Confirmation of stealth Windows Update

[Dravic]

Originally posted by: mechBgon

AU should be updated like any every other piece of software handled by AU and the AU servers should provide compatibility for down rev'd clients so that you can still get updates if you don't install the AU updates.

Don't you think that might make it a bit complicated to support a userbase of... whatever, hundreds of millions of Windows PCs?

Well unless that journalist started this thread too then there's at least 1 other person who didn't read what was right in front of their face when they clicked the option of their choice.

More accurate?

I dont ever recall reading the warning within the AU CP applet. Probably becasue i was asked when the box was built and havent changed it since. There is no such warning there unless you are installing Vista.

I do how ever have a couple of issues with the warning as it is presently started.

"Turning on Automatic Updates may automatically update Windows update software first, before any other updates."

1. It implies that it will happen with the other updates, just that it will happen first if you have automatic updates on ( next point).. maybe thats just the way i read it.

2. Is my fault i guess, as i assume that the option "Notify me but dont automatically download or install them" means that the "Turning on Automatic Updates" part of the warning wouldn't not apply to me. MS obviously doesnt agree, and the notify me option is in fact turning on automatic updates.

I dont see how Notify me but dont automatically download or install them as an option, can be implied as turning on automatic updates.

94% of the people that viewed that blog thought the updates were wrong. And I'm not the only on in this thread that was unaware of the warning.

and this

with the number of poorly-secured home computers in the world falling prey to the botmasters nowdays, ANYTHING that helps keep them updated gets an automatic +5 on its Goodness.

is a VERY slippery slope i chose not to grease.


I guess my stance is this. I chose the notifiction option beacsue i didnt want anything automiactally installed on my computer. I didnt know that was subject to MS interpertation.

With this setting the MS Security Center, also in the control panel, clearly states. Automatic updates is set to download and install updates ONLY AFTER checking with you... so MS which is it?

 

[mechBgon]

I dont ever recall reading the warning within the AU CP applet. Probably becasue i was asked when the box was built and havent changed it since.

Well, if you were asked when the box was built, then you were asked.

94% of the people that viewed that blog thought the updates were wrong.

I bet 94% of them don't think IE7 might actually be more secure than their favorite alternate browser, either. If you want quality information, those venues are not the right place to look for it.

Bottom line, it's under your control, it has been the entire time, nobody made any sort of secret of it, it's been doing that on several hundred million computers for over 5 years, and it hasn't done you any harm despite the fact you didn't read what you were OK'ing. No offense, but this reminds me of this previous thread where someone freaks out because he used Encrypting File System and it did what it was designed to do: secure his documents from unauthorized access, come heck or high water.

 

[Nothinman]

Bottom line, it's under your control, it has been the entire time,

But it's not, if you say "Download updates but don't install them until I approve them" it installs updates without your approval. The only option is to disable AU completely which is idiotic.

No offense, but this reminds me of this previous thread where someone freaks out because he used Encrypting File System and it did what it was designed to do: secure his documents from unauthorized access, come heck or high water.

That's different because EFS wasn't doing anything behind his back, he just didn't know what encryption actually meant and that copying files to another NTFS drive keeps the encryption.

 

[mechBgon]

Originally posted by: Nothinman

Bottom line, it's under your control, it has been the entire time,

But it's not, if you say "Download updates but don't install them until I approve them" it installs updates without your approval.

Only the ones it says it will, right up front in sixth-grader language.

The only option is to disable AU completely which is idiotic.

How the AU system was designed is not really what the thread is about, so feel free to think it works in an idiotic way, but the topic is whether it does stuff that people weren't given due notice of. Maybe Microsoft needs to reword the notification, or make it more prominent somehow.

No offense, but this reminds me of this previous thread where someone freaks out because he used Encrypting File System and it did what it was designed to do: secure his documents from unauthorized access, come heck or high water.

That's different because EFS wasn't doing anything behind his back, he just didn't know what encryption actually meant and that copying files to another NTFS drive keeps the encryption.

Well... who turned AU on, so that it could do stuff behind our backs? Someone with Admin powers on the system, right?

 

[Nothinman]

Only the ones it says it will, right up front in sixth-grader language.

So they say.

