Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stealthy Windows Update Raises Serious Concerns

Posted by Zonk on from the for-your-own-good dept.

UniversalVM writes "What is the single biggest issue that bothers open source advocates about proprietary software? It is probably the ability of the vendor to pull stunts like Microsoft's recent stealth software update and subsequent downplaying of any concerns. Their weak explanation seems to be a great exercise in circular logic: 'Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications.' News.com is reporting that all of the updated files on both XP and Vista appears to be in windows update itself. This is information that was independently uncovered by users and still not released by Microsoft."

15 of 362 comments (clear)

  1. So Windows Update Has Problems by dch24 · · Score: 5, Informative
    My biggest problem would be this list. One hundred and twenty three patches to reinstall Windows XP Service Pack 2 (with Office XP), which I plan to do for a long, long time. It really hurts someone like me when Microsoft decides to get rabies w.r.t. AutoPatcher.

    Here's the complete list to prove it (sorry for the lame formatting, it's Slashdot's lameness filter):
    • 001 WinGenuineCheck.exe
    • 002 WGAPluginInstall.exe
    • 003 WindowsInstaller-KB893803-v2-x86.exe
    • 004 KB898461 package installer.exe
    • 005 KB925902.exe 006 KB896423.exe 007 KB929338.exe 008 KB928255.exe 009 KB928843.exe
    • 010 KB927802.exe 011 KB924667.exe 012 KB927779.exe 013 KB918118.exe 014 KB926436.exe
    • 015 KB928090 cumulative ie update.exe
    • 016 KB931836 dst.exe
    • 017 KB929969.exe 018 KB923980.exe 019 KB926255.exe
    • 020 KB923694 cumulative outlook express.exe
    • 021 KB925398 windows media 6.exe
    • 022 KB923689.EXE
    • 022 KB923789 flash player 7.exe
    • 023 KB920213.exe 024 KB924270.exe 025 KB923414.exe 026 KB924496.exe 027 KB923191.exe
    • 028 KB924191.exe 029 KB922819.exe 030 KB922582.exe 031 KB916595.exe 032 KB919007.exe
    • 033 KB920685.exe 034 KB920872.exe 035 KB917422.exe 036 KB920670.exe 037 KB920683.exe
    • 038 KB914388.exe 039 KB911280.exe
    • 040 KB917734 windows media 9.exe
    • 041 KB914389.exe
    • 042 KB917344 jscript ENU.exe
    • 043 KB918439.exe 044 KB913580.exe 045 KB917953.exe 046 KB900485.exe 047 KB908531.exe 048 KB911562.exe 049 KB911927.exe
    • 050 KB911564 windows media player plugin.exe
    • 051 KB908519.exe 052 KB910437.exe 053 KB904706.exe 054 KB905749.exe 055 KB900725.exe 056 KB902400.exe 057 KB901017.exe 058 KB905414.exe 059 KB893756.exe 060 KB899591.exe 061 KB899587.exe 062 KB894391.exe 063 KB896358.exe 064 KB890859.exe 065 KB901214.exe 066 KB896428.exe 067 KB888302.exe 068 KB887472.exe 069 KB891781.exe 070 KB873339.exe 071 KB886185.exe 072 KB885836.exe
    • 073 KB925876 rdp 6.0.exe
    • 074 KB896344.exe
    • 075 KB885884 office.exe
    • 076 KB930178.exe 077 KB931261.exe 078 KB931784.exe 079 KB932168.exe 080 KB935448.exe
    • 081 KB927978 msxml4.exe
    • 082 KB923689.EXE
    • 083 OfficeXpSp3-kb832671-fullfile-enu.exe
    • 084 KB925673 msxml6.exe
    • 085 KB927977 msxml6.exe
    • 086 OGAPluginInstall.exe
    • 087 officexp-kb833858-client-enu.exe 088 officexp-kb837253-client-enu.exe
    • 089 officexp-KB925523-FullFile-ENU.exe 090 officexp-KB914796-FullFile-ENU.exe
    • 091 officexp-KB920816-FullFile-ENU.exe 092 officexp-KB920821-FullFile-ENU.exe
    • 093 officexp-KB929063-FullFile-ENU.exe 094 officexp-kb873379-fullfile-enu.exe
    • 095 officexp-KB905649-FullFile-ENU.exe 096 officexp-KB921594-FullFile-ENU.exe
    • 097 officexp-KB905758-FullFile-ENU.exe 098 officexp-KB923092-FullFile-ENU.exe
    • 099 officexp-KB894541-FullFile-ENU.exe 100 officexp-KB911701-FullFile-ENU.exe
    • 101 officexp-KB929061-FullFile-ENU.exe 102 officexp-KB904018-FullFile-ENU.exe
    • 103 officexp-KB913471-FullFile-ENU.exe 104 officexp-KB934394-FullFile-ENU.exe
    • 105 officexp-KB934453-FullFile-ENU.exe 106 officexp-KB934705-FullFile-ENU.exe
    • 107 WindowsXP-KB930916-x86-ENU.exe 108 WindowsXP-KB931768-x86-ENU.exe
    • 109 WindowsXP-KB927891-v3-x86-ENU.exe
    • 110 KB933566 cumulative ie6 update.exe
    • 111 KB929123 cumulative oe6 update.exe
    • 112 KB935839 kernel api.exe
    • 113 KB935840 schannel.exe
    • 114 kb937143 ie6 sp2.exe
    • 115 kb936181 msxml4.exe
    • 116 kb933579 msxml6.exe
    • 117 kb936782 wmplayer9.exe
    • 118 kb921503.exe
    • 119 kb936021 msxml3.exe
    • 120 kb938127 ie6 vml.exe
    • 121 kb938829 gdi.exe
    • 122 kb933360 dst.exe
    • 123 kb938828 explorer stop c0000005.exe
    1. Re:So Windows Update Has Problems by Anonymous Coward · · Score: 5, Informative

