update.

Reply Parent Score: 3

umccullough Member since:
2006-01-26

Anyway, it seems that your choices are: (a) enable a backdoor to your Windows system, or (b) manually check for updates all the time yourself (in which case stealth updates would probably happen anyway once you had manually checked), or (c) don't update.


There's a *huge* difference between setting the automatic updates setting, and disabling the service entirely.

If you're worried about someone slipping an update in that might open a door - then any system you use to install updates that you "trust" is just as fragile...

The only relatively sure way to prevent unwanted backdoors is to review the code and compile your OS yourself.

Reply Parent Score: 3
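
The difference discussed above between the Automatic Updates setting and the state of the update service can be checked on a machine. The following PowerShell is an added example, not part of the thread; it assumes a legacy Windows client (XP through 8.1) with Windows PowerShell 2.0 or later, and the function name `Get-RegValue` and the wording of the summary are this example's own.

```powershell
# Added example: report the Windows Update *setting* and the *service* state separately.
# Assumption: legacy client where the local setting lives in the "Auto Update" key.
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# AUOptions values and the Control Panel wording they correspond to.
$meaning = @{
    1 = 'Never check for updates'
    2 = 'Check for updates but let me choose whether to download and install them'
    3 = 'Download updates but let me choose whether to install them'
    4 = 'Install updates automatically'
}

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# A Group Policy value, when present, overrides the local Control Panel choice.
$source = 'Group Policy'
$au = Get-RegValue $policyKey 'AUOptions'
if ($null -eq $au) { $source = 'Local setting'; $au = Get-RegValue $localKey 'AUOptions' }
if ((Get-RegValue $policyKey 'NoAutoUpdate') -eq 1) { $source = 'Group Policy'; $au = 1 }

$label = if ($null -eq $au) { 'not configured' }
         elseif ($meaning.ContainsKey([int]$au)) { $meaning[[int]$au] }
         else { "other (AUOptions=$au)" }

# The service is independent of the setting: wuauserv is the Automatic Updates service.
$svc = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"

$summary = if (-not $svc) { 'Update service not found on this system.' }
    elseif ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running') {
        'Service disabled: the update client is not running and will not start on its own.' }
    elseif ($au -eq 1) { 'Service enabled, but the setting tells it never to check.' }
    else { 'Service enabled and allowed to check in: the client contacts the update servers.' }

New-Object PSObject -Property @{
    SettingSource = $source
    Setting       = $label
    ServiceState  = if ($svc) { $svc.State } else { 'n/a' }
    ServiceStart  = if ($svc) { $svc.StartMode } else { 'n/a' }
    Summary       = $summary
} | Format-List
```

The last case covers the two settings the quoted ZDNet update names as the ones where the client updated itself; the first two cases are the "Never check for updates" setting and the disabled service raised in the replies.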