How the AU system was designed is not really what the thread is about, so feel free to think it works in an idiotic way, but the topic is whether it does stuff that people weren't given due notice of. Maybe Microsoft needs to reword the notification, or make it more prominent somehow.

Actually it is since the "update crap behind your back" feature seems to be key to making it work. At the very least it needs to be made more prominent but designing it right in the first place wouldn't have required that notification at all.

Well... who turned AU on, so that it could do stuff behind our backs? Someone with Admin powers on the system, right?

That's irrelevant since everyone who buys a Windows machine is automatically granted Admin powers without any prerequisite tests, knowledge, etc.

 

[mechBgon]

In the interest of accuracy, here's what WinXP SP2 presents to the user during setup or mini-setup. I don't have XP RTM or XP SP1 to compare it to.

http://pics.bbzzdd.com/users/m...gon/update_options.jpg

So actually I was incorrect, it doesn't show the "this will update the updater" here. Then again, it doesn't present the intermediate options of "Notify Me First" or "Download, Then Ask Me," either, so I think that's a wash. The user who doesn't trust Microsoft's automatic updates will choose the "not right now" option. The one who does, will choose the other option. There is no way to get past this screen thinking you've got the "notify me first" or "download, but ask before installing" option turned on. To do so via the GUI, you'd need to go to the Control Panel > Automatic Updates applet.

That's irrelevant since everyone who buys a Windows machine is automatically granted Admin powers without any prerequisite tests, knowledge, etc.

The point is, it doesn't just fall from the sky. Someone has to choose to enable it.

 

[Dravic]

Looks like this is back in the news.

And who would of guess that these stealth updates may cause issues....

NO the NEVER happens....

Stealth updates break XP OS repairs

cliffs:
after XP repair the stealth update occur and borks windows updates, causing the 80 odd recommended updates to fail.

surely they tested this, i mean it was a benign update right...


oh yeah... so all those mon and pops out there that do repair installs because they dont have a good backup are really being protected here.. I'm mean its gotta be really secure using a repaired XP install that doesnt have 80 of the latest MS patches right...

But someone had to protect us against the hackers right?

but hey, maybe i'm just spreading FUD....

 

[Arkaign]

Originally posted by: mechBgon

Most users aren't bright enough to avoid Internet Exploder let alone understand that they need to update the updater!

I use IE7 on Vista to hunt malware every day on known malicious websites. And on WinXP before that. It seems pretty decent to me :thumbsup: and also has enterprise manageability features that none of the challengers seem interested in offering. But you're welcome to use what you heard was better

Bleh. I appreciate the tabs and improved security/management features of IE7, but I hate how slow it is on XP. It runs much better on Vista boxes (provided ram is not scarce). But Firefox + the freeware pre-loader = instant on web access. Not 4 seconds, not 2 seconds, not 1 second, but clickBAMit'sopen. For the past 9 months or so, I have become utterly tired of all of the windows patching, so I now run (on all my home and work boxes), WinXP SP2, no patches, no IE7, no media player update, nada from the Microsoft that wasn't on the SP2 disc to begin with. I take that back, I do install the .net service pack. I turn off the Windows firewall, and use tiny, along with KAV for AV. Not a single problem with virus/spyware/malware on any of them, but of course I'm not cruising dangerous sites either. It's also nice to run a system with less than 20 processes. I can open up an x264 1080p HD-DVD image with no discernible delay (.1 second?)with CCCP+Zoomplayer, which is cool. If I try the same thing with Media Player 11, it takes several seconds.

It's nice that so many great alternatives are out there. WMP, IE, OE, etc, are all very competent products, and Microsoft continues to impress me with great support and development as time goes on. For at least the near-future though, I'm not booting to my Vista drive, or using much of the pack-in software at all, for performance reasons.

On the issue of the 'stealth update', I agree with Stash and Smilin, it's not a big deal. It'd be a big deal if it were modifying user files or something out of the WU authority, but it's not.

Tempest in a teapot

 

[quikah]

Originally posted by: Dravic
Looks like this is back in the news.

And who would of guess that these stealth updates may cause issues....

NO the NEVER happens....

Great, so there is a bug in the update. Has happened before. MS will hopefully fix this.

But, lets go back to the original complaint. The big problem was that this update was installed without notifying the user. So, instead of the "stealth" update lets say MS notifies the user that an update for Windows Update is available. How does this prevent the screwed up restore? the user will click "Install the update" and they are in the same situation, unable to use restore.

