Stealth Windows updates without user permission or notification.
(This is a somewhat old story.) I left a comment on Bruce Schneier’s cryptogram blog on his article about how Microsoft Windows Update was found to be updating even in the event where the user had turned off automatic updates. The article is located here.
Adrian Kingsley-Hughes reported the secret updates on ZDNet. Nate Clinton, PM for Windows Update, responds on his blog.
My comment on Bruce Schneier’s blog is below:
After a careful reading of Adrian Kingsley-Hughes’s ZDNet article and Nate Clinton’s (PM for Windows Update) blog response on this, I’d have to say that MS is in the wrong, for this point:
The silent update was (I assume from Clinton’s blog) so that WU itself can continue to function and notify the user of future updates. They seem to have made the assumption that the user wants WU updated so they can continue to receive update notifications. The problem is that users who select “2) Download updates but let me choose whether to install them” or “3) Check for updates but let me choose whether to download and install them” are EXPLICITLY saying that every update, no matter how crucial, should be subject to their discretion, not Microsoft’s.
Think about it: I assume most Grandpa J. NewUsers have “1) Install updates automatically” set because they don’t understand the technology or have an implicit trust in MS. The people who set to have WU notify them before downloading/installing have that set for a reason, be it for controlled testing environments or system stability or whatever. Selecting the notify-first option is not the choice the “just make the computer work”-user makes. They want to be notified before ANY changes, and understand the risks of not immediately updating.
The fact that Clinton himself states that (“of course”) the WU client is not silently updated for WSUS or SMS enterprise customers shows that they realize the merit of my above point.
So unless my premises are flawed, the WU team’s decision was perhaps expedient but dead wrong. It is very troubling that their software does the exact opposite of the user intention, especially during a time when DRM and so-called anti-piracy systems are increasingly pushed as “necessary security features”.


I had thought that everybody was overreacting, but having just read this, I agree with you.
Comment on September 30, 2007 @ 3:16 am
Great find, bravo. If we didn’t have people like you sticking their necks out and pointing these things out I don’t think we would have gotten out of the dark ages.
Thank you.
Comment on September 30, 2007 @ 9:12 pm
There are very real risks that will spin off from this approach that many need to understand a lot better!
See http://www.pcprofile.com/Microsoft_Stealth_Updates.pdf
Comment on October 3, 2007 @ 4:47 am
Hey Al, great site. Keep on posting.
Comment on October 6, 2007 @ 5:40 pm
Hey Al, your video “Why Is Evolution So Unpopular?” is not working. I watched all the others, I want to see that one as well.
Rob
Comment on October 9, 2007 @ 4:44 am
Stick to the atheism and other interesting issues more, leave all the FUD and anti-DRM 3rd grade whining to tech sites, Al.
Comment on October 10, 2007 @ 12:12 pm
Hey Josh,
Am I to depend on you for critical exposition of problems such as Al touched on? Sorry, “dude”, “like, no way!”. I mean, it’s like, dude, you don’t have any, like credibility man.
ROTFLMAO! Josh, Al has more credibility than you will ever have. Why are you so troubled by Al’s comments? Leaving it to the tech-sites, huh? Thought so…
Comment on October 13, 2007 @ 10:06 pm
Something in me dies when my paranoias are justified.
Comment on October 18, 2007 @ 12:09 am
Haha, flamer.
Excellent points, I’m glad someone can bring them forth to the general masses.
Josh: You do realize you are speaking to someone who has a vested interest in computer code and network security, yes? The tech sites are no more or less qualified than any industry professional.
Comment on May 29, 2008 @ 5:30 pm