      Why don't you stop using Windows? I know that's not an option for everyone, but these days it's something you should consider. It's not like there aren't alternatives out there. There are! A Google search just turned up several blog posts that talk about Windows alternatives:

      Langa Letter: Exploring Windows Alternatives
      Avoid Windows Vista anti-piracy shenanigans by using BSD, OpenSolaris or Linux.
      Mac OS X Leopard vs Microsoft Windows Vista
      Dump Windows Update, use alternatives
      Alternatives to Windows Software

      I'm sure you could find a lot more information, too. So there's really no excuse for still using Windows, especially if there's really nothing keeping you from switching to one of the many alternatives.

    2. Re:So Windows Update Has Problems by NeverVotedBush · · Score: 5, Informative

      A few things to consider if you really would like to explore Linux - you can dual boot. You don't have to give up your Windows system to start checking Linux out. Linux can make room on your hard drive (assuming you have enough free space) and you can switch back and forth between them with just a reboot. (there are other ways too with virtualization but you can Google more info if that might interest).

      As for no guarantee your PC could even run Linux, just download and burn (or just buy) a "live CD". A live CD is a CD you just boot from and it boots your computer up in Linux. During boot it will check hardware and you can see for yourself if it finds everything natively. If it doesn't, keep in mind that you can search the web for whatever hardware and Linux and see if drivers might be available. You would be surprised how much hardware is well supported under Linux although there are holes. Another thing about a live CD - since it is running from the CD, don't be put off by the slowness. Running from the CD will be much slower than if it was installed. If you have a lot of RAM, it may not seem that slow but CDs are much slower than hard drives. All you are doing is seeing what it looks like and if/how it will run on your computer.

      As for Wine, it supposedly works pretty good but it may not support what you want to run. If you are wanting to run Windows programs under Linux, check out Crossover Office from Codeweavers. I use it to run Microsoft Office under Linux and it works perfectly. (I spend much more time now in Open Office though) So do a number of other supposedly Windows-only programs. But if you dual boot, you can always just run whatever you want under Windows but do your long haul stuff under Linux. You will probably be a lot safer doing anything requiring good security under Linux than under Windows. I never order anything online or do any financial stuff in Windows. It's just too risky.