 

[stash]

But, lets go back to the original complaint. The big problem was that this update was installed without notifying the user. So, instead of the "stealth" update lets say MS notifies the user that an update for Windows Update is available. How does this prevent the screwed up restore? the user will click "Install the update" and they are in the same situation, unable to use restore.

Yep. Home users don't test updates before they apply them, so I don't see how giving them the option to install it would help them. The only people who test updates before rolling them out are enterprises, who can already control when machines get WU updated, by using WSUS.

 

[mechBgon]

Originally posted by: Arkaign
For the past 9 months or so, I have become utterly tired of all of the windows patching, so I now run (on all my home and work boxes), WinXP SP2, no patches, no IE7, no media player update, nada from the Microsoft that wasn't on the SP2 disc to begin with.

Based on my observations :camera:, I'd suggest you also vet the system for vulnerabilities with Secunia's Personal Software Inspector and consider using a non-Admin user account on WinXP. And update the Microsoft stuff regardless of whether you intend to use it or not.

I take that back, I do install the .net service pack. I turn off the Windows firewall, and use tiny, along with KAV for AV. Not a single problem with virus/spyware/malware on any of them, but of course I'm not cruising dangerous sites either.

[/quote]

Kaspersky is good. No one updates faster or responds more quickly to malware submissions, and the heuristics in KAV7 take it up another notch (if you enable them, anyway). But it's still far from infallible in "right-now" detection of the malware the bad guys are using for any particular 20-minute window, so give thought to your other layers of defense. You might not think you cruise dangerous sites, but if a normally-safe site gets compromised, such as AnandTech Forums...? What's Plan B?

 

[Arkaign]

Originally posted by: mechBgon

Originally posted by: Arkaign
For the past 9 months or so, I have become utterly tired of all of the windows patching, so I now run (on all my home and work boxes), WinXP SP2, no patches, no IE7, no media player update, nada from the Microsoft that wasn't on the SP2 disc to begin with.

Based on my observations :camera:, I'd suggest you also vet the system for vulnerabilities with Secunia's Personal Software Inspector and consider using a non-Admin user account on WinXP. And update the Microsoft stuff regardless of whether you intend to use it or not.

I take that back, I do install the .net service pack. I turn off the Windows firewall, and use tiny, along with KAV for AV. Not a single problem with virus/spyware/malware on any of them, but of course I'm not cruising dangerous sites either.

Kaspersky is good. No one updates faster or responds more quickly to malware submissions, and the heuristics in KAV7 take it up another notch (if you enable them, anyway). But it's still far from infallible in "right-now" detection of the malware the bad guys are using for any particular 20-minute window, so give thought to your other layers of defense. You might not think you cruise dangerous sites, but if a normally-safe site gets compromised, such as AnandTech Forums...? What's Plan B?[/quote]

Thanks, Mech, I'll look into it. My plan B is my backup image, which is on 2 DVDs, containing my original XP load, drivers, and the handful of apps I use. I also have my data stored on a seperate drive that gets imaged nightly (onetouch auto-archiving, very simple). So, if Windows gets jacked, I'll just re-image my boot drive, and restore my data if necessary. So far, so good though, I have yet to see problem 1 on any of my boxes. I forgot, I also do the 'immunization' from Spybot about 1x a week, but don't know if that really helps much. I don't run the Spybot active process.

I run a PC shop, and it makes me sad how many people bring systems in with FULLY updated Norton or McAffee, but their system is crawling with viruses, spyware, and etc. I can't believe how bad those products are. They must survive on marketing alone, because their stuff is worse than useless. It downgrades your system, and then insults you by letting all the crap get on your system.

 

[heymrdj]

What are you honestly going to tell the 80 year old grandma's using a computer? Get your head out of your rear end and think about it. Every time AU needs to CHECK for updates it's going to have to ask a person if it can update the updater for these specific very complicated reasons of compatibility so it can see if there's any important updates it needs. All updates are needed to keep the darn hackers at bay..period..closed. I get sick of people brining a blaster infested computer to me, and they haven't updated the thing in years because "the tech guys said the updates are bloaty". Boo freakin hoo. You bought the machine and that OS, you set it how you freakin please. Either turn it off, and never get notified and live with your "faster" computer, until it's eaten by viruses anyway. Or turn the darn AU on, understanding that for everything to work, it may have to do a few things automatically to get what it needs. I mean...how big is a AU update people? Honestly. The AU system only uses idle processes and it's bandwidth use is negligable. In fact, I turned it off so they would actually download faster than a few hours because I hated a windows update take forever because it babied my connection. I can get them in a few minutes just by going to the site.

