Microsoft has released a toolkit to let businesses block service pack updates for Windows XP, Vista and Server 2003. Although service packs – particularly in the case of Vista – are keenly awaited by many users, some businesses prefer to test the packs before upgrading to assure compatibility with existing hardware and applications.
You need extra non-standard-issue software for a Windows system to be able to stopper the Windows Update backdoor.
Why would you need this if you had Windows Update turned off and it wasn’t actually a backdoor and installed stuff anyway despite your settings?
Why is it apparently being offered only to businesses?
Why does it let you block updates only for a limited time? Why can’t you just say “no thanks” permanently?
Whose Windows machine is it, anyway?
Edited 2007-12-10 23:19
All the software does is let you set a single registry value — the same one as set by the Windows Security Center control panel, apparently — in a way that it’s easy for administrators of large networks to do it remotely and en masse.
And ‘offered only to businesses’? There’s a Download button…
EDIT: A more informative link is included in the article:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d7c9a07a-5…
Edited 2007-12-10 23:38
What good is that? We have already seen that Windows Update can ignore what you have set it to, and just install stuff without your permission to do so. What good is a blocker that doesn’t block? What good is a blocker that can only block for a limited time?
Further – why is it apparently necessary for a large company with a site license to change this setting on all machines? Why can’t they run their own “Windows Update” server for just their own machines, and put on that server only updates they have tested?
Certainly if a company had a large number of Debian or Ubuntu machines installed, they could easily run their own local repository on a server from where all their machines were updated.
“Further – why is it apparently necessary for a large company with a site license to change this setting on all machines? Why can’t they run their own “Windows Update” server for just their own machines, and put on that server only updates they have tested? “
They can, see:
http://technet.microsoft.com/en-us/wsus/default.aspx
It seems “thou doth protest too much”!
Edit: BTW I’m a UNIX admin, but I thought pretty much all IT people knew about WSUS?
Edited 2007-12-11 00:01
This is indeed the way I thought that my own machine at work was set up by my company.
So, I get back to the question … what exactly is the point of this “update blocker toolkit”?
The right tool to control update roll-outs appears to be WSUS. We have already seen that settings on Windows clients don’t actually block Windows Update despite what they are set to. So tell me again what is the purpose of this toolkit?
Not all servers or installations can afford the time or cost of running a specialized server just to handle what the OS already does. Public education, for instance.
The OS doesn’t manage to do it. Some Windows Updates can get installed without asking, despite what you tell the OS to do in respect of updates. This has been documented to happen in at least one incident in the past.
Now we apparently have an offer of a “Windows update blocker tool” that still doesn’t block updates.
“Now we apparently have an offer of a “Windows update blocker tool” that still doesn’t block updates.”
Do you know that for sure? Past performance does not necessarily indicate future results…
So I guess we’ll have to wait and see if the SP blocker indeed blocks SP installation. No reason to believe it won’t. Just like the next Xorg update from Ubuntu. I’m sure I’ll install it without much concern, even though in the past it has ‘hosed’ my system.
No, I don’t know for sure. I am just going on what the Windows cheerleader Almafeta said: “All the software does is let you set a single registry value — the same one as set by the Windows Security Center control panel, apparently”.
Since there has already been at least one well-documented and admitted instance of a Windows Update ignoring that selfsame registry setting, then if what Almafeta claims is true, then this new “update blocker tool” still won’t actually block updates.
Ha!
You have been using a reference to “That one time” in every post to this thread. Even if you assume that wasn’t a costly bug (like most professionals think it was), what would be the point of Microsoft risking billions of dollars of yearly income (both first-run sales and corporate support contracts) and reputation in the home user’s eyes (much harder to get back, and not exactly invincible) by pulling such a bone-headed move?
Not to mention that that kind of secret backdoor to install software on a user’s computer would be illegal (at least under US law, but as Microsoft is a US-based company, that’s the one that counts most).
Reiterating this ‘back door’ line as if it becomes more true with each telling isn’t adding anything to the conversation. If you’re going to skewer MS/Windows, then there are plenty of actual concerns to skewer it on — this article isn’t about one of them.
I think you are missing the point entirely.
There was a software package for desktop search that was somehow (most likely inadvertently) marked in such a way that the Windows Update clients on end users’ machines (and even some servers apparently) installed it automatically without asking for permission. It just went straight on to the machines, regardless of the setting in the registry.
OK, so that one instance proves that the mechanism exists. Windows Update can install, at the system level, stuff that it has downloaded from the Internet without asking you, the owner of the machine, for permission to do so.
That is established. Just one instance of this actually happening is enough to establish that it can happen. Microsoft has done nothing since to remove that backdoor … so even if it is not an intentional backdoor, it still exists.
I don’t think so.
Read the Windows EULA. It says, does it not, that you have agreed to let Microsoft install stuff at Microsoft’s discretion … you have given them that right.
Edited 2007-12-11 02:52
You are confusing EULA’s with legally binding contracts. Just because something is in the EULA does not mean it’s legal.
LOL?
You actually believe the sheeple will think less of MS because they install updates without asking? Newsflash: if the sheeple actually had some demands, they’d not be running an antiquated piece of hardware sucking malware.
“So, I get back to the question … what exactly is the point of this “update blocker toolkit”? “
First of all, it just adds a registry entry “DoNotAllowSP” to stop ‘Service Pack’ updates not *all* updates.
Maybe someone at a smaller company would deploy it because they don’t use WSUS, or for laptop/mobile users so when they log in outside of the corporate network they don’t ‘accidentally’ install the Service Pack, or maybe the Vista user implemented the OEM BIOS hack and wants to use Vista for another year for free (or another hack surfaces?). There are probably many scenarios where it would be useful. It’s just another tool Windows users could deploy.
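For admins who want to verify (rather than assume) that the blocker’s registry value is actually present across a fleet, here is an added audit script; it is not part of the thread and not Microsoft’s toolkit. The thread only names the value `DoNotAllowSP`; the key path `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` used below is an assumption (the policy location the Windows Update group policies write to), as is the host list and the availability of PowerShell remoting on the targets.

```powershell
# Added example (not from the original thread or from Microsoft's toolkit).
# Reports whether the DoNotAllowSP policy value is set on each host and,
# with -Enforce, sets it to 1 so that Windows Update will not offer a
# Service Pack. Other updates are unaffected, as the thread notes.
#
# ASSUMPTIONS (not stated on the page):
#   - the value lives under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
#   - WinRM / PowerShell remoting is enabled on every host in -ComputerName
#   - the default host list below is a placeholder
param(
    [string[]]$ComputerName = @('localhost'),   # placeholder host list
    [switch]$Enforce                            # set the value instead of only reporting
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$valueName = 'DoNotAllowSP'

# Runs on each remote host; returns one object per host for easy reporting.
$audit = {
    param($key, $name, $enforce)

    # Missing key or value simply yields $null here, which we treat as "not blocked".
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    if ($enforce -and $current -ne 1) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        $current = 1
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        SPBlocked = ($current -eq 1)
        RawValue  = $current
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit `
    -ArgumentList $policyKey, $valueName, $Enforce.IsPresent

# Hosts with SPBlocked = False are the ones still eligible to receive the Service Pack.
$results | Format-Table Computer, SPBlocked, RawValue -AutoSize
```

Run it without `-Enforce` first to get a read-only inventory; the machines reporting `SPBlocked = False` are the ones where the value is absent or not 1. Keep in mind the article’s own caveat that the blocker is time-limited, so this audit is worth re-running after the blocking period, and that for a network which already runs WSUS (as another reply points out) approving updates server-side is the more complete control.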
The setting in the Windows registry that this tool sets doesn’t actually stop Windows Update from installing some updates without asking. This has been shown to be the case by an incident some months ago where a desktop search tool was installed by Windows Update without asking permission, despite what the Windows registry was set to.
Therefore, the question remains. What actual good is this “Windows Update blocker” tool supposed to achieve … since it doesn’t actually block updates?
The automatic Microsoft Search installation only happened because of a mistake with the WSUS updates. It did not affect non-WSUS updated computers.
The SP update blocker is designed for non-WSUS environments.
Sigh!
Why does everyone have such a huge disbelief on this topic, and such blind and unjustified faith in Microsoft?
I saw that some of my earlier posts have been marked down … posts which were on topic, factual and contained no insults or jibes to anyone. Sigh!
Anyway, for those people who do not have hands over their ears and eyes on this topic, FWIW:
Part of the story surrounding the “automatic Microsoft Search installation” incident that eventually came out and was fully admitted by Microsoft was that “updates to Windows Update install automatically without asking permission”.
If any given package is simply marked as an “update to Windows Update” then this “SP update blocker” which is the topic of this thread will not actually block it.
Nowhere have I seen any indication, or even a claim made by Microsoft, or any claim of any checking done by anyone or any client software anywhere, that a package marked (accidentally or otherwise) as being an “update to Windows Update” is necessarily guaranteed to be in actuality an “update to Windows Update”.
Windows Update is therefore a backdoor to Windows systems, and Microsoft admitted as much.
http://www.windowssecrets.com/2007/09/13/01-Microsoft-updates-Windo…
There you are. Research. How about that.
Supplied expressly for: Mr. Doubter, Thomas, and the three monkeys.
Edited 2007-12-12 03:02
So you’re changing the goalposts and NOW complaining that a SERVICE PACK installer blocker will not stop updates to the Windows Update package? This is not a Windows Update Update blocker, but a SERVICE PACK install blocker.
No, not a bit of it. Use your imagination.
You are confusing “apparent intention behind the code” with “what the code allows”.
Point (1) : Windows Update accepts some updates and installs them without asking permission, regardless of the settings in the registry.
That point is established.
Point (2) : Microsoft themselves admit point 1, and they claim it does this for “updates to Windows Update”.
This is just a claim. We don’t actually know how the entry into Windows identified at point (1) actually knows if a given update is an “update to Windows Update” or any other type of normal update, such as a SP.
Point (3) : It is not known how, or even if, Windows Update identifies updates to itself. Microsoft hasn’t said. Maybe some packages are just simply marked as such.
Point (4) : In one such recent “update to Windows Update” a desktop search tool was included. This was probably accidental … but it stresses the point that the correct identification of “updates to Windows Update” can, and on this occasion did, fail.
Point (5) : Point 4 indicates that such things as SPs, if incorrectly identified (either intentionally or not, either incorrectly or not) by Windows Update as updates to itself, would be automatically installed without asking permission regardless of the registry settings.
Point 5 on its own makes Windows Update itself a backdoor.
Point (6) : Even if the mechanism of points 4 & 5 does not apply, then since things identified somehow as “updates to Windows Update” are allowed in by the backdoor, then this fact alone could be used to “bootstrap” a full service pack via that backdoor. All that would be required by such a “bootstrap” process is to first update Windows Update … opening the door wider. Then send the service pack to the relaxed Windows Update, and finally send another “update to Windows Update” to restore original Windows Update code and cover your tracks.
So, even if Windows Update is shown not to be a direct backdoor, it is certainly a bootstrap backdoor.
Finally, I ask once again: “Why does everyone have such a huge disbelief on this topic, and such blind and unjustified faith in Microsoft? “
Edited 2007-12-12 11:12
Hint: This is a matter of the type of Windows Update package being correctly “labeled” on transmission and/or “identified” on receipt.
There is at least one incident on record where Microsoft got this wrong. It was probably accidental, or if you like unintentional … but it was still wrong. Windows Update misidentified the type of update somewhere in the process of sending it out or deciphering it on receipt.
IOW, a service pack can be misidentified as an “update to Windows update” package. Such a thing is possible, and a similar thing has already happened.
BTW, if it is possible to accidentally get it wrong, and you figure out how you got it wrong, it is also then possible after that to do it again … to deliberately get it wrong.
Edited 2007-12-12 14:06
Granted, but the point of the service-pack blocker is to stop CORRECTLY MARKED packages from being installed. Unfortunately, it is very difficult to write software that is 100% tolerant of user error.
IOW, a service pack can be misidentified as an “update to Windows update” package.
There is no evidence that this could happen; I’m sure that MS internal processes are good enough to prevent such an obvious error.
Let’s analogize the point that you are making:
People die in aeroplane crashes. People die in cycling accidents. So someone invents a crash-helmet to help prevent cycling deaths. Your logic would claim that crash helmets are pointless because they wouldn’t significantly reduce the danger of dying in an aeroplane crash.
There is the thing … you would think that, wouldn’t you? Apparently, however, misidentification, or perhaps bundling incorrectly or some similar error, of the desktop search program co-mingled with an “update to Windows Update” was apparently exactly the problem that caused the recent incident.
So in actual fact, not only is there evidence that it could happen, in reality it actually did happen. You can’t get more solid “evidence” than that.
…
Not quite. My point is that there is a vulnerability in Windows Update. It is a backdoor. Microsoft should fix it (by removing the hole whereby some types of updates get installed without asking for permission). Microsoft seem very reluctant to do this … so one has to ask is this because Microsoft actually WANT there to be a way for them to automatically install software without having to ask the machine owner’s permission? Their EULA does, after all, specifically mention this possibility …
My point is also about vulnerability of literally billions of computers worldwide:
(1) they are relying on Microsoft not to make a mistake with Windows Update, or they could all inherit a vulnerability or even crash.
(2) the key with which Microsoft signs Windows Update packages is by many orders of magnitude the most valuable single piece of information on the planet. Let’s hope Microsoft’s internal security is up to the task of stopping it from being copied … or even sold to the black market.
(3) If there ever was a key worth cracking, the signing key to Windows Update has got to be it.
Just on point 3, considering that cracking keys is a mathematical problem that adapts well to parallel computing, if you were a hacker organisation, you might think about a way to “collect” a large number of machines together to have a go at cracking this key, so that you could sign your own nasty software as being an “update to Windows Update” and send it out to an unsuspecting world.
http://en.wikipedia.org/wiki/Botnet
… oh, wait.
Edited 2007-12-12 23:28
You are mistaken. The Windows Desktop Search was installed by a complicated mistake that had nothing to do with Windows Update updates. It was an operating system patch update. It was only installed through WSUS, and only if the original patch had been authorised by the administrator in the first place.
Meh. Take that with a grain of salt, I would.
Nevertheless, it was still a mis-identification, and it was still a mistake in Microsoft’s output for Windows Update.
The main point stands: “My point is that there is a vulnerability in Windows Update. It is a backdoor. Microsoft should fix it (by removing the hole whereby some types of updates get installed without asking for permission). ”
http://www.windowssecrets.com/2007/09/13/01-Microsoft-updates-Windo…
Once you can update Windows Update without having to ask for permission, you can then of course “bootstrap” any change you want into a Windows system without having to ask permission.
Can you offer a reason why Microsoft refuse to close this backdoor? Other than that Microsoft would prefer to have a backdoor, of course.
Edited 2007-12-13 12:27
Of course, but then why bother releasing a SP blocker at all if you are going to then force everyone to upgrade? This is a courtesy utility that Microsoft are releasing to help people out; your trolling about other [very real] issues with Windows Update is just pointless.
This is a matter of opinion.
Personally, I can’t see the point (other than misleading PR) of releasing what turns out to be simply a convenience (as you say, a courtesy) allowing you to make a registry setting across multiple machines, and calling it an “SP Update blocker” … when there is a known backdoor in your update system anyway.
Surely this is focussing on the trivia and ignoring the elephant in the room.
The elephant in the room being “why don’t Microsoft fix the Windows Update backdoor instead of stuffing around with trivia”?
If you and others repeatedly accuse me of “trolling” about this important issue, and others repeatedly try to deny the issue … then perhaps I should (trying to remain polite here) point out to you that your behaviour looks to me very much like “deflection”.
Hey, look at the wookie, pay no attention to that man behind the curtain … that type of stuff.
Why would you need this if you had Windows Update turned off and it wasn’t actually a backdoor and installed stuff anyway despite your settings?
Maybe some people want to keep Windows Update on Automatic mode to silently install all updates but at the same time skip SP1.
Edited 2007-12-11 05:27
Would it kill you to do some damn research for once before trolling a story?
When it comes to topics surrounding Microsoft, this is you:
http://en.wikipedia.org/wiki/Three_wise_monkeys
http://en.wikipedia.org/wiki/See_No_Evil%2C_Hear_No_Evil
I’ll take that as a “Yes, it would kill me”.
No. It was a “I did the research already … see above”.
http://www.windowssecrets.com/2007/09/13/01-Microsoft-updates-Windo…
Edited 2007-12-12 13:52
This is hilarious! You must install some software from your software maker to prevent it from updating itself!
Anyway, I can prevent my BIND from updating to version 8 if I want in my Gentoo anytime, without special tools (_if_, _if_ I want to!)
News like that remind me how lucky I am!
No, that’s not correct, and the article didn’t really clear up the confusion, either. This isn’t a “non-standard tool”; in fact, it’s merely a group policy editor that allows administrators of networks to easily and transparently deploy a single registry key — the same one used by the Control Panel | Windows Update applet — which controls Windows Update. So, for example, when you log into your domain at work, your admin can prevent your machine from downloading updates. This policy editing mechanism is available for a WIDE VARIETY of system configuration options. It doesn’t apply specifically to Windows Update.
I think the point which the author of the post you were replying to is trying to get at is this: why does one need to install a special piece of software to stop updating which should never have been set up to auto-update? Sure, I can understand in the situation of consumers, but for enterprise, you’d think that in the case of Windows, it would be set by default not to automatically update.
I can’t believe that in a company which has 79,000 employees, there isn’t the common sense nous to work out that in a large organisation the IT staff need to test patches before deployment – not necessarily to outright stop updates, but so that they can get on the buzzer to third parties if there are issues. It’s like a domino effect: an update is released, and if something changes, then without adequate testing before deployment within an organisation, it could mean millions of dollars of downtime that could have been avoided.
I think the point which the author of the post you were replying to is trying to get at is this: why does one need to install a special piece of software to stop updating which should never have been set up to auto-update?
SIMPLE: Some companies may allow end users to perform Windows Updates on their own (I’ve seen virtual workers with laptops who were able to do this). The company may not want them to be able to install a full service pack from Windows Update. This tool disables the ability to install the service packs but still allows the usage of Windows Update for other software patches.
Sure, I can understand in the situation of consumers, but for enterprise, you’d think that in the case of Windows, it would be set by default not to automatically update.
Windows is set by default to ask you if you want Auto Update turned on or off; it’s been that way on every single install I’ve ever touched except in the case of an Enterprise image where the company has pre-configured the installation and auto-update was already disabled and WSUS configurations were on the machine.
Ok, I guess we all had some of our applications broken after an OS upgrade (whether Windows, Linux, MacOS, etc).
But Microsoft should be commended for their zealous work to try to support all those “archaic” software which can no longer run because they use undisclosed APIs and abuse the normal ones. (Come on they had a special “hack” in Win95 since simcity was mangling with the internal of windows memory management).
Since corporations do not want to upgrade $1000/seat software, just because the original developer won’t support it on a better platform, Microsoft has to do these dirty workarounds.
My $0.02
“Since corporations do not want to upgrade $1000/seat software, just because the original developer won’t support it on a better platform, Microsoft has to do these dirty workarounds.”
If MS didn’t have to do these dirty workarounds, we’d HAVE a better OS, so obviously it is the customers’ fault, not MS’s.
“If MS didn’t have to do these dirty workarounds, we’d HAVE a better OS, so obviously it is the customers’ fault, not MS’s.”
Well, it is not exactly like that
These “hacks” are application specific, and do not interfere with the rest of the system (except for more storage and maybe a few CPU cycles).
But you’re actually right that it’s the users’ fault. When there is a new Linux kernel and the NVidia driver breaks, everybody goes to NVidia (because the kernel devs’ answer would be “we did not write it – we cannot fix it”).
However when such a problem exists on Windows, people say “Vista breaks my games” instead of going to EA and telling “please fix your broken product, it no longer works on latest Windows”.
Actually, the vast majority of Linux drivers are open, and/or written by the community. This means that when the kernel breaks something, anyone with the knowledge and interest can, and will, fix the problem, not just the vendor.
When vendors refuse to publish their interface specifications, then that is not possible, so people go to the vendors and demand a public interface specification. It’s companies like NVidia who refuse to tell you how to use/interface with the product that you’ve just paid for who cause these problems.
“However when such a problem exists on Windows, people say “Vista breaks my games” instead of going to EA and telling “please fix your broken product, it no longer works on latest Windows”.”
Exactly. MS is to blame for a lot of things, but I am amazed at the level of compatibility they have managed to maintain over the years, and most of it is caused by this very reason, people blame MS instead of their software vendor.
Of course, the (free) alternative is to set the corporate DNS to return the ip of a local filtering proxy (or even localhost) whenever someone tries to get to “microsoft.com”.
I’ve done similar things locally. Works like a charm.
Even better: don’t use a system (like Microsoft Windows) that doesn’t give you any real choice, and treats your machine and data as the property of the company that made the OS rather than the property of those who paid for it. But I guess that’s still beyond most people yet.
I see what they are trying to do here.
They issue a block for windows updates for businesses as they assume the network admin will test all updates before rollout.
Therefore, the main floor is blocked while the updates are installed in a few test machines/networks to see if anything breaks before the block times out and the updates go on all the machines.
Good idea.
Every Windows Service Pack has a quite long Beta (and Release Candidate) test period. Certainly that period is long enough to iron out incompatibilities.
Why can’t companies use that time, instead of relying on tools like these?
Edited 2007-12-11 11:35 UTC
Too many permutations, for example…
Program A works perfectly with the update
Program B works perfectly with the update
Program C works perfectly with the update
A + B works
A + C works
B + C does not work
Now, multiply these 3 programs by the hundreds of thousands available, and you see no amount of beta testing time can cover all the different variations of programs running together.
And, this in no way counts the number of scripts that admins have to keep compatible…
Are probably breathing a sigh of relief.
some businesses prefer to test the packs before upgrading to assure compatibility with existing hardware and applications
This is a reality. Insurance Companies, for one, create many custom programs & apps. I worked at one large insurance company that wrote many for specific needs. While their programs worked as they should, migrating from Win95 to Win2K caused gruesome problems with the apps, forcing complete rewrites. Same thing happened when they wanted to upgrade to WinXP.
There were also times when [what was thought to be] simple updating caused many home-grown apps to fail.
The bottom line for these folks is $$$. If their apps don’t work, for whatever reason, they lose a lot of money and right away in many cases. Their wanting to control the update process is nothing new when many companies need to protect their interests.
Back then I asked if it would be possible to have MS certify their apps so they’d be able to get support for the updates, etc. They’d investigated this possibility and the fees MS would charge over the course of a 2-year deal were outrageous. It was far cheaper to hire a team of consultants to develop the apps & bring them back when necessary.
My 2 cents.
That is the fault of the ‘Insurance Companies’ for skimping on programmers. If your business relies on independently produced software, then you should damn well make sure that it is written by someone competent.
That is the fault of the ‘Insurance Companies’ for skimping on programmers.
I’ve worked with banks where network engineers routinely went out of their minds when Microsoft would put unpublished fixes in some of the patches. These folks went crazy when certain types of financial transfer scripts would be broken with no clear reason because of an undocumented action in an MS patch.
Ask anyone who’s been there and they’ll tell you that no matter how good the programmers are and how thorough the QA testing is, they’ll never catch everything all of the time. There are too many variables when dealing with closed source and MS.
I’ve written software and scripts that have survived service packs and MS OS upgrades, and understand the anxiety that accompanies hoping that your work will survive; however, I have never had any problems.
Perhaps if you provide an example, I will be able to properly explain the point I was trying to make.
The reason they are making this available is simply because some companies may allow end users to perform Windows Updates but they may not want an end user to install a full service pack.