Slashdot Mirror


Microsoft 'Stealth Update' Proving Problematic

DaMan writes "According to the site WindowsSecrets, the stealth Update that Microsoft released back in August isn't quite as harmless as the company claims. The site's research has shown that when users try to do a repair to XP subsequent to the update, bad things happen. 'After using the repair option from an XP CD-ROM, Windows Update now downloads and installs the new 7.0.600.381 executable files. Some WU executables aren't registered with the operating system, preventing Windows Update from working as intended. This, in turn, prevents Microsoft's 80 latest patches from installing -- even if the patches successfully downloaded to the PC.' ZDNet's Hardware 2.0 has independently confirmed that this update adversely affects repaired XP installations: 'This issue highlights why it is vitally important that Microsoft doesn't release undocumented updates on the sly. Even the best tested update can have unpleasant side-effects, but if patches are documented properly and released in such a way that users (especially IT professionals) know they exist, it offers a necessary starting point for troubleshooting.'"

8 of 257 comments

  1. I've run into this and the fix isn't hard. by domatic · · Score: 4, Informative

    I ran into this a couple of weeks ago. When the attempt to use update.microsoft.com fails, the "troubleshooter" will direct you to a Knowledge Base article that advises you to do the following:

    At the command prompt, type the following commands, press ENTER after each command, and then click OK every time that you receive a verification message:

    regsvr32 wuapi.dll
    regsvr32 wuaueng1.dll
    regsvr32 wuaueng.dll
    regsvr32 wucltui.dll
    regsvr32 wups2.dll
    regsvr32 wups.dll
    regsvr32 wuweb.dll

    Once that is done, you'll be able to use Microsoft Update again.

    1. Re:I've run into this and the fix isn't hard. by mcmonkey · · Score: 2, Informative

      I ran into this a couple of weeks ago. When the attempt to use update.microsoft.com fails, the "troubleshooter" will direct you to a Knowledge Base article [microsoft.com] that advises you to do the following:

      Go to http://windizupdate.com/ with a supported (non-IE) browser.

      Once that is done, you'll never have to use Microsoft Update again.

      That's something you can tell your grandmother over the phone.
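The re-registration procedure from the first comment, as an added PowerShell example rather than anything posted in the thread: it runs regsvr32 silently over the same seven DLLs, reports any that fail or are absent, and then confirms the repair by instantiating the Windows Update Agent COM classes. It assumes an administrator prompt with PowerShell 2.0 or later, and that "Microsoft.Update.Session" and "Microsoft.Update.AgentInfo" are the documented WUA ProgIDs (assumption; they are not from the page).

```powershell
# Added example, not part of the Slashdot thread or the KB article.
# DLL names are the ones listed in the comment above.
$wuDlls = 'wuapi.dll','wuaueng1.dll','wuaueng.dll','wucltui.dll',
          'wups2.dll','wups.dll','wuweb.dll'
$sys32 = Join-Path $env:SystemRoot 'system32'

# Stop Automatic Updates so the DLLs are not in use while re-registering.
Stop-Service -Name wuauserv -ErrorAction SilentlyContinue

foreach ($dll in $wuDlls) {
    $path = Join-Path $sys32 $dll
    if (-not (Test-Path $path)) {
        # Not every build ships every file (wuaueng1.dll in particular).
        Write-Warning "$dll not found in $sys32, skipping"
        continue
    }
    # /s suppresses the "DllRegisterServer succeeded" dialog the KB mentions;
    # Start-Process -Wait is needed because regsvr32 is a GUI executable.
    $p = Start-Process -FilePath regsvr32.exe -ArgumentList "/s `"$path`"" -Wait -PassThru
    if ($p.ExitCode -eq 0) {
        Write-Host "registered $dll"
    } else {
        Write-Warning "regsvr32 $dll failed with exit code $($p.ExitCode)"
    }
}

Start-Service -Name wuauserv -ErrorAction SilentlyContinue

# Verification: if wuapi.dll is registered, the WUA session class is creatable
# and the agent can report its own version (assumed ProgIDs, see lead-in).
try {
    $session = New-Object -ComObject 'Microsoft.Update.Session'
    $agent   = New-Object -ComObject 'Microsoft.Update.AgentInfo'
    $version = $agent.GetInfo('ProductVersionString')
    Write-Host "Windows Update Agent $version is registered; session object OK"
} catch {
    Write-Error "Windows Update Agent COM classes are still not registered: $_"
}
```

If the final check still fails after every regsvr32 call returned 0, the problem is not registration and the downloaded patch cache mentioned later in the thread is the next thing to look at.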

  2. Re:Why did no antivirus s/w pick this up? by alexhs · · Score: 3, Informative

    A dozen system files have been updated as part of this undocumented stealth update... and yet not a single antivirus software reported this. Why?

    1) Most antivirus software can only detect known viruses. They do not detect viral activity, only a numeric signature. They won't detect stealth updates if the update doesn't match a signature.

    2) For the few behavioral antivirus software, my guess is that they're monitoring activity under some user accounts, and that they're not able to monitor activity of the "System" accounts and other special accounts.
    --
    I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
  3. Re:My experience by pintpusher · · Score: 2, Informative

    I'm not trolling, seriously.

    I can't speak to the internal reasons behind Windows' decision to include that feature (though I have a couple of good guesses), but based on the number of people I know who think a backup is when the white lights come on at the back of the car, it's a much needed feature. This is what backups are for, people. No matter what OS. A proper backup scenario would allow recovery from any problem like this. In the Linux world, due to plaintext config files and the modular nature of the system, you can even restore selective parts of the system and get back to a usable state pretty easily.

    So to answer your question about system restore in Linux, just keep good backups of /etc, multiple kernels installed, and if you're really worried, or don't understand how to manually tweak your update system to allow rollbacks, then back up /[s]bin and /usr/[s]bin and you're probably good. It's not that hard.

    --
    man, I feel like mold.
  4. That explains the trouble I had! by TheRealBurKaZoiD · · Score: 2, Informative

    FTFA:

    "This, in turn, prevents Microsoft's 80 latest patches from installing -- even if the patches successfully downloaded to the PC."

    That's the trouble I had recently! A few weeks ago, a friend asked me to clean up three of her family computers that were crawling with spyware, adware, and trojans, as well as upgrade them from WinXP Home to WinXP Pro. I got them cleaned up fine, and did the upgrade. After booting to the desktop the first time, I ran Windows Update to grab the latest patches. On all three machines, WU would install some needed components, reboot, download all outstanding patches (approximately 80+), and then fail on the install of every single update.

    Windows Update would NOT run without erroring out. It took me a few hours to realize I had to manually re-register all of the components for Windows Update, after which I also had to delete ALL of the downloaded patches, as well as all of the $NTUninstallKBXXXXX stuff.

    Then again, maybe I just did the update wrong three times in a row?

  5. Re:Why did no antivirus s/w pick this up? by Etrias · · Score: 5, Informative

    So, does an antivirus program run as a normal user process or system user process? If it is the latter, then how is it that the stealth update managed to escape attention??

    And if antivirus s/w firms do not know systems programming, why do they exist at all? Looks like most anti-virus programs have been configured / patched NOT TO REPORT this particular stealth update... I cannot see any other logical explanation for this lapse.

    Like I mentioned, it seems that you have never been a Windows admin, nor have you ever dealt with a large roll-out of a system patch.

    Whether the AV program runs under a user process (highly unlikely) or a system process, it doesn't matter. You're ignoring what AV programs are looking for anyway. If a trusted process and service (Windows Update) is run by a trusted user (SYSTEM), the chance that the AV program is even going to log such activity is doubtful. As far as the AV program is concerned, the service (Windows Update) is doing its job... which in a way, it is. Windows Update has the control to change system files. No big secret there.

    You seem to think that every time a system file gets updated by whatever process, that should be flagged and prevented. It's not some rogue program that is being run to update the files, it's the WU service that's on every single XP (and other MS OS's) machine out there.

    Like I said, I'm not defending MS on this... no one I bitch about more. But to say that the AV companies have culpability on this, that's off the mark. A trusted Windows service did what it was built to do. Nothing to see here. Move along.

  6. Re:Following your train of thought by Anonymous Coward · · Score: 1, Informative

    Probably not. If word ever got out that Microsoft was intentionally shipping defective software, there would be legal hell to pay (antitrust lawsuits, consumer class-action lawsuits, shareholder lawsuits, etc.). And, as far as I can tell, Microsoft leaks memos like a sieve.

    More to the point, they don't need to. Software design being what it is, a project of even moderate complexity is guaranteed to have bugs. If it is in C++, it will most likely have buffer overflows or memory leaks. If it touches the network, there will be security issues. And if you have refined your product to the point where all obvious defects are eradicated, you can easily introduce more by adding a few features, supporting more or newer standards, or merging with another product.

    So Microsoft can keep shipping updates indefinitely, even without intentionally introducing malicious code. And that won't change without a major improvement in software engineering or a major shift in consumer interest from new software to stable software.

  7. Re: windows and linux problems by Medievalist · · Score: 2, Informative

    I've set it to default to Windows, because Windows boots over and over, sometimes for hours, before it finally relents and comes to life. I've suspected a BIOS setting it doesn't like, or that Windows wants its own FAT instead of LILO, but could it be that Windows is trying to phone home, even though my internet access has been shut off for a couple of months? Even though it's a fresh install and the PC hasn't been connected to the internet since before the install? Sounds like a hardware problem, to be honest. Like a bad bit or two in low memory, for example... do you have memory testing turned on in your BIOS? If it's set to "fast boot" it will skip nearly all useful testing; fast boot is just a way to generate money for PC repair shops. :)

    And do they have any idea what a pain in the ass it is to "register" that God damned OS without internet access? Don't remember if I've tried it with Windows, but for most Windows programs that nag for registration you just tell it you'll register by snail mail, when it asks for a printer tell it to print the registration page to a file, and delete the file at your leisure.

    If I could get the S-Video out to work with Linux, XP would be history on my PC. If you've got a Hauppauge card, ivtv will probably do the job for you. If not, post your card type (preferably including video output chipset information, if you can figure out how to get that... sometimes it's in dmesg) in a MythTV forum. The Myth guys are generally pretty helpful, if you are even minimally polite.