      ANd about upgrading to run Linux - not necessary. If your computer was running OK with Windows, it will seem quite peppy under Linux. Windows is a memory and resource hog. Linux is not. Anyone with a computer that now can't run Vista ought to take a look at running Linux instead. They will get what feels like a new computer and get a very nice OS at the same time.

      And don't let the supposed complexity of Linux fool you and keep you away. It isn't that complex. In Windows you just can't do a lot of stuff or they make the decisions for you. In Linux, you can do pretty much whatever you want. In Linux, everything is file based. You have config files and such that you just edit to make changes. Nothing is hidden from you. A lot of the internals are best accessed on the command line once you get more familiar but you can also admin the machine from the GUI if you want. As you get more experienced, you'll want to learn the command line though - much more efficient and really easier. Or you can stick to the GUI and pretend you are just running a really stable and fast version of Windows. You don't have to dig into the guts of Linux if you don't want to. It's just that you can if you would like.

      But Linux is a lot easier to try out and use than a lot of people imagine. It's why it is growing so much in user base recently. Give a live CD a try and see for yourself. That's the best way to experience it.

    3. Re:So Windows Update Has Problems by marcansoft · · Score: 4, Insightful

      Wine Is Not an Emulator.

      The overhead of using Wine is very small. It is a thin layer on top of native Linux, and Windows itself isn't emulated. The difference between Linux and Windows is much more important with regard to performance. As it turns out, sometimes the Windows drivers are faster and sometimes the Linux drivers are faster. I've seen games run faster under Wine than under native Windows.

    4. Re:So Windows Update Has Problems by Phroggy · · Score: 5, Insightful

      I can't switch to Linux for several reasons. While my knowledge of Windows kernel is very little (actual code knowledge that is, I know nothing), I know even less about Linux. So while modern day Linux distros are all very GUI friendly and look similar to Windows, what if something went drastically wrong with it? I don't know nearly enough about Linux's command line system or anything. While I know a decent bit about DOS I've seen a small touch of Linux when I ran a Half Life 1 server on a Linux box for a mod. Using PuTTy into it was a pain cause all these strange Linux command line commands were no where near what I was used to. Linux has progressed a bit since then. Try Ubuntu 7.04; you can just boot from the CD and give it a try without touching your hard drive. For most things, you shouldn't have to touch a command line.

      Now the real kicker reason why I can't switch; I have no guarantee for my PC being able to use it. Like I said, try the live CD. There's no risk.

      While I'm sure I could find a distro that has decent drivers for my hardware, what am I to do about the PC games I play that do not have Linux ports? Now you've hit upon a potential issue.

      I could use some Linux emulation software like Wine right? I mean that's the easiest solution. Emulate Windows to run those must-have Windows applications. Well my PC is rather old. You figure in running Linux, plus emulating Windows, plus running a Windows based MMORPG where I normally got 20 fps on a PC, I doubt I'd get anywhere a playable state. While I'm sure some Linux distros themselves run faster, use less memory etc than Windows XP, having to run that and emulate Windows + Game probably negates any resources I had freed up from running Linux itself, if not making the game run even worse. Ah, but you're forgetting: Wine Is Not an Emulator. It's a reverse-engineered clone of the Win32 APIs, running natively on Linux. When you run a Windows game on Wine, the game is actually running natively, on your hardware, using Win32 API calls, just like it runs on Windows... except it's not running on Windows. So, there should be no performance hit at all, and memory usage shouldn't be any higher.

      (Disclaimer: I've never used Wine and have no idea what I'm talking about.)