Games have been automatically updating their updaters for years people. Novalogic games have been auto updating their updaters since 1996. It almost always has to update the updaters to update the game. It's a fact of life. Get over it.

As to APT like I saw earlier. Why when i install a certain program should I have to update. Why should a program have to update it's compatibility? MySQL 1 applications should work seamlessly with 5. Well lets face it people, this is the real world, and taking all that damn time to backwards compatible all the crappy programs in the world is a load of bull. Update your updaters so it can keep a seamless ready loading set of files to update your computer, and live with it.

 

[mechBgon]

Thanks, Mech, I'll look into it. My plan B is my backup image, which is on 2 DVDs, containing my original XP load, drivers, and the handful of apps I use. I also have my data stored on a seperate drive that gets imaged nightly (onetouch auto-archiving, very simple). So, if Windows gets jacked, I'll just re-image my boot drive, and restore my data if necessary.

In today's world of keystroke loggers and such, that will not undo the damage. When you restore from your restoration discs, your stuff doesn't come back from Russia after it's been FTP'ed away. Your files don't become unencrypted after ransomware encrypts them and demands ransom for the decryption utility. Your eBay account doesn't de-fraud itself, your PayPal funds won't come back after being stolen, your World Of Warcraft stuff won't reappear after being stolen and auctioned, your game CD keys won't return after being blackmarketed. Maybe you just use Windows as an unimportant browsing terminal and never expose anything that would matter, of course.

So far, so good though, I have yet to see problem 1 on any of my boxes.

Using the typical keystroke logger as an example, what symptoms would you expect to see?

I run a PC shop, and it makes me sad how many people bring systems in with FULLY updated Norton or McAffee, but their system is crawling with viruses, spyware, and etc. I can't believe how bad those products are. They must survive on marketing alone, because their stuff is worse than useless. It downgrades your system, and then insults you by letting all the crap get on your system.

I can remark that McAfee seems to have lost the initiative really badly. I send them samples directly via Webimmune.net, and heck, at one point I had about 240 samples sitting there in the queue, all verified in-the-wild malware, and they were just dropping off the end of the queue because they were so old. Of course, what am I expecting them to do, analyze the malware? :roll: Oh dear, that would be difficult :roll: Right now they're busy ignoring a rootkit I submitted three times and a sizeable stack of Trojans and adware. If you can't get a vendor to detect malware by handing it to them on a silver platter... :frown: They need to either get it in gear or admit they don't belong in the home-user security market, IMHO.

/rant

 

[DasFox]

As long as XP has been out I've never done any updates other then installing service packs, and I've never had problems.

Most of the Windows updates are a waste.

 

[Schadenfroh]

Interestingly high amount of people using XP without updates......

Hopefully autoupdate is keeping most of you that do not run Windows (or Microsoft) update updated. You will get exploited one day and spend many hours repairing it (and possibly losing data). Some viruses use exploits do not even require much (if any) intervention on your part other than that you do not keep your system updated.... Much pain can be prevented by enabling autoupdate or just spending ~10 minutes once a month on patch Tuesday to update your system.

 

[stash]

Originally posted by: DasFox
As long as XP has been out I've never done any updates other then installing service packs, and I've never had problems.

Most of the Windows updates are a waste.

That's some twisted logic you've got there. Hopefully nobody will follow your lead.

 

[Genx87]

Are you kidding me? THis is a non-issue. All it is doing is updating windows update. Most likely updating the client to look for more options.

If you dont want these types of updates turn off windows update all together.

 

[Genx87]

Originally posted by: Nothinman

No, the only reason people are talking about it is some sensationalist "journalist" wrote a piece full of FUD to generate ad clicks.

Well unless that journalist started this thread too then there's at least 1 other person who didn't know about this until now.

