Windows installs patches without user consent

Windows downloads and installs patches on users’ systems without their consent, according to a new report by eWeek’s Microsoft Watch. The report isn’t about Windows’ built-in Automatic Updates tool, but about a Windows Update feature that apparently alters files entirely unbeknownst to end users—even when Automatic Updates is disabled.

The modified files in question are a collection of 18 executables used by Windows Update, including wuapi.dll, wuauclt.exe, and wups2.dll. "Microsoft is patching these files silently, even if auto-updates have been disabled on a particular PC," according to Scott Dunn from Windows Secrets. Both Windows XP and Windows Vista exhibit the same behavior.

Besides the obvious privacy issues, the procedure can be problematic for businesses, as Yankee Group program manager Andrew Jaquith points out. "Silent updates are probably against corporate policy and will definitely mess up whitelisting programs if those are installed," Jaquith explains.
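The whitelisting problem Jaquith describes comes down to file identity: a hash-based allowlist stops recognizing a binary the moment it is replaced on disk. The PowerShell script below is an added example, not code from the report or from Microsoft. It records a baseline for three of the files named above and reports any drift on later runs; the baseline path, the `-Record` switch and the output format are assumptions.

```powershell
# Added example: baseline and drift check for Windows Update client binaries.
# Requires PowerShell 4.0 or later (Get-FileHash).
# File names come from the article; the baseline location is a hypothetical choice.
param(
    [string]$BaselinePath = "$env:ProgramData\wu-client-baseline.json",
    [switch]$Record    # run once with -Record to capture the known-good state
)

$names = 'wuapi.dll', 'wuauclt.exe', 'wups2.dll'
$dir   = Join-Path $env:SystemRoot 'System32'

function Get-WuFileState {
    foreach ($n in $names) {
        $p = Join-Path $dir $n
        if (-not (Test-Path -LiteralPath $p)) {
            # Not every Windows release ships every file; record the absence.
            [pscustomobject]@{ Name = $n; Sha256 = $null; Version = $null; SigStatus = 'Missing' }
            continue
        }
        [pscustomobject]@{
            Name      = $n
            Sha256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Version   = (Get-Item -LiteralPath $p).VersionInfo.FileVersion
            SigStatus = [string](Get-AuthenticodeSignature -LiteralPath $p).Status
        }
    }
}

$current = @(Get-WuFileState)

if ($Record) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    return
}

$baseline = @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)

foreach ($c in $current) {
    $b = $baseline | Where-Object { $_.Name -eq $c.Name }
    if (-not $b) {
        'NEW      {0}' -f $c.Name
    } elseif ($b.Sha256 -ne $c.Sha256) {
        # A changed hash with a valid signature is consistent with a vendor update;
        # a changed hash with any other signature status deserves a closer look.
        'CHANGED  {0}  version {1} -> {2}  signature {3}' -f `
            $c.Name, $b.Version, $c.Version, $c.SigStatus
    }
}
```

No output means the three files still match the recorded baseline.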

Comments closed
    • herothezero
    • 12 years ago

    Wow. Like Forge said, much ado about nothing. Nothing at all.

    Unless you’re like the client I visited yesterday with a crackpatched copy of WinXP, that just wouldn’t do anything anymore–no internet, no printer, half-assed Explorer functionality, et al.

    Have to wonder why people bother with that broken/hacked crap. Are people really too poor for a legit copy of Windows?

      • evermore
      • 12 years ago

      Well when a legit retail copy costs $200 (XP Home) or $220 (Vista Home Premium) even from an e-tailer, and even more from a retail store, and you’re screwed if you actually need any “professional” features, for a computer that might have only cost $300 to build, it’s not necessarily a matter of not having the money for it, as considering it a very poor value proposition. Obviously that doesn’t make it okay to pirate but it’s one reason it happens.

      In other cases, it’s just because people think they’re putting forth some sort of protest by not paying for it. Others just don’t want to pay for anything and they’ll do anything they have to in order to avoid it, short of finding alternatives.

        • WaltC
        • 12 years ago

        I think that all of those reasons are a complete cop-out, and I think that people running cracked OS copies who get themselves screwed because their crack flakes out–get exactly what they paid for. It’s amazing to me how people who don’t pay for their software imagine they have the right to complain about it….;)

        In the first place, you can buy a cheap box for a few hundred bucks that includes a legit copy of the OS you need. In the second place, regardless of how much or how little you pay for your hardware, it’s just a doorstop without an OS–it’s useless. In the third place, as a “value proposition” it simply does not get any better than an OS–as OS vendors typically support them for years and years, with improvements and updates that don’t cost you a dime. The same people who fantasize themselves justified in running a cracked OS are the same people who’ll spend $500 or more for 3d cards that will be replaced by something better in a year, and who will spend hundreds of dollars a year on computer games that will amuse them for a few weeks/months until they buy more games.

        I think any OS vendor is well within his rights to insist that you purchase a legitimate copy of the OS *if* you want to take advantage of the years of freebies that the OS vendor will supply. Such support is clearly meant for paying customers as opposed to freeloaders. I have no sympathy at all for the freeloaders–again, they should get exactly what they pay for–nothing.

    • PRIME1
    • 12 years ago

    You don’t own the software you are just “licensing” it.

    • Krogoth
    • 12 years ago

    IANAL, but I think a good legal read in EULA may clear this issue up.

      • stdPikachu
      • 12 years ago

      Since when was the EULA a legally binding contract?

      In any case, silent auto-updates are bad in principle. If there’s an update to the windows update code, make it a mandatory installation like with WGA and MSI 3.1. Why bother installing it silently?

        • BKA
        • 12 years ago

        “Since when was the EULA a legally binding contract?”

        As soon as you click “I agree”.

          • SPOOFE
          • 12 years ago

          Even if one is under 18?

            • Vrock
            • 12 years ago

            I bet the answer to that is in the EULA. 😉

          • stdPikachu
          • 12 years ago

          So when did the contract negotiation period happen? When did I sign on the dotted line?

          And TBH, I don’t give a crap even if it’s legal or not. It’s just impolite behaviour to have your computer do something secretly at the whim of a manufacturer.

            • BKA
            • 12 years ago

            The same as any other contract that you sign online, it’s digital. As soon as you click “I agree” you’ve signed. Just like any other contract or agreement, you should always read it before signing or agreeing. I initially had a problem with how you digitally sign IRS returns but oh well that’s the way things are now with the “I want it right now” generation.

            • stdPikachu
            • 12 years ago

            Ah OK. That makes it all fine then.

    • emi25
    • 12 years ago

    Somebody installs something on my computer without my knowledge?
    This isn’t the behavior of spyware or viruses?

    • Archer
    • 12 years ago

    NVM my comments

    • seeker010
    • 12 years ago

    /[

      • evermore
      • 12 years ago

      Is there any reason you would NOT want it to update the automatic updates software, which it MUST do if you want it to automatically check for updates? It’s implicit that you want the software to work when you tell it to check for updates, and it happens that it needs to update itself sometimes. Being able to decline a Windows Update is one thing, but being able to decline the update that allows you to check for updates is pointless.

        • Anomymous Gerbil
        • 12 years ago

        Some big assumptions in that comment.

          • evermore
          • 12 years ago

          Assumptions like if you turned it on you want it to work?

        • boing
        • 12 years ago

        Yep, there is one reason I can think. That is if you’re using a pirated version of Windows with a crackpatched Microsoft Update. 😉

        • davidedney123
        • 12 years ago

        How about if you’re in a validated environment (pharmaceuticals for me) so you have to get things re-validated if there are ANY changes. We don’t connect any validated machines to the internet just because of issues like this – and because in cases like the MS Blast worm our validated machines are vulnerable because they haven’t been patched since initial validation.

        More than anything it’s the principle – you tell MS not to go updating shit, but they do it anyway. That’s just the sort of guys they are.

    • barich
    • 12 years ago

    If Automatic Updates is completely disabled, the Windows Update client will not automatically update itself. You do not have to disable the “Automatic Updates” service to do this. You merely have to disable it in the Automatic Updates control panel.

    If, however, it is set to ask before installing updates, or ask before downloading updates, it will install updates for itself without asking.

    I’m not sure why this is a big deal, or even news at all. If you want to be notified when updates are downloaded or available, the Windows Update client needs to be the proper version to actually do it.

      • Archer
      • 12 years ago

      #12…Automatic Updates service and BITS are turned off on my PCs, and they still got updated.

        • evermore
        • 12 years ago

        Did you actually see an update event in the event viewer? Or did you go to the Windows Update website or install updates through some other means?

          • Archer
          • 12 years ago

          Nope. I was surprised to see that my files had been updated.

    • somegeek
    • 12 years ago

    There are a lot of good reasons to hate Vista and Windows but this doesn’t appear to be one of them:

    “…WU does not automatically update itself when Automatic Updates is turned off…”
    Nate Clinton, Program Manager, Windows Update

    <http://blogs.technet.com/mu/archive/2007/09/13/how-windows-update-keeps-itself-up-to-date.aspx>

    • droopy1592
    • 12 years ago

    I have updates off, but when I reboot lately (every 2 weeks or so) it says “installing updates” during the shutdown.

      • evermore
      • 12 years ago

      Your system is slowing down. It probably always said that but went by too fast to see.

      What I see during startup/shutdown in that box has changed several times over the years, with various patches and add-on software. My work computer shows “playing startup sound” even though I have no startup sound enabled. I think it’s an inaccurate description, it’s more like “checking to see whether a startup sound should play” or “checking whether updates need to be installed”.

    • provoko
    • 12 years ago

    Windows update updates itself silently? WTF!….

    • 2_tyma
    • 12 years ago

    This isn’t as bad as the Sony root kit in 2005.
    if it’s any consolation

    • Forge
    • 12 years ago

    Ok, I expect Slashdot to put up stories without fact checking, but I’m surprised that TR repeated it.

    MS didn’t push down updates to random machines, they installed updates to the Windows Update software itself, when the users VISITED THE WINDOWS UPDATE WEB SITE!!!!

    I don’t like MS much, but this is making a mountain out of a very small molehill.

      • evermore
      • 12 years ago

      Actually, the article says nothing about the Windows Update website. They are talking about the service/application running within Windows.

      There is some misleading language though, and they are blowing it up to be bigger than it is. The installs they’re complaining about occur when you set Windows Update to either download updates but ask before installing, or to get the update list but ask before downloading them. They’re calling this “disabling” Windows Update, but it’s not. It’s just an alternate setting for the service. The only way to disable it is to disable the Automatic Updates service in the Services list.

      However doing that prevents the WU website from working (which means it’s more than just Automatic Updates, but we’re used to MS slapping together unrelated code in DLLs anyway). So you set WU to not perform any downloads and let you do it manually. This does not disable Windows Update, but it turns off automatic updates of any kind.

      If you choose to let the service download updates or download the list, then the service must be updated in order to run. That’s inherent in the way Microsoft does it. If you go to the website, you must install the latest version even to view the update list. So it’s inherent in any form of automatic updating that the service will download and install its latest version, because you’ve told the system you want it to perform updating of some sort. You’ve implicitly given it permission to update the WU service.

      The Vista privacy statement they refer to sounds like explicit permission to run these updates to me, even if it’s not spelled out. I’m not sure what they’re talking about saying Windows Update isn’t in the list. It is, under Privacy Statements for additional features and services, which they seem to have found but don’t count as part of the list because it’s not “supplemental”. The Update privacy statement also points out that you can disable it or set it to ask for permission before installing. It doesn’t explicitly state that the WU service is updated automatically, it’s just implied by you wanting it to run.

        • BiffStroganoffsky
        • 12 years ago

        You have to give Microsoft some credit for that misleading language as one option in the auto update tab is ‘turn off auto update’…but it doesn’t inform you that you still have to turn the service off. I turned both off on my box over a year ago and I found that I have had some DRM .dlls and other files dated around 08/2007 when I scanned with hijackthis. Since this is my workstation, I chalked it up to the IT department’s shenanigans with the WUS service since I don’t log into the AD. I wouldn’t be too surprised if they found that you could push packages to any machine within the broadcast range of a Windows Update Server without consent.

          • Master Kenobi
          • 12 years ago

          I work as an infrastructure engineer in my IT department and frankly we update whatever we want when we want as long as change control procedures are adhered to. Users have 0 rights to their machines.

      • WaltC
      • 12 years ago

      Agreed, Forge. The really funny thing, in addition to all of the usual strained hyperbole surrounding these non-events, is that every time users visit a web page they’d be amazed to learn–I guess–that lots of files are downloaded to their boxes without ever making themselves known or asking for permission to install.

      If Microsoft isn’t found to actually be loading evil stuff on people’s machines “without their permission” I guess people have got to make up stuff to try and assert a negative where none exists. But really, this kind of alarmist stuff stems from ignorance as much as it does from anything else. It wasn’t too long ago that people were accusing ATi of downloading “spyware” inside their drivers just because Windows checked the Windows update site every time they’d install a new gpu driver…;)

    • Vrock
    • 12 years ago

    So the question is, why?

      • lethal
      • 12 years ago

      They’ll just probably say “security concerns” or something along the lines to try to justify it, but who knows how long have they been doing it without anyone noticing.

        • UberGerbil
        • 12 years ago

        Actually, this kind of thing gets noticed almost immediately. Changes to any of the executables in the system directory look like a potential virus infection, trojan, or other malware, and that causes a lot of people to have a look. They don’t make a big deal out of it when they see it’s MS updating things via Windows Update, but they do notice.
