Slashdot Mirror
Nerves Rattled By Highly Suspicious Windows Update Delivered Worldwide
An anonymous reader writes: If you're using Windows 7 you might want to be careful about which updates you install. Users on Windows forums are worried about a new "important" update that looks a little suspect. Ars reports: "'Clearly there's something that's delivered into the [Windows Update] queue that's trusted,' Kenneth White, a Washington DC-based security researcher, told Ars after contacting some of the Windows users who received the suspicious update. 'For someone to compromise the Windows Update server, that's a pretty serious vector. I don't raise the alarm very often but this has just enough characteristics of something pretty serious that I think it's worth looking at.'" UPDATE: Microsoft says there's nothing to worry about, the company "incorrectly published a test update."
http://www.zdnet.com/article/microsoft-accidentally-issued-a-test-windows-update-patch/
Microsoft said a highly suspicious Windows update that was delivered to customers around the world was the result of a test that wasn't correctly implemented.
They were just checking to see if you really wanted to upgrade to Windows 10
Never attribute to malice that which is adequately explained by stupidity. Could be that some Microsoft engineer accidentally published a test update.
"We incorrectly published a test update and are in the process of removing it," a Microsoft spokesperson wrote in an e-mail to Ars. The message included no other information.
The explanation came more than 12 hours after people around the world began receiving the software bulletin through the official Windows Update, raising widespread speculation that Microsoft's automatic patching mechanism was broken or, worse, had been compromised to attack end users. Fortunately, now that Microsoft has finally weighed in, that worst-case scenario can be ruled out.
I'm a little leery of the Microsoft claim. Admittedly I am perhaps a bit biased against Microsoft for their having integrated a web browser into their OS kernel such that the OS can be irrevocably compromised through a simple web page, but even without that history, that company is large enough that anyone in public relations to make the, "our bad," announcement might not have any idea what actually happened from a technical point of view. On top of that the formatting of the update doesn't give any clue that it's a test update either, as it appears to make no origin claims (at least by the article's included screen shot) and is simply strange.
Whenever I've done something as a test, I actually note in the comments that it's a damn test. I also note that I put it there. Microsoft might not want to publicly attribute something to a particular developer to intentionally obfuscate the development process from the user, but they still should have used something that identifies it as a test to the average person, and used something to make it clear to them that it's attributed to a specific person.
Do not look into laser with remaining eye.
They're apparently not content with only failing miserably in new markets like smartphones - they're now finding ways to destroy their successful businesses as well. They should just sit on their hands and keep collecting their checks.
Perhaps it's just me, but on days like this it almost looks like sacking thousands of QA employees might not have been the smartest idea ever.
"Microsoft confirmed Wednesday that a suspicious-looking update pushed out to Windows machines globally in the early hours was nothing more than a test gone errant."
http://www.zdnet.com/article/m...
The summary makes it sound like this is all a mystery and insinuates that Microsoft's update servers may have been compromised, however, the linked articles state that it was simple a mistakenly pushed test patch and nothing nefarious at all.
yeah - turns out to be a mistake. We can delete this post and all conversation after it.
I've been reading the support forum links where people claim that their PC where nuked with this update, nothing worked, everything failed, no System Restore, bla bla bla. I'm amazed how far the MS hate goes, even making up stories.
If this continues, I wouldn't do real work on [windows] ever again.
So this time didn't do it for you? There has to be another time? Given Win7+'s mod to auto install fixes deemed by MS to be critical, I think that time was at least years ago. Even IBM jumped ship.
The cesspool just got a check and balance.
a weather balloon!
We play the game with the bravery of being out of range
The updates are signed, but the metadata is not.
But shit from the metadata can be executed.
http://www.contextis.com/media...
Configuring SSL for WSUS (NOT the default, and NOT as simple as it should be) mitigates this by protecting the metadata from simple MITM attacks.
Trust no one.
You are welcome on my lawn.
As far as I am concerned from now on, every statement from M$ is potentially a lie, and ANY OS or program from M$ is potentially full of NSA backdoors and spyware, as well as the ever-present bugs. As far as anyone knows every M$ product all the way back to the first version of DOS was/is infested the same way!
M$, you are forever wiped from my computers and out of my life!!!
MonsterSlop, however, is not listing that in the descriptions.
if this is supposed to be a new economy, how come they still want my old fashioned money?
This right here would be what makes black hats drool. Get a payload in the Windows update server that is signed with keys that pass. you do that and you utterly own 60% of the internet in a span of 8 hours.
If you were smart about it, you would do a quick test that is benign. changing only 2 bytes in a MS patch and then look for it. If that works you get your best rootkit that you can conceive and get it out there. now WAIT for about 25-45 days and have it download and install the nasty that you want to unleash.
Luckily 99% of the black hats are so ADD that they shoot their load as soon as they can and brag all over the internet. It's that 1% that you never hear about and are never caught that are the truly dangerous ones.
Do not look at laser with remaining good eye.
No. A different article pointed to be the same URL explains that. You should probably learn how the internet works some day if you are going to make snarky comments on Slashdot.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Bullshit. No OS is "well made" enough that it will never need security updates. Not Windows, not MacOS, not Linux, not *BSD.
This is why it's really, really important for OS providers to maintain a trustworthy update service. If they use it for advertising purposes, or sell it out to various government agencies, or allow incompetent personnel to push "test" updates to the entire planet, it's no longer trustworthy. That means their OS itself is no longer trustworthy, if in fact it ever was.
Nobody at Microsoft seems to have the first clue how important Windows Update actually is, and how important it is not to screw with it. Windows Update is Windows, not just in a de-facto sense but as a vital corporate strategy. It's time they started acting like it.