Confirmation of stealth Windows Update

[Dravic]

Zdnet info on the matter..


Looks like MS thought it would be a good idea to update software on PC that have automatic updates turned off.

I dont know how they thought this would be a good idea. THe EULA may give you the right to change the OS, but not to access my network without my permission.
Is egress filtering blocking microsoft the next step we are going to have to take. This just aint right.

Already considering they idea that this xp 64 install would be my last as vista hasn't wowed me. This isnt helping their case any.

 

[stash]

It's FUD.

It doesn't update itself when set to off. And when not set to off, it will update, and this is nothing new. It's been doing that for a long time.

http://blogs.technet.com/mu/ar...itself-up-to-date.aspx

 

[Dravic]

Originally posted by: stash
It's FUD.

It doesn't update itself when set to off. And when not set to off, it will update, and this is nothing new. It's been doing that for a long time.

http://blogs.technet.com/mu/ar...itself-up-to-date.aspx

You should learn the definition of FUD.

No offense, but that explanation doesn?t fly.

Why not have the client just notify the end use that an update is available, even if it?s just for the client side updater? People are under the assumption that when I set windows update to inform me that updates are available, that is all it?s going to do. If I wanted it to go ahead and use my network and my cpu cycles automatically I would have said so.

Try this:

?You version of windows update is no longer current, would you like to update now??
?Failure to update the windows client could leave your system at risk.?

Doesn?t seem too difficult to me.

This is not a minor issue. All this is going to do is force people to shut off the service completely, and begin to require manually patch downloads instead of web updates.

Voting was at 94% that this is wrong?.. It doesn?t look like many people were aware that the option to ?inform? me of updates actually means to update my computer.

 

[stash]

The FUD I was referring to was the popular sentiment on the web today that AU updates itself when AU is turned off. This is false.

The reason it doesn't offer the update is a chicken and egg problem. If you offer the update and people decline, they will never get ANY updates.

 

[Smilin]

Originally posted by: Dravic

Originally posted by: stash
It's FUD.

It doesn't update itself when set to off. And when not set to off, it will update, and this is nothing new. It's been doing that for a long time.

http://blogs.technet.com/mu/ar...itself-up-to-date.aspx

You should learn the definition of FUD.

No offense, but that explanation doesn?t fly.

Why not have the client just notify the end use that an update is available, even if it?s just for the client side updater? People are under the assumption that when I set windows update to inform me that updates are available, that is all it?s going to do. If I wanted it to go ahead and use my network and my cpu cycles automatically I would have said so.

Try this:

?You version of windows update is no longer current, would you like to update now??
?Failure to update the windows client could leave your system at risk.?

Doesn?t seem too difficult to me.

This is not a minor issue. All this is going to do is force people to shut off the service completely, and begin to require manually patch downloads instead of web updates.

Voting was at 94% that this is wrong?.. It doesn?t look like many people were aware that the option to ?inform? me of updates actually means to update my computer.

I give you 8/10 on drama and flair.


You missed a 10/10 with this statement:
"This is not a minor issue. All this is going to do is force people to shut off the service completely, and begin to require manually patch downloads instead of web updates."

It should have read:
"OMFG Microsoft is the Borg and they are assimilating your computer so you have to shut off automatic updates and instead do them one at a time entered by hand in binary while an MS minion whips you."

See? 10/10 baby!

 

[Dravic]

guess its not going away as fast as MS would like.

apparently we should just fall back in line.

 

[Canterwood]

Originally posted by: Smilin
I give you 8/10 on drama and flair.


You missed a 10/10 with this statement:
"This is not a minor issue. All this is going to do is force people to shut off the service completely, and begin to require manually patch downloads instead of web updates."

It should have read:
"OMFG Microsoft is the Borg and they are assimilating your computer so you have to shut off automatic updates and instead do them one at a time entered by hand in binary while an MS minion whips you."

See? 10/10 baby!

1/10 for trying to sweep the issue under the carpet and your pathetic attempt to ridicule the OP for having genuine concerns.

Installing files without the users consent is WRONG in many people's eyes.
Whether these files are critical or not, there should be some warning to let the user know whats going on.

 

[Smilin]

Originally posted by: Canterwood

Originally posted by: Smilin
I give you 8/10 on drama and flair.


You missed a 10/10 with this statement:
"This is not a minor issue. All this is going to do is force people to shut off the service completely, and begin to require manually patch downloads instead of web updates."

It should have read:
"OMFG Microsoft is the Borg and they are assimilating your computer so you have to shut off automatic updates and instead do them one at a time entered by hand in binary while an MS minion whips you."

