OT: Windows is updating whether you like it or not

TGS wrote on 9/13/2007, 12:28 PM
I've been suspecting this for a while, but what can you do?

http://blogs.zdnet.com/hardware/?p=779#more-779

September 13th, 2007
Confirmation of stealth Windows Update
Posted by Adrian Kingsley-Hughes @ 3:46 am

I can now confirm that the stealth Windows Update that I blogged about yesterday actually exists - because I’ve detected its presence on a machine at the PC Doc HQ.

At the PC Doc HQ we have several systems set not to update automatically. This is so that they are kept at a specific patch level for testing duties. Many of these systems are virtual machines but some are physical. When I heard about this stealth update I decided to take a look at one of these systems that don’t update automatically (it was set to download and notify) - and within seconds I found what I was looking for.

Which files are updated depends on the OS you are running. The updated files on Vista are:

* wuapi.dll
* wuapp.exe
* wuauclt.exe
* wuaueng.dll
* wucltux.dll
* wudriver.dll
* wups.dll
* wups2.dll
* wuwebv.dll

And on XP SP2:

* cdm.dll
* wuapi.dll
* wuauclt.exe
* wuaucpl.cpl
* wuaueng.dll
* wucltui.dll
* wups.dll
* wups2.dll
* wuweb.dll

The test system was running Windows XP SP2. Reports and rumors suggest that this update was being pushed out on or around the 24th of August so I fired up Event Viewer and scrolled down to this date … and here’s what I found:

Here’s the entry showing the update kicking off.


Update completed successfully - but note the lack of information regarding the update.


Here’s one of the updated files.


These updates without notification are a slippery slope. I just don’t like the idea of having updates foisted upon systems without being aware that they are coming in and having the option to postpone them. Why? Simple. IT’S MY PC!!! If a user chooses not to have updates installed automatically, Microsoft needs to respect this decision. Period. If this is not possible, notifications should be made after the update has been installed clearly identifying the updates, describing what they do and giving users a way to roll back the system if they want to.
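
An added example, not part of the original post or the quoted article: a read-only Windows PowerShell script for the check the article describes, listing the version and timestamps of the named files, pulling update-related System log entries for a date window, and showing how the Automatic Updates service is configured. It assumes Windows PowerShell 2.0 or later; the date window and the `*Update*` source filter are assumptions, not values from the article.

```powershell
# Added example: read-only audit of the Windows Update client, changes nothing.
param(
    # Constructed defaults: a window around the date the article mentions.
    [datetime]$From = '2007-08-20',
    [datetime]$To   = '2007-09-14'
)

# File names exactly as listed in the article (Vista and XP SP2 lists merged).
$wuFiles = 'cdm.dll', 'wuapi.dll', 'wuapp.exe', 'wuauclt.exe', 'wuaucpl.cpl',
           'wuaueng.dll', 'wucltui.dll', 'wucltux.dll', 'wudriver.dll',
           'wups.dll', 'wups2.dll', 'wuweb.dll', 'wuwebv.dll'
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Version and timestamps of each file that exists on this OS.
$files = foreach ($name in $wuFiles) {
    $path = Join-Path $sys32 $name
    if (Test-Path $path) {
        $item = Get-Item $path
        New-Object PSObject -Property @{
            File     = $name
            Version  = $item.VersionInfo.FileVersion
            Created  = $item.CreationTime
            Modified = $item.LastWriteTime
        }
    }
}
$files | Sort-Object File | Format-Table File, Version, Created, Modified -AutoSize

# 2. System log entries in the window whose source mentions "Update".
#    The wildcard is an assumption; source names differ between Windows versions.
Get-EventLog -LogName System -After $From -Before $To |
    Where-Object { $_.Source -like '*Update*' } |
    Sort-Object TimeGenerated |
    Format-Table TimeGenerated, EventID, Source, Message -AutoSize -Wrap

# 3. State and start mode of the Automatic Updates service (wuauserv).
Get-WmiObject Win32_Service -Filter "Name='wuauserv'" |
    Format-List Name, DisplayName, State, StartMode
```

Comparing the Version column against a machine known to be at the earlier patch level is the meaningful check, since file timestamps can reflect build time rather than install time.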

Comments

Former user wrote on 9/13/2007, 12:32 PM
I've been suspecting this for a while, but what can you do?

Do what I do. Shut off Automatic Updates. No way MS can update anything if it's off.

VP
TGS wrote on 9/13/2007, 1:08 PM
It's set so it's supposed to ask me first, then I choose if I want it or not.
The day before yesterday, the 2nd Tuesday of the month, the normal day of Windows updates, I was only offered the suspicious malware check, which happens on every 2nd Tuesday of the month, but usually there's another 4MB or more of other update stuff too. Nothing else this last Tuesday.
Former user wrote on 9/13/2007, 1:47 PM
As long as your Auto Updates service is running - who knows what MS can do? Shut off the service and then turn it back on manually just after Patch Tuesday and do your updates.

Been doing this for years without an issue.

VP
p@mast3rs wrote on 9/13/2007, 1:48 PM
Turning off Auto Updates DOES NOT prevent the silent update.
Former user wrote on 9/13/2007, 2:16 PM
I didn't say turn it off (the 4th option on System Properties->Automatic Updates). I said disable the service - then and only then is it truly off.

VP
TGS wrote on 9/13/2007, 2:38 PM
Please give me some 'vocal points' on how to do this. Because you say it like you think everybody knows already. It may be obvious to some, but I'm still relatively new to the computer world, compared to some who have grown up with it.
I've been taking all the updates anyway, but I don't like knowing that they're being done behind my back, without even being informed.
I honestly feel as if I'm going to have to build a machine that never gets connected to the internet, just to feel safe.
Just knowing this, makes me feel as if I'm in old Communist Russia.
Kennymusicman wrote on 9/13/2007, 2:41 PM
Try peerguardian - it'll block anything and everything you want from actually getting out, it's free, and damn useful for stopping advert companies getting through too.

Try it - it might just scare you how much of the internet is "inhabited" by the advertisers....

HTH

Ken
riredale wrote on 9/13/2007, 2:48 PM
MS usually gives several ways to accomplish a task, but here's one way:

(1) Start/Run

(2) Type in "services.msc"

(3) Scroll down to the "Automatic Updates" entry and double-click on it.

(4) Under the General tab, hit "Stop", then change the Startup Type to "Disabled."

Or at least this is how I can get to it on my XPpro SP1 system. I've never used the Automatic Updates service on my system (I like to know exactly what it's being fed) so maybe others will have additional input.
TGS wrote on 9/13/2007, 3:17 PM
I use an older free version of Zone Alarm and it will shut off the win32 services from connecting, but if I shut em down then I can't get on the internet. So, Windows makes it possible that they have access to your computer as long as you're connected. Those Win 32 services are quite active. But why? Why do we need a connection to Windows when connected to the internet. I don't remember this being done with good ol' Windows ME. lol.
This is what gives me the 'Big Brother' vibe.
I don't really use Zone Alarm so much as a Firewall. It's just a way to control some programs from taking liberties of connecting every time I start them up, which also annoys me.
Former user wrote on 9/13/2007, 7:27 PM
TGS,

Riredale had a good method. You could also go Control Panel->Admin Tools->Services and disable Automatic Updates. Many ways actually - but just shut it down if you are worried about anything slippin' in "unannounced".

FWIW - I checked my event logs for August 24. Nadda in there about anything being updated.
GenJerDan wrote on 9/14/2007, 2:11 AM
And every one of those files is part of Microsoft/Windows Update.

Yawn.

All it's doing is updating itself, not anything else on your system.
fwtep wrote on 9/14/2007, 12:14 PM
GenJerDan,
Let's say you're in the middle of a very long render (I've had 4 day renders) and MS decides to do an update without asking me and it messes something up (it's not at all unheard of for a patch to be faulty or have installation problems). Bam, there goes a couple of days' rendering. I'm not saying that WOULD happen, but it very well COULD happen, so I don't like the idea of MS doing something without my permission even if it *is* just a little OS update and not something malicious.
blink3times wrote on 9/14/2007, 1:13 PM
"Riredale had a good method. You could also go Control Panel->Admin Tools->Services and disable Automatic Updates. Many ways actually - but just shut it down if you are worried about anything slippin' in "unannounced"."
==============================================
It's a good idea... but a good third party firewall is by far the best way of doing it. I use Sygate as opposed to TGS and his Zone Alarm. But the point is that you can control EVERYTHING going in and out of your machine. And EVERY in/out signal attempt is logged so you can easily check what program(s) are trying to sneak a connection.
nolonemo wrote on 9/14/2007, 1:18 PM
Seems to me that because the software firewall could be compromised because it must interact with the OS per MS's specs in order to run, that the only secure blocking (apart from unplugging from the internet) is to block MS sites in your router's firewall.
TGS wrote on 9/14/2007, 3:09 PM
What I want to know is, what is a 'Generic host for Win 32 services'? Because I seem to always have two of these operating in the firewall at all times when connected to the internet. If I disable these, I can't connect. It sounds like a catch 22. You want to get on the internet? You have to go through M$.
GenJerDan wrote on 9/14/2007, 5:00 PM
Let's say you're in the middle of a very long render (I've had 4 day renders) and MS decides to do an update without asking me. . .

On long renders (or similar), I'd disconnect from the internet, anyway. Or just disable the NIC, since the network cable is way the heck down there under the desk.

Under normal circumstances...I'd rather they did security updates without waiting around for me to approve them. Much better than coming back to my computer and finding someone has gotten in while I was off watching Desperate Housewives. (And their lawyers probably prefer it, too.)

I'd really like it if they updates on subsystems that actually *do* access