Microsoft updating Windows without permission


Beerman


Article

 

I can now confirm that the stealth Windows Update that I blogged about yesterday actually exists - because I’ve detected its presence on a machine at the PC Doc HQ.

 

At the PC Doc HQ we have several systems set not to update. This is so that they are kept at a specific patch level for testing duties. Many of these systems are virtual machines but some are physical. When I heard about this stealth update I decided to take a look at one of these systems that don’t update automatically - and within seconds I found what I was looking for.

 

Which files are updated depends on the OS you are running. The updated files on Vista are:

 

* wuapi.dll
* wuapp.exe
* wuauclt.exe
* wuaueng.dll
* wucltux.dll
* wudriver.dll
* wups.dll
* wups2.dll
* wuwebv.dll

 

And on XP SP2:

 

* cdm.dll
* wuapi.dll
* wuauclt.exe
* wuaucpl.cpl
* wuaueng.dll
* wucltui.dll
* wups.dll
* wups2.dll
* wuweb.dll

 

The test system was running Windows XP SP2. Reports and rumors suggest that this update was being pushed out on or around the 24th of August so I fired up Event Viewer and scrolled down to this date … and here’s what I found:

Link to comment
Share on other sites

I checked on the Win2000 - not all of them - but several were updated 30July07 (not when I would've been going to Microsoft on the 2nd Tuesday or thereabout), and another updated in August.

 

So that's what's been causing a blocked line - they think they can do it in the "background", but on 56k there is no "background".

 

They should advise they are doing it - not that I would necessarily stop it, but I want to know what's coming down. (And when I break a "blocked line" connection and redial, it doesn't help their cause, either.)

 

Lynn

 

Edit: I was given a 13 GB HD, and a CD of Ubuntu 7. Don't push me.

Link to comment
Share on other sites

I decided to take a look at one of these systems that don’t update automatically - and within seconds I found what I was looking for. wuapi.dll

 

 

I see no updates for XP SP2, on 24 Aug 07. For wuapi.dll.

7.0.6000.374 (winmain(wmbla).070416-2057)

 

"The point of the article is that updates were/are taking place with the update service turned off."

 

Stealth updates - Right or wrong?

 

Wrong on my machine!

 

cd

Link to comment
Share on other sites

cd,

 

I did a bit of digging and found two entries for one of those .dlls. They're in...C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\5.8.0.2469\.........

and one C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.374 dated August 24

 

Something you might want to check. Go to the Microsoft Windows Update site and check your Update History.

 

I have Automatic Updates shut off and have had them shut off for over a year. I do manual updates. On August 25th, I have several entries marked Automatic Update for that date. Now it's possible that I updated on a Saturday, but highly unlikely.

 

Most of my other updates are marked 'Windows Update'.

 

Do you happen to have updates marked August 25th?

Link to comment
Share on other sites

So that's what's been causing a blocked line - they think they can do it in the "background", but on 56k there is no "background".

When something takes over my connection, I terminate immediately.

 

Side note . . . I just got the muBlinder thing up and running yesterday and it works a treat!

 

Edit: I was given a 13 GB HD, and a CD of Ubuntu 7. Don't push me.

I installed Feisty on a second box with only a 9GB drive! It has a secondary 30GB drive that I want to network and use for backup - almost got the NFS mounting thing figured out. Too much to learn . . . so little time . . .

Link to comment
Share on other sites

 

cd,

 

I did a bit of digging and found two entries for one of those .dlls. They're in...C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\5.8.0.2469\.........

and one C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.374 dated August 24

 

Something you might want to check. Go to the Microsoft Windows Update site and check your Update History.

 

K

 

I have Automatic Updates shut off and have had them shut off for over a year. I do manual updates. On August 25th, I have several entries marked Automatic Update for that date. Now it's possible that I updated on a Saturday, but highly unlikely.

 

Most of my other updates are marked 'Windows Update'.

 

Do you happen to have updates marked August 25th? NO

 

 

" They're in...C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\5.8.0.2469\........."

 

5.8.0.2469 built by: lab01_n(wmbla) Modified Thursday, May 26, 2005, 4:16:30 AM

 

"C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.374 dated August 24"

 

7.0.6000.374 (winmain(wmbla).070416-2057) Modified Monday, April 16, 2007, 10:47:36 PM.

 

 

Do you show a "C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.374??

 

cd

Link to comment
Share on other sites

I checked my Update History on the M$ update site. Last updates I downloaded were in May until the ones I manually downloaded yesterday. I was delighted to see that WGA has NOT been downloaded and installed. WOOT!! Seems my Automatic Updates really are turned off. During the update process I have noticed several sneaky options to enable them. It would be easy to click one by mistake.

 

Do you show a "C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.374??

Yes, I do! But it came via yesterday's muBlinder updates.

 

Now I need to check if MC 7.5 still works!

Link to comment
Share on other sites

I'm happy to note that my list of wu*.* and cdm.dll shows none of them have been touched.

 

What worries me though, is how does MS push these things onto people's machines when their updates are turned off. Does the new update system that MS pushed out some while back actually have a backdoor activator?

 

We've all known that lots of MS stuff is ad-ware, and spy-ware. Does this prove it has trojan modules as well?

 

Brendon

Link to comment
Share on other sites

I'm happy to note that my list of wu*.* and cdm.dll shows none of them have been touched.

 

What worries me though, is how does MS push these things onto people's machines when their updates are turned off. Does the new update system that MS pushed out some while back actually have a backdoor activator?

 

We've all known that lots of MS stuff is ad-ware, and spy-ware. Does this prove it has trojan modules as well?

 

Brendon

I wondered this too, but can we trust that when we do allow an update, say for Junk Filter or spyware or whatever, that they are not also sneaking in other things?

Link to comment
Share on other sites

During the update process I have noticed several sneaky options to enable them. It would be easy to click one by mistake.

 

My automatic update has been OFF for several months. Microsoft did manage to turn it on last year and for some time I had their http:\\ address blocked to prevent them from turning it on. I'd do it again, but who knows what addresses they're using to update now. There were 2 of them last year - one was not obvious.

 

If there were a good alternative to MS's 'Big Brother' Operating Systems, I'd be using it.

Link to comment
Share on other sites

I would like to address another misconception that I have seen publicly reported. WU does not automatically update itself when Automatic Updates is turned off, this only happens when the customer is using WU to automatically install upgrades or to be notified of updates.

 

So what he's saying is that if you peep through their keyhole to see what updates are inside, you will be grabbed and held down and you will receive the WU updates, whether you want them or not.

 

That would help explain why MS shut down other sites distributing genuine MS updates - they don't slip the stealth updates into your drink when you're not looking.

Link to comment
Share on other sites

What actually happened, when I went to Microsoft Update on one occasion, was that it asked to install the activeX for the updater, which installed those files. I could have refused, but then would not have been able to use Microsoft Update. I can't really see the problem, myself: if one wants to manually update (as I do) by going to Microsoft Update, then it seems quite reasonable that if they change the update software that you should have your version updated. If one is using one or other option of Automatic updates, ditto.

 

But of course bashing Microsoft is a popular sport, played with greater enthusiasm, the more paranoid the player.

 

If you want a replacement for Autopatcher, check out

 

http://www.heise-security.co.uk/articles/80682

Link to comment
Share on other sites

Microsoft responds to stealth update issue

 

There have been some questions raised about how we service the Windows Update components and concerns expressed about software installing silently. I want to clarify the issue so that everyone can better understand why the self-updating of Windows Update acts the way it does. So first some background: Windows Update is designed to help our consumer and small business customers (customers without an IT staff) keep their systems up-to-date.

 

To do this, Windows Update provides different updating options:

1) Install updates automatically,

2) Download updates but let me choose whether to install them,

3) Check for updates but let me choose whether to download and install them, and

4) Never check for updates.

 

Our goal is to automate the process wherever possible so that we can increase the likelihood of a system being secure and up-to-date, while giving customers the flexibility to control how and whether updates are installed. The reasons for this are both philosophical and practical. Philosophically, Microsoft believes that users should remain in control of their computer experience. Practically, customers have told us that they want to have time to evaluate our updates before they install them. That said, and to the benefit of both customers and the IT ecosystem, most customers choose to automate the updating experience. So what is happening here? Windows Update is a service that primarily delivers updates to Windows. To ensure on-going service reliability and operation, we must also update and enhance the Windows Update service itself, including its client side software. These upgrades are important if we are to maintain the quality of the service.

 

Of course, for enterprise customers who use Windows Server Update Services (WSUS) or Systems Management Server (SMS), all updating (including the WU client) is controlled by the network administrator, who has authority over the download and install experience. One question we have been asked is why do we update the client code for Windows Update automatically if the customer did not opt into automatically installing updates without further notice? The answer is simple: any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available. Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications. That result would not only fail to meet customer expectations but even worse, that result would lead users to believe that they were secure even though there was no installation and/or notification of upgrades. To avoid creating such a false impression, the Windows Update client is configured to automatically check for updates anytime a system uses the WU service, independent of the selected settings for handling updates (for example, “check for updates but let me choose whether to download or install them”). This has been the case since we introduced the automatic update feature in Windows XP. In fact, WU has auto-updated itself many times in the past.

 

The point of this explanation is not to suggest that we were as transparent as we could have been; to the contrary, people have told us that we should have been clearer on how Windows Update behaves when it updates itself. This is helpful and important feedback, and we are now looking at the best way to clarify WU’s behavior to customers so that they can more clearly understand how WU works. At the same time, however, we wanted to explain the rationale for the product’s behavior so our customers know what the service is doing: WU updates itself to make sure it continues to work properly. We are also confident that the choice to use Automatic Updating continues to be the right choice. Before closing, I would like to address another misconception that I have seen publicly reported. WU does not automatically update itself when Automatic Updates is turned off, this only happens when the customer is using WU to automatically install upgrades or to be notified of updates. Providing and maintaining the WU service is important to enable us to service our customers and help them maintain safe, more secure and reliable computers.

 

We take this responsibility very seriously and we are proud of the impact that Windows Update has had to help users with safety, security and reliability over the years. Updating the client has been and remains a critical piece to this approach. We appreciate the feedback and I hope that this post helps you to understand the situation and our strategy.

Link to comment
Share on other sites

I checked each of the files that Paul originally posted for XP/sp2 and here's what I have on my computer:

 

cdm.dll: 2-28-06
wuapi.dll: Created 4-21-07, Modified 2-28-06. That doesn't make sense (Modified before being created)
wuauclt.exe: same as above
wuaucpl.cpl: same as above
wuaucpl.cpl (manifested): 4-21-07
wuaueng.dll: Created 4-21-07, Modified 2-28-06 ???
wucltui.dll: same as above
wups.dll: same as above
wuweb.dll: same as above

 

I read MS's explanation of why the "stealth" type downloads and I think it was just a bunch of words to appease those that were complaining. IMHO, I wouldn't trust MS as far as I could throw them. That's one good reason to turn OFF the updates.

 

Frank...

Link to comment
Share on other sites
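
A version and timestamp inventory of the XP SP2 files listed in this thread, compared against a saved baseline, as an added example that is not part of any post here. The file names and the 7.0.6000.374 version string come from the posts; the function name, output columns and baseline path are assumptions of the example.

```powershell
# Added example. File names and the reported version come from the thread;
# Get-WuClientInventory and the baseline path are hypothetical names.
$xpSp2Files = 'cdm.dll','wuapi.dll','wuauclt.exe','wuaucpl.cpl','wuaueng.dll',
              'wucltui.dll','wups.dll','wups2.dll','wuweb.dll'
$reportedVersion = '7.0.6000.374'

function Get-WuClientInventory {
    param(
        [string[]]$Names,
        [string]$Directory = (Join-Path $env:SystemRoot 'system32')
    )
    foreach ($name in $Names) {
        $path = Join-Path $Directory $name
        $item = $null
        if (Test-Path -LiteralPath $path) { $item = Get-Item -LiteralPath $path }
        # Cast to string so a missing file or missing version resource compares as ''.
        $ver = if ($item) { [string]$item.VersionInfo.FileVersion } else { '' }
        [pscustomobject]@{
            File              = $name
            Present           = [bool]$item
            FileVersion       = $ver
            IsReportedVersion = ($ver -like "$reportedVersion*")
            Created           = if ($item) { $item.CreationTime }  else { $null }
            Modified          = if ($item) { $item.LastWriteTime } else { $null }
            # A copy gets a fresh creation time but keeps the source's last-write
            # time, so Created later than Modified marks when the file was placed.
            CreatedAfterModified = ($item -and $item.CreationTime -gt $item.LastWriteTime)
        }
    }
}

$current = Get-WuClientInventory -Names $xpSp2Files
$current | Format-Table File, FileVersion, IsReportedVersion, Created, Modified -AutoSize

# Versions staged by the updater, as in the ServiceStartup paths quoted in the thread.
$staging = Join-Path $env:SystemRoot 'system32\SoftwareDistribution\Setup\ServiceStartup'
if (Test-Path -LiteralPath $staging) {
    Get-ChildItem -LiteralPath $staging -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, CreationTime, LastWriteTime
}

# First run saves a baseline; later runs list files whose version string changed.
$baseline = Join-Path $env:TEMP 'wu-client-baseline.csv'   # hypothetical location
if (Test-Path -LiteralPath $baseline) {
    Compare-Object (Import-Csv $baseline) $current -Property File, FileVersion
} else {
    $current | Select-Object File, FileVersion | Export-Csv $baseline -NoTypeInformation
}
```

On a machine held at a fixed patch level, an empty `Compare-Object` result means none of the listed files changed version since the baseline was taken.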

Archived

This topic is now archived and is closed to further replies.