      For some people, upgrading or buying a new PC simply so they can use Linux instead of Windows isn't an option. If I was going to shell out that much money, I'd go get another copy of Windows XP that has the current SP2 streamlined into the install to greatly reduce install and patch time. If I didn't play PC games that needed Windows, I might consider running Linux cause pretty much everything else I use can be used on Linux (Firefox, IRC, mp3 player, VLC, etc). Actually, many people switch to Linux because they have older hardware, because Linux tends to run on older hardware better than Windows does. As for getting a copy of Windows XP with all the current patches slipstreamed in, you'll have to pirate that - as another poster complained, there are a ton of patches you have to install, even if you start with an SP2 CD. They're releasing SP3 next year, but who knows whether it will even be possible to buy an XP SP3 CD anywhere; remember that they'd rather you switched to Vista.

      Anyway, not trying to argue; Linux probably isn't a good option for you right now. But try the Ubuntu live CD, and the next time you reinstall XP, consider repartitioning and setting up a Windows/Linux dual-boot. That way you can use Windows to get your work done and play your games, and fiddle with Linux in your spare time to see if you can get your games to run there. You said your main problem is that you don't know much about Linux; this would be a good way to do something about that.
      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    5. Re:So Windows Update Has Problems by cortana · · Score: 4, Informative

      This is because Ubuntu's installer is crap. Use their 'alternate install CD' and you get the original Debian installer, which will let you resize partitions to your heart's content.

    6. Re:So Windows Update Has Problems by Zonk+(troll) · · Score: 4, Informative

      OK, tax software. I'm Australian, and the tax office allow you to lodge online using their own application. I have found instructions to run the Java app under Ubuntu, but I had no success at all. You likely have GIJ set as the Java runtime, which is what Ubuntu (and Fedora, IIRC) does by default. This doesn't support Swing or much else, and has horrible performance. This can be fixed easily, though:


      sudo apt-get install sun-java6-jre sun-java6-plugin sun-java6-fonts
      sudo update-alternatives --config java
      (select the number that says "/usr/lib/jvm/java-6-sun/jre/bin/java")
      sudo gedit /etc/jvm
      (add /usr/lib/jvm/java-6-sun as the first entry)


      Now all Java should work properly.

      Cue VMWare player. Free, included in the packages for Ubuntu. I figured I'd use this until the ATO software can be installed in Linux (which I'm sure it can be). There's a way to create basic VMWare images using a QEMU which can then be saved as VMWare images. So a licensed version of windows 2000 went on for the sole purpose of doing my tax. This is my current project to make this thing run under Linux, an ongoing quest. Install VMWare Server. Ubuntu provides packages for it and to get it to work all you have to do is go to vmware.com and request a (free) license key for it. You can then create virtual machines easily. It rocks.

      You can also give VirtualBox a try. It works well and offers a "seamless" mode (Windows apps appear on the Linux desktop). The only downside to VirtualBox is licensing. The binary that's available is under their "Personal Use and Evaluation License", but they do provide an Ubuntu repository for it. There is a GPL version available that does the same things, but you have to compile it from source.

      At the moment I'm using both VMWare Server and VirtualBox OSE (the GPL version) equally.

      Paint shop pro, well, it wouldn't install using WINE, Buy CrossOver Office instead (there's a 30 day demo available). It's based on WINE, but actually works.

      Haven't figured out how to save alpha transparencies to PNG's yet. But it's doing it. Just save it as a PNG. Unless you index it first it will save the alpha transparencies by default.
      --
      "The Federal Reserve is a fraudulent system."--Lew Rockwell
      End The FED. -
  2. Not a big deal by ejdmoo · · Score: 5, Informative

    Just a bunch of people bitching for no reason, trying to generate traffic to their blogs. Let's see...

    The update only updated the Windows Update software itself, nothing in Windows.

    It did not update if you have automatic updates turned off.

    It did update if you had "Notify me" turned on. This is a point of contention, but MS says they needed to do the update to continue to notify users of actual updates.

    Finally, this doesn't apply to any networks running a WSUS (or whatever it's called now) server.

    1. Re:Not a big deal by This_Is_My_Happening · · Score: 5, Informative

      It actually updated no matter if you had the auto-updates on or off. Incorrect. Automatic Updates has several settings:

      - Automatic (downloads and installs updates automatically)
      - Download but not install (downloads automatically, but you choose when to install)
      - Notify but not download (notifies you of updates, but doesnt download)
      - Turn off Automatic Updates

      If the 4th setting above is selected, there are no updates at all, stealth or otherwise. The service is off, and no communication is done with the WU servers.

