Is Microsoft Doing a Stealth Update?

Published: 2007-09-13. Last Updated: 2007-09-27 19:32:41 UTC
by Deborah Hale (Version: 2)

We have received several emails from readers today regarding concern over reports that Microsoft had begun patching files on Windows XP and Vista without users' knowledge. It was reported that even though the user had turned off auto-updates, some of the files were still being updated.

 

windowssecrets.com/2007/09/13/01-Microsoft-updates-Windows-without-users-consent

blogs.zdnet.com/hardware/


There is a lot of concern about these updates and rightfully so. One of our readers, Wade, posed some very interesting questions in regard to this issue. Here is what he had to say:

“In the case of compliance auditing, does this revelation mean that unless we completely block access to the Microsoft update servers at the firewall, we cannot attest that we have full knowledge and control of all changes to our systems?  Does this functionality classify as malware, in that changes to "your" system are occurring without your explicit knowledge or consent? (Ignoring the fact that you "signed" the EULA absolving Microsoft from any wrongdoing in any situation).”

 As I thought about his questions, I have to admit that I agreed with him and that it does raise some issues in the area of compliance auditing and the ability to say without a doubt we have full control and knowledge of all changes made to our system. I was concerned about how I would answer this question on my next audit.

So I decided to check with Microsoft to see what this was all about. I quickly received information that has helped to at least put my mind at ease. From what I can tell from the Microsoft information, this update is not taking place automatically, but rather takes place when you go to their update site. So if you never go to the update site or you never check for updates… you will not get the updates.

blogs.technet.com/mu/archive/2007/09/13/how-windows-update-keeps-itself-up-to-date.aspx

Microsoft’s article contains this:

“Before closing, I would like to address another misconception that I have seen publicly reported. WU does not automatically update itself when Automatic Updates is turned off, this only happens when the customer is using WU to automatically install upgrades or to be notified of updates.”

So, I guess I feel a little better about this. There is still the possibility, I suppose, Microsoft could install some other program via this process without our knowledge. (Malware and virus authors have been silently installing these programs for years). For this reason we have to remain vigilant, watchful, and not become complacent when it comes to our computers and our networks.

Thanks to everyone that contributed links and information.

Update: (2007-09-27 19:15 UTC by jac) There was a follow-up story in Windows Secrets today about machines with this update being unable to reinstall patches if the "repair" option was used to reinstall the OS. Our Microsoft sources have responded that they were only aware of one support call on the issue but stated:

  • We are aware of reports about customers not being able to download some updates from Windows Update when using the latest version of the Windows Update client and after reinstalling Windows XP system files from CD.
  • We take this issue very seriously and are investigating the root cause of this behavior and what options are available to address it.
  • Customers that are experiencing this issue are urged to contact customer support at no charge at 1 (866) PCSAFETY (http://www.microsoft.com/protect/support/default.mspx).

 

 


Experimental Storm Worm DNS Blocklist

Published: 2007-09-13. Last Updated: 2007-09-13 12:49:58 UTC
by Johannes Ullrich (Version: 1)
Threatstop is currently experimenting with a DNS-based blocklist scheme to dynamically block Storm worm infected hosts. It's a test list they offer for free to get some feedback on how well it works for people.

The basic idea of their blocklist scheme is not like traditional DNS blocklists, which require a DNS lookup for each new IP address seen. Instead, you add a hostname to your blocklist, which will then resolve to multiple A records, each of which is an IP address to be blocked. It appears that most firewalls will refresh the list whenever the TTL for the record expires.

Currently, the following hostnames can be used:

  • basic.threatstop.com
  • basic1.threatstop.com
  • basic2.threatstop.com
  • basic3.threatstop.com
  • basic4.threatstop.com

Each one resolves to a set of Storm-infected IPs. This is just a temporary service to test this distribution method with a larger set of users. For more details, see the threatstop.com website.
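As an added illustration (not Threatstop's code and not part of the original diary), this Python sketch shows what a consumer of such a list does on each refresh: pull the A records out of a raw DNS response, diff them against the block set already installed, and take the lowest TTL as the time of the next refresh. The response bytes are constructed with documentation addresses and a placeholder hostname; `plan_refresh` and `build_response` are hypothetical helper names.

```python
import ipaddress
import struct

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # plain label: hop over it
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)           # pointer is 2 bytes, root label 1

def parse_a_records(msg):
    """Return (set of IPv4 strings, lowest TTL) from a raw DNS response."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    ips, min_ttl = set(), None
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            ips.add(str(ipaddress.IPv4Address(msg[off:off + 4])))
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        off += rdlen
    return ips, min_ttl

def plan_refresh(current, msg):
    """Diff the installed block set against a fresh answer: (add, remove, ttl)."""
    fresh, ttl = parse_a_records(msg)
    return sorted(fresh - current), sorted(current - fresh), ttl

def build_response(name, ips, ttl):
    """Constructed-sample helper: encode a response with one A record per IP."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, len(ips), 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)
    for ip in ips:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)  # name = pointer to question
        msg += ipaddress.IPv4Address(ip).packed
    return msg

# Constructed sample: placeholder hostname, documentation addresses as "listed" hosts.
SAMPLE = build_response("blocklist.example",
                        ["192.0.2.10", "198.51.100.7", "203.0.113.99"], 300)

if __name__ == "__main__":
    print(plan_refresh({"192.0.2.10", "192.0.2.44"}, SAMPLE))
```

Addresses that drop out of the answer are scheduled for removal, so a host that has been cleaned up stops being blocked once the next refresh runs.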