See? 10/10 baby!

1/10 for trying to sweep the issue under the carpet and your pathetic attempt to ridicule the OP for having genuine concerns.

Installing files without the users consent is WRONG in many people's eyes.
Whether these files are critical or not, there should be some warning to let the user know whats going on.

1/10 for reading comprehension.

If you turn off automatic updates nothing updates. Period. End of FUD.


If you turn on automatic updates it means **you actually wish to get automatic updates at some time in your life** then the auto-updater must keep itself updated in order to even check to see if updates are available. Once this is done it respects your wishes about which updates you want installed now, just downloaded, not installed etc etc etc..

If it didn't behave this way then the next 10 threads at AT would be about how everyone set auto-update to "notify" and now auto-update no longer works.

Spare me all the moral indignation and outcry. If you can think of a better way for MS to update a bajillion computers let's hear it. Live in the real world, people.

 

[MrChad]

Originally posted by: Smilin
If you turn on automatic updates it means **you actually wish to get automatic updates at some time in your life** then the auto-updater must keep itself updated in order to even check to see if updates are available.

Why is this? Why can't it just come down as a normal Windows update? I have Apple's Software Update utility installed to check for new versions of iTunes periodically. Recently, it notified me that a new version of Apple Update was available, so I installed it.

Microsoft's Windows/Microsoft Update ActiveX control doesn't update automatically; it notifies you that it needs to be updated the next time you check the Windows Update or Microsoft Update website.

It would be nice if Microsoft could explain why (specifically) the Automatic Update client must be stealthily updated in order to continue functioning.

 

[fierydemise]

The real problem with what Microsoft is doing is not that it is updating windows update but that these update occurred without telling the user, really Microsoft should have been more clear about what would have been happening and they wouldn't be in this mess to begin with. To fix this before it grows out of control and becomes the source of all manner of conspiracy theories they should issue an apolagy for the stealth updates and update Windows Update with a new option asking whether to allow Windows Update to update itself with the warning that not allowing Windows Update to update itself may prevent Windows Update from receiving future updates.

 

[Nothinman]

If you turn on automatic updates it means **you actually wish to get automatic updates at some time in your life** then the auto-updater must keep itself updated in order to even check to see if updates are available. Once this is done it respects your wishes about which updates you want installed now, just downloaded, not installed etc etc etc..

But that doesn't mean the automatic updater should ignore your request to be notified just because the update is for the updater itself. It's software just like any other and you should be notified just like you would with any other patch.

 

[mechBgon]

Here is a pic of my WinXP Automatic Updates panel:

http://pics.bbzzdd.com/users/mechBgon/duh.gif

Taking a look at the highlighted text, it says:

Turning on Automatic Updates

(meaning, selecting anything except the bottom Turn off Automatic Updates radio button)

...may automatically update Windows Update software first, before any other updates.

That seems easy enough to understand. Unless it's turned off, it may automatically update the Windows Update software. I believe this panel has been right there in Control Panel for the last 6 years for anyone to look at. And the initial choice of whether to enable Automatic Updates or not is presented to the user when WinXP is first fired up after sysprep, or during Windows XP Setup, depending on whether it's an out-of-the-box system or one that someone is installing Windows on from scratch.

In the corporate realm, if I were that worried about this (or even if I weren't worried about it at all, actually), I'd have my own WSUS servers so my boxes looked to my servers as the Windows Update server, rather than Microsoft's. At home, just click twice and Automatic Updates is turned off, if that's what you really want.

If people want to decide for themselves whether or not to let their Windows Update software be updated, then they should leave Automatic Updates turned off and just go to the Windows Update website periodically, where it will be up to them to accept or decline the updated version of the Windows Update software. If they decline, then they're going to have to manually download the updates they need and run the patches themselves.

 

[Nothinman]

That seems easy enough to understand. Unless it's turned off, it may automatically update the Windows Update software. I believe this panel has been right there in Control Panel for the last 6 years for anyone to look at. And the initial choice of whether to enable Automatic Updates or not is presented to the user when WinXP is first fired up after sysprep, or during Windows XP Setup, depending on whether it's an out-of-the-box system or one that someone is installing Windows on from scratch.

It probably has been but obviously no one's noticed until now. And that still doesn't explain why AU should be treated differently from the rest of the software on the machine. And this proves that even with AU set to download/ask before installing updates it's still possible for MS to push updates in behind your back if they want.

At home, just click twice and Automatic Updates is turned off, if that's what you really want.

