Monday, September 17, 2007

Microsoft Defends Stealth Windows Updates

Paul Henry, Secure Computing's VP of technology evangelism, said that although Microsoft's stealth updates have not yet created any reported issues, the ramifications could be significant. With no way of turning off Windows Update, he said, the use of a compromised update process could become an attractive vehicle for a would-be hacker.

Microsoft has crossed the line with some Windows users by secretly deploying software through Windows Update -- even to users who had turned off automatic updates. Microsoft has issued an apology, of sorts, but some security experts are still warning that the practice of updating Windows without user consent could lead to dire consequences.

As its name suggests, Windows Update is a service that primarily delivers updates to Windows. To ensure ongoing service reliability and operation, Microsoft must update and enhance the Windows Update service itself, including its client-side software.

However, Microsoft discussion boards this week revealed that Redmond was updating Windows without permission. Specifically, Windows Update has updated nine files in both Windows XP and Windows Vista over the past few weeks, according to reports.

Disaster Waiting To Happen?

Paul Henry, Secure Computing's vice president of technology evangelism, verified the stealth updates on a Windows machine in his own lab. Henry said that what initially struck him as unusual was that Microsoft began the updates without any end-user notification. Beyond this, he said, there are larger security concerns.

"First, with no way of turning off Microsoft updates, it makes the use of a compromised update process a very attractive vehicle for a would-be hacker," he explained. "Second, this also raises concerns for law enforcement." Henry pointed out that a great deal of caution is exercised to maintain stability in certain environments. For example, documented Microsoft installs in computer forensics are necessary to ensure that potential evidence isn't compromised.

Henry said that although the Windows process has not yet created any reported issues, the ramifications of Microsoft's stealth updates have the potential to be significant. He said he can easily imagine a patch being automatically deployed that causes things to break and go terribly wrong in a Windows environment.

"Just look what happened to Skype in the last month," he explained. "An update was released by Microsoft that caused so many PCs to reboot and reinitialize simultaneously that it impacted Skype's ability to reconnect its worldwide network."

Microsoft Defends the Updates

For those who want to know why Microsoft updated the files automatically, even if users had not opted for automatically installing updates, Redmond offered an explanation.

"Any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available. Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications," said Nate Clinton, program manager for Windows Update, in a statement.

In addition, Clinton said that not updating the files would have caused users to believe that they were secure even though there was no installation or notification of upgrades. To avoid creating such a false impression, he continued, the Windows Update client is configured to check for updates whenever a system uses the service, independent of the selected settings for handling updates.

"The point of this explanation is not to suggest that we were as transparent as we could have been; to the contrary, people have told us that we should have been clearer on how Windows Update behaves when it updates itself," Clinton concluded. "This is helpful and important feedback, and we are now looking at the best way to clarify Windows Update's behavior to customers so that they can more clearly understand how Windows Update works."