      This stealth update was a surprise for the people who had the 2nd or 3rd setting above selected. Under these settings you expect the update to be downloaded (or you expect to be notified of it) but you do not expect it to be installed without your input. Under these settings your computer still communicates with the Update servers on a regular basis to check whether new updates are available.

      MS claims that the stealth update to the Windows Update system itself was required so that it could still check for new updates. Im not sure if I buy that myself, but as long as the limit this behaviour to Windows Update updates only, I can live with it. If they try it for any other updates (like WGA or the like) you can bet I'll be disabling the service entirely right quick.
      --
      God made me an atheist. Who are you to question his wisdom?
    2. Re:Not a big deal by Kjella · · Score: 4, Insightful

      MS claims that the stealth update to the Windows Update system itself was required so that it could still check for new updates.

      Even if that was true, that's not proper behavior. Under the circumstances, I might see a level 3 being upgraded to a level 2 (download), and after download it should simply prompt and notify that further update checks may fail and that additional patches may be available after this update. That's the whole point of those settings, to not having anything installed without permission. If you know that that upgrade *is* pending and that others *may* be pending, it should be sufficient for everyone and without secretly installing anything. That said, not exactly a big issue IMO.

      --
      Live today, because you never know what tomorrow brings
  3. Oh man, this one again? by Anonymous+Brave+Guy · · Score: 5, Informative

    We already did this one just two days ago.

    The anti-Microsoft FUD was thoroughly debunked by numerous Slashdot posters. It was also thoroughly debunked by numerous comments in reply to the various external sources cited in the older Slashdot article.

    They updated Windows Update, when people explicitly visited the Windows Update site. That is all. They are not pushing out updates to critical system files without any user intervention.

    Last time, several posters asked whether Slashdot would at least have the decency to correct the blatantly Microsoft-bashing headline/article. They didn't, they posted it again. <sigh> Go Zonk!

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  4. Re:Not a big deal... so now that hackers know... by Fallen+Kell · · Score: 4, Interesting

    So now that hackers know there exists a backdoor to the windows update which will let them update a stealth patch to anything they want in the system because it runs with admin rights, this isn't a big deal to you?

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  5. Re:Sabotaging certified systems. by Ant+P. · · Score: 5, Insightful

    If you're using an internet-facing Windows XP to run mission-critical systems, let us know which ones - so I can make a mental note never to use your services.

  6. Big Deal... by nutrock69 · · Score: 4, Informative

    It did not update if you have automatic updates turned off.
    Really? Last I read, the claim that it does update when the feature is turned off was supported by several reputable computer trades, each of which (supposedly) verified this independently on PC's they own and test with. Has anybody besides Microsoft claimed otherwise? Remember, having a computer that didn't update on its own is not proof that it won't, only that it might not have been in the list to receive the patch. The lack of evidence does not prove a contrary opinion in this case.

    The biggest problem I have with this update, is that it proves beyond any doubt that Microsoft deliberately placed a "hole" in the security of their OS for their own purposes. It is nothing less than something on the internet contacting the OS, opening a hole, then running software with root/admin permissions to change something in the OS itself. Something many people have suspected because of the so-called security patches that move holes around instead of actually closing them, has now been proven to be true.

    This must be a holy grail for a Windows hacker. This hole was put in the OS specifically to take over a computer, and Microsoft's reaction to its discovery shows they obviously have no intention of closing it - just continuing to use it when desired. You can bet that finding this hole and ways to exploit it are now the top priority of hackers around the world.
  7. What append if ... by denisbergeron · · Score: 4, Insightful

    If I suppose this sentence true :

    Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications.

    What append when someone install XP (OR Vista) from zero and get the OldAndBad Windows Update ? He will never be able to get update ?

    Someone have feet in his mouth.

    --
    Ceci n'est pas une Signature !