Microsoft Downplays Stealth Update Concerns
Microsoft Corp. Thursday essentially called the concerns over undercover updates to Windows XP and Windows Vista a tempest in a teapot, saying that silent modifications to the Windows Update (WU) software have been a longtime practice and are needed to keep users patched.
"Windows Update is a service that primarily delivers updates to Windows," said Nate Clinton, program manager in the WU group on the team's blog Thursday. "To ensure ongoing service reliability and operation, we must also update and enhance the Windows Update service itself, including its client-side software."
Microsoft was moved to respond after the popular "Windows Secrets" newsletter looked into complaints that WU had modified numerous files in both XP and Vista, even though users had set the operating system to not install updates without their permission. In many cases, users who dug into Windows' event logs found that the updates had been done in the middle of the night.
Windows gives users some flexibility in how their PCs retrieve and install updates and patches from the company's servers. In Vista, for example, users can turn off Automatic Updates entirely; allow the operating system to check for, but neither download or install, any fixes; or allow it to download files but not install them.
Clinton tackled the stealth install issue in some detail. "One question we have been asked is why do we update the client code for Windows Update automatically if the customer did not opt into automatically installing updates without further notice? The answer is simple: Any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available."
Failing to do so, he argued, would have ultimately run counter to what a user wants and needs. "Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications." The result, he said, would be to leave users at risk to attack via vulnerabilities Microsoft has patched. "That would lead users to believe that they were secure, even though there was no installation and/or notification of upgrades."
In fact, the practice has been going on for some time, Clinton claimed. "The Windows Update client is configured to automatically check for updates anytime a system uses the WU service, independent of the selected settings for handling updates. This has been the case since we introduced the Automatic Update feature in Windows XP. In fact, WU has autoupdated itself many times in the past," he said.
That would be news to the majority of people who filled several threads on Microsoft's own support newsgroups starting in late August. "I found this information by myself, checking the Windows directories," griped someone identified as Frank. "But the point is that I didn't allow the update (Automatic Update properties on 'notify') and there is no information about this update on Microsoft [Web pages]. Why [didn't] Microsoft publish any information about this update?"
Clinton also disputed user accounts of stealth updates to WU even when they had completely disabled the automatic update feature in the operating system. "WU does not automatically update itself when Automatic Updates is turned off, this only happens when the customer is using WU to automatically install upgrades or to be notified of updates," said Clinton.
He did issue a mea culpa -- of sorts. Although he stopped short of apologizing for the lack of information, he said Microsoft is considering changes. "[This] is not to suggest that we were as transparent as we could have been," he admitted. "To the contrary, people have told us that we should have been clearer on how Windows Update behaves when it updates itself. We are now looking at the best way to clarify WU's behavior to customers so that they can more clearly understand how WU works."
That's crucial for both end users and companies, said Andrew Storms, director of security operations at nCircle Network Security Inc., a security and compliance vendor. "The question is, why haven't users been more clearly educated that this is the way [WU] updates work?" Storms asked. "I'm glad to see software updated, but the better tack would have been to fully explain this.
"Frankly, this surprises me a bit. Microsoft's making an effort to provide us with more information, especially in the last year."
Microsoft didn't completely address one question Storms had, however: In corporations, where system integrity is not only demanded, but often crucial, how is Microsoft handling these kinds of updates to the WU client files on machines patched through Windows Server Update Services (WSUS), the server-side update manager?
Microsoft's Clinton mentioned WSUS in passing. "[For] enterprise customers who use WSUS or Systems Management Server, [the now-obsolete predecessor to WSUS], all updating, including the WU client, is controlled by the network administrator, who has authority over the download and install experience."
Microsoft's own technical documentation is unclear as to exactly what control administrators have over Automatic Updates. In a page headlined "Automatic Updates client self-update feature," WSUS administrators are told much the same as consumers, in some of the same language Clinton used in his blog. "Each time Automatic Updates checks the public Web site or internal server for updates, it also checks for updates to itself. This means that most versions of Automatic Updates can be pointed to the public Windows Update site, and they will automatically self-update," the document reads.
That's exactly how the process works for users not connecting to a WSUS-equipped server.
Even the alternative -- "You can also use the WSUS server to self-update the client software," the document said -- doesn't spell out what oversight administrators have over the modifications. In fact, this approach relies on the Internet Information Services (IIS) component of Windows Server to ping the same public servers Microsoft uses to push WU updates to anyone not using WSUS.
IIS, according to another support document, feeds the updates to a virtual directory named "Selfupdate" under the Web site running on port 80 of the WSUS server. Dubbed the SelfUpdate Tree, this folder contains the WSUS-compatible Automatic Updates software, said Microsoft.
The company did not provide more information on how, or whether, silent updates are processed by WSUS.
"This could be a very big deal to enterprises," said Storms, depending on exactly what happens in a WSUS environment. "You just don't want unknown files installed or changed."
And it's the not-knowing that bothers him. "What's really interesting here is that we don't know, do we?" said Storms. "We're looking for a more holistic view of what WU does. And Microsoft hasn't given it to us."