I'm curious what people want here. Do you want a dialog popping up that says "I'm about to update AU for you, but since we can't trust you to install this yourselves and since it is required for your machine to receive ANY updates, you won't have the option to decline this update. Would you like to proceed? Yes/Cancel (but do it anyway)"

AU should be updated like any every other piece of software handled by AU and the AU servers should provide compatibility for down rev'd clients so that you can still get updates if you don't install the AU updates. There should not be a way for MS to "do it anyway".

This is silly, it is Automatic Updates. WTF is the problem? Honestly!

And no, MS shouldnt have to provide backwards compatibility for older AU clients. It adds time and cost onto the patching process. Either decide to update or get off the wagon.

 

[Genx87]

Originally posted by: Schadenfroh
Interestingly high amount of people using XP without updates......

Hopefully autoupdate is keeping most of you that do not run Windows (or Microsoft) update updated. You will get exploited one day and spend many hours repairing it (and possibly losing data). Some viruses use exploits do not even require much (if any) intervention on your part other than that you do not keep your system updated.... Much pain can be prevented by enabling autoupdate or just spending ~10 minutes once a month on patch Tuesday to update your system.

I heard some stats at a tech conference about some 70% of windows machines in the corporate world arent routinely updated. That is scary. I can only imagine it being worse on the home side.

 

[stash]

Originally posted by: Genx87

Originally posted by: Schadenfroh
Interestingly high amount of people using XP without updates......

Hopefully autoupdate is keeping most of you that do not run Windows (or Microsoft) update updated. You will get exploited one day and spend many hours repairing it (and possibly losing data). Some viruses use exploits do not even require much (if any) intervention on your part other than that you do not keep your system updated.... Much pain can be prevented by enabling autoupdate or just spending ~10 minutes once a month on patch Tuesday to update your system.

I heard some stats at a tech conference about some 70% of windows machines in the corporate world arent routinely updated. That is scary. I can only imagine it being worse on the home side.

Scary, yet not surprising. The number of orgs out there with NT boxes and no custom support agreement with MS is frightening. These are boxes that have not been patched in almost three years.

 

[Nothinman]

This is silly, it is Automatic Updates. WTF is the problem? Honestly!

AU shouldn't be an exception to the rule, exceptions are bad and should be avoided whenever possible. And for the tinfoil-hat people, if MS can push AU updates without confirmation what else can they updated without permission?

 

[Smilin]

Originally posted by: Nothinman

This is silly, it is Automatic Updates. WTF is the problem? Honestly!

AU shouldn't be an exception to the rule, exceptions are bad and should be avoided whenever possible. And for the tinfoil-hat people, if MS can push AU updates without confirmation what else can they updated without permission?

Read the dialog carefully. When AU is enabled, updates for AU itself will be sent out automatically. It does not say you will be notified like it says for other updates. It's simply a case of reading comprehension.

And yes, MS *could* push out lots of stuff without telling anyone. They'll won't because they'd catch hell for it. Look how much fuss is happening here when they tell people but some blogger doesn't read carefully enough.

 

[Nothinman]

Read the dialog carefully. When AU is enabled, updates for AU itself will be sent out automatically. It does not say you will be notified like it says for other updates. It's simply a case of reading comprehension.

Whether or not the dialog explains it or not AU shouldn't be a special case.

 

[VirtualLarry]

I have to agree with Nothingman here in this discussion. MS screwed up, plain and simple, and violated the user's trust. MS needs to make right in this situation, and so far, they haven't. Not a good sign. As MS-DRM gets more intrusive, it's not out of the question that they might perhaps "auto-update" their DRM subsystems without a user's consent either. And of course the predictable response from the MS camp is that the user agreed to such steath updating in the EULA. But that doesn't make it any less wrong.

The user should be in control of the PC. Period.

Violations of this deserve a severe repremand, IMHO.


MS breaking users computers when doing a restore install from CD just compounds the problems.



Also, I have a technical curiousity - if the user, during the install of XP SP2, says "Not right now", when prompted to enable auto-updates, the default selection of the dialog-box is set to some "limbo value", that leads to NONE of the available listed selections being selected in the control panel auto-update dialog box. Given this limbo setting state, will the stealth updates be installed?

Edit: PS. I disable MS's various auto-update background services when doing an install. Call me paranoid if you like, but crap like MS just pulled, doesn't happen on my systems.