It shouldn't be an ultimatum, if you tell AU to notify you about updates it should notify you about all updates including those to the AU client.

If people want to decide for themselves whether or not to let their Windows Update software be updated, then they should leave Automatic Updates turned off and just go to the Windows Update website periodically, where it will be up to them to accept or decline the updated version of the Windows Update software. If they decline, then they're going to have to manually download the updates they need and run the patches themselves.

I don't think I've ever seen the AU client mentioned on the website when grabbing patches, but I also can't say that I've read the text of every patch either. So I'm guessing that either WU doesn't update AU for you or it's also done behind your back.

 

[mechBgon]

It probably has been but obviously no one's noticed until now.

After selling as many copies as it has, I think someone must've noticed. It's a Control Panel applet and that text isn't buried in some obscure EULA that people skipped through.

And that still doesn't explain why AU should be treated differently from the rest of the software on the machine. And this proves that even with AU set to download/ask before installing updates it's still possible for MS to push updates in behind your back if they want.

Predictably, this topic now devolves into "well it should've this and it shouldn't have that" when the core issue has been addressed: not that it does this or that, but that it does this or that without people having received due notice that it's going to. Due notice is given when installing Windows or going through mini-setup, and is present in the Control Panel applet on an ongoing basis. I think what we really have here is the classic case of "assume" making you-know-what out of you-know-whom.

It shouldn't be an ultimatum, if you tell AU to notify you about updates it should notify you about all updates including those to the AU client.

As Smilin pointed out, if people did say "no," then they might as well disable it altogether and be done with it. Same effect: no updates from there on. And this isn't something like IE7 versus IE6, it's boring core OS files that check to see if you need updates for the latest MS software that didn't exist when WinXP was released. For example, Windows Update downloaded an update for Microsoft Network Monitor 3.0 a couple months ago for my system; I doubt that would be possible using the original Windows Update software.

I don't think I've ever seen the AU client mentioned on the website when grabbing patches, but I also can't say that I've read the text of every patch either. So I'm guessing that either WU doesn't update AU for you or it's also done behind your back.

Ever noticed that the minute you start downloading patches at Windows Update, the Automatic Updates yellow ! shield appears, stating that it's downloading patches? I believe they're one and the same, under the surface. Maybe one of the MS employees can verify that for you.

 

[Nothinman]

Predictably, this topic now devolves into "well it should've this and it shouldn't have that" when the core issue has been addressed: not that it does this or that, but that it does this or that without people having received due notice that it's going to. Due notice is given when installing Windows or going through mini-setup, and is present in the Control Panel applet on an ongoing basis. I think what we really have here is the classic case of "assume" making you-know-what out of you-know-who.

Yes, when people click "Notify me before installing updates" they rightfully assume that it applies to all updates not only to updates to MS thinks they should be notified about.

As Smilin pointed out, if people did say "no," then they might as well disable it altogether and be done with it. Same effect: no updates from there on.

Which shouldn't be the case, older versions of WU should still be able to download updates.

And this isn't something like IE7 versus IE6, it's boring core OS files that check to see if you need updates for the latest MS software that didn't exist when WinXP was released. For example, Windows Update downloaded an update for Microsoft Network Monitor 3.0 a couple months ago for my system; I doubt that would be possible using the original Windows Update software.

It sure as hell should be possible with original WU, updating the available software catalog and determining if you've got something installed isn't exactly rocket science.

Ever noticed that the minute you start downloading patches at Windows Update, the Automatic Updates yellow ! shield appears, stating that it's downloading patches? I believe they're one and the same, under the surface. Maybe one of the MS employees can verify that for you.

Can't say that I have.

 

[stash]

Ever noticed that the minute you start downloading patches at Windows Update, the Automatic Updates yellow ! shield appears, stating that it's downloading patches? I believe they're one and the same, under the surface. Maybe one of the MS employees can verify that for you.

Yes, the WU website uses the AU service. If the service is disabled, the website will throw an error telling you to turn on the service. Note that this is different from Disabling AU through the control panel. In that case, the service is still running, so you could still manually update through WU.

 

[mechBgon]

Yes, when people click "Notify me before installing updates" they rightfully assume that it applies to all updates not only to updates to MS thinks they should be notified about.

Except it says plain as day that if it's turned on, it may automatically update the Windows Update software, just like it has since 2001. If it didn't say that, maybe the complaint would have some merit.

The rest is a rhetorical discussion which everyone is welcome to mire themselves in at their leisure if they want to.

