Microsoft 'Stealth Update' Proving Problematic
DaMan writes "According to the site WindowsSecrets, the stealth Update that Microsoft released back in August isn't quite as harmless as the company claims. The site's research has shown that when users try to do a repair to XP subsequent to the update, bad things happen. 'After using the repair option from an XP CD-ROM, Windows Update now downloads and installs the new 7.0.600.381 executable files. Some WU executables aren't registered with the operating system, preventing Windows Update from working as intended. This, in turn, prevents Microsoft's 80 latest patches from installing -- even if the patches successfully downloaded to the PC.' ZDNet's Hardware 2.0 has independently confirmed that this update adversely affects repaired XP installations: 'This issue highlights why it is vitally important that Microsoft doesn't release undocumented updates on the sly. Even the best tested update can have unpleasant side-effects, but if patches are documented properly and released in such a way that users (especially IT professionals) know they exist, it offers a necessary starting point for troubleshooting.'"
Why not just let everyone patch their systems, and shut off the "non genuine" check or whatever is blocking this? Why wouldn't you want people to patch the systems? Doesn't an unpatched and infected system equate more directly to lost revenue than a "non-genuine" flagged system?
Wasn't it for windows update to "work properly" that those patches were released? Way to go MS, foot in mouth, lather, rinse, repeat...
True. They have a tough road ahead to make Vista live up to Win98. But seriously, I suspect that there are many great code advances in Vista, and that if it were not encumbered by paranoid we-must-control-the-consumer DRM security model, it might actually be better than XP. As long as the consumer (vs corporate) is not Microsoft's actual customer, they will continue to offer the opportunity for user friendly Linux distros like Ubuntu to gain market share.
If you want news from today, you have to come back tomorrow.
How do these antivirus programs know for sure that these updates were 'harmless' and 'normal behaviour'?
In light of this revelation, I think corporates must now take action against these antivirus firms for not preventing this breach. Let's see what Microsoft has to say to this 'harmless' update that allows users to 'know and be informed of further updates'. A Media Defender style exposé of internal communications on this issue would be very interesting indeed.
Updates are run under the system user process. If you had ever been a Windows admin, you'd know that there are all sorts of ways to hide updates and the like from users...which means that there's something in the process that MS can enable to hide it from their users. The reason no AV caught it is because it was using an update service already approved by the AV program and was running it under the already accepted system user.
I'm not saying that I approve of their actions, I don't. But just because an AV program didn't pick it up isn't surprising, nor should they have.
Do these people realize that the ENTIRE POINT of Microsoft forcing the Windows Update patch was to make sure that future updates would trigger whatever policies the user had selected for the machine?
In other words, if Microsoft had not updated Windows Update automatically, and a user had chosen to be notified of future updates, these notifications would not work. The only way to ensure that the user's settings were properly respected was to update Windows Update.
So now this article says that the silent update wasn't harmless because Windows Update was broken after they did a restore. Do they realize that without this update, Windows Update *definitely* wouldn't work, and that the fact that this update may have a bug in it regarding restoration is completely beside the point?
Should Microsoft have made it more clear that they were doing an update? Yes. Is this update proof of Microsoft's desire to ignore user preferences and do whatever the hell they want? Obviously not.
I know what is being installed
You know what's installed, eh? So you go through and check the source of all code that is being installed on your Linux box? I understand the idea that because it is open source, there must be no problems with what you are installing, but don't make the false assumption of this, because as Linux becomes more and more popular the chance of something getting on your system that you were unaware of will most likely grow. Everything might not always be so hunky-dory.
At a minimum, if any given end-user doesn't have the time or ability to look at the source of each piece of code, there is a worldwide community of individuals who can pool their time and ability to dive into the source, and if anything suspicious or odd is going on, there's a good chance (at least compared to closed-source) that it will be found and reported. So even the Linux newbs who don't know source code from morse code still benefit. (disclaimer: naturally, it's not completely so rosy. Any given grandma isn't going to be looking up this information, but I think the point is still valid)
And it should be obvious to anyone who knows the company... upgrade to Vista, and you won't have to worry about repairing your XP installation anymore!
Who says this is an -unintended- side effect?
The stealth "upgrade" will make XP quite unstable. And MS will just say, XP has been end-of-lifed and Vista upgrade will fix the problems. Then Wall Street will get comfortable numbers about Vista sales. Things will continue as normal.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
If a virus or trojan has that access already, you're screwed anyway. Might as well wipe the box and start over. However, to get that access, they usually need an exploit or to run an executable to grant them that access.
I don't think you have a very good understanding of what a virus program is expected to do. If a system account isn't allowed the power to update system files, then why have it in the first place?
Sadly, for the vast majority of Windows users, the patronizing attitude is probably the least painful approach. Like most here on /., I don't take too kindly to MS slipping unauthorized patches onto my systems. But for mom, pop, and grandma, well what they don't know might be good for them. Telling them too much would just confuse them and result in expensive tech support calls. So MS rolls the dice that most won't have a problem with the update and won't care to know the details anyway.
I'm not saying people should be like this, but it is often the case.
To the making of books there is no end, so let's get started
What a long-winded way to say the Windows update is such a horrible mess it isn't funny.
Me, I like rolled up file based updates. Download it and save it off. When the beta testers say it is OK, I apply. I have learned with over 20 OSes behind me that you patch to point in time from proven groups of patches. This idea of "auto" update is so fundamentally flawed...
I believe the reference is to how well Windows 98 (and 98 SE) was received by Windows 95 users (98 offered lots of good fixes and new features over 95) as opposed to how poorly Windows Vista is being received by Windows XP users (since it doesn't really offer any must-have features or bug fixes).
Portable versions of Firefox, GIMP, LibreOffice, etc
I have no idea what is "protecting" these software vendors other than the halo that we are dealing with software and everyone expects things to go very bad once in a while in the field but the threat of lawsuits at this point is laughable.
Note: I am merely reporting on the actual state of things, this does not mean I agree with it.
You have zeroed in on the heart of this problem with laser-like precision. I couldn't agree more.
If you run a business on an OS you need to know the details of upgrades. You need to test all upgrades against your production machines before applying the upgrade.
I am not talking about a home desktop, or even a corporate desktop system here. Think about computers used to control water or fuel delivery. Maybe a system that reconciles ATM transactions at a bank, or adjusts inventory databases from sales at retail locations, or the automated system that routes calls to a city's 911 emergency center.
Businesses and Governments depend on many customized pieces of software day in and day out. All software changes must be tested and shown to have no ill effects before they are applied to enterprise production systems.
Any OS that does not allow the user to control the application of patches and updates, and instead updates systems by stealth, is not ready for the enterprise.
Think about the problems that could result if people use an OS like Windows in mission-critical applications that involve lives.
Even if lives are not involved, businesses cannot tolerate amateur stunts like stealth patches from an OS vendor. They could lose billions of dollars trying to find out the cause of a problem.
This highlights how out of touch Microsoft is with the needs of enterprise level customers.
You're asking for a nightmare... Can you imagine trying to do a big update (say a service pack) with your AV flagging every single file? You'd spend days clicking "Yes, install the File".
The AV assumes that WU is updating Windows... It's what Windows Update does, the alternative would be to never get anything done as your AV tries valiantly to block every update MS puts out.
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
Well it wouldn't be the first time. See the (early) Windows deliberately crashing on DR-DOS fiasco.
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.