I'll just add that the sub-title of this thread, "This can't be good," is pretty myopic... with the number of poorly-secured home computers in the world falling prey to the botmasters nowdays, ANYTHING that helps keep them updated gets an automatic +5 on its Goodness.

 

[Nothinman]

Except it says plain as day that if it's turned on, it may automatically update the Windows Update software, just like it has since 2001. If it didn't say that, maybe the complaint would have some merit.

It's called the principle of least astonishment, when I say "notify me about all updates" I expect to be notified about all updates, not all except whatever MS decides not to notify me about. And the fact that people are talking about it now means that that text obviously wasn't enough because people didn't notice it. I know I've never noticed it when setting up the few Windows boxes in the past.

The rest is a rhetorical discussion which everyone is welcome to mire themselves in at their leisure if they want to.

No doubt, but that's sort of the point. If MS can push through WU updates without any notification what's stopping them bypassing notification for any other updates?

I'll just add that the sub-title of this thread, "This can't be good," is pretty myopic... with the number of poorly-secured home computers in the world falling prey to the botmasters nowdays, ANYTHING that helps keep them updated gets an automatic +5 on its Goodness.

Yes, but I don't see why WU has to be special-cased. On all of my boxes I know about every single update that comes in, the package manager, kernel, etc are handled no differently from any other package on the system. And I remember reading somewhere that Apple does the same thing, Update Notifier (or Manager or whatever it's called) updates are exactly the same as any other package so why does MS feel the need to be different?

 

[stash]

And the fact that people are talking about it now means that that text obviously wasn't enough because people didn't notice it. I know I've never noticed it when setting up the few Windows boxes in the past.

No, the only reason people are talking about it is some sensationalist "journalist" wrote a piece full of FUD to generate ad clicks.

I'm curious what people want here. Do you want a dialog popping up that says "I'm about to update AU for you, but since we can't trust you to install this yourselves and since it is required for your machine to receive ANY updates, you won't have the option to decline this update. Would you like to proceed? Yes/Cancel (but do it anyway)"

 

[Nothinman]

No, the only reason people are talking about it is some sensationalist "journalist" wrote a piece full of FUD to generate ad clicks.

Well unless that journalist started this thread too then there's at least 1 other person who didn't know about this until now.

I'm curious what people want here. Do you want a dialog popping up that says "I'm about to update AU for you, but since we can't trust you to install this yourselves and since it is required for your machine to receive ANY updates, you won't have the option to decline this update. Would you like to proceed? Yes/Cancel (but do it anyway)"

AU should be updated like any every other piece of software handled by AU and the AU servers should provide compatibility for down rev'd clients so that you can still get updates if you don't install the AU updates. There should not be a way for MS to "do it anyway".

 

[mechBgon]

AU should be updated like any every other piece of software handled by AU and the AU servers should provide compatibility for down rev'd clients so that you can still get updates if you don't install the AU updates.

Don't you think that might make it a bit complicated to support a userbase of... whatever, hundreds of millions of Windows PCs?

Well unless that journalist started this thread too then there's at least 1 other person who didn't read what was right in front of their face when they clicked the option of their choice.

More accurate?

 

[Pabster]

I don't like the stealth update, but I understand why they did it.

Most users aren't bright enough to avoid Internet Exploder let alone understand that they need to update the updater!

 

[Nothinman]

Don't you think that might make it a bit complicated to support a userbase of... whatever, hundreds of millions of Windows PCs?

They manage to maintain compatibility with software 20 years old so designing a decent network protocol should be simple for them, right? The complicate part would be all of the local "figure out what's installed" code and AFAIK those methods don't change with AU updates, getting the list of what's available could be as simple as using HTTP to get a file like APT does.

More accurate?

Sure, but that doesn't change the fact that MS essentially has a backdoor into every PC running WU whether it's set to automatically install patches or not.

 

[mechBgon]

Most users aren't bright enough to avoid Internet Exploder let alone understand that they need to update the updater!

I use IE7 on Vista to hunt malware every day on known malicious websites. And on WinXP before that. It seems pretty decent to me :thumbsup: and also has enterprise manageability features that none of the challengers seem interested in offering. But you're welcome to use what you heard was better

 

[Pabster]

mech, I agree IE7 on Vista is a major improvement over IE6. The extra security Vista offers along with the improvements to IE7 have made it a much better platform.

That said, I don't use it regularly. I've been an Opera man for many years now.

I guess my point was that Joe Schmoe will never understand the concept of having to "update" the "updater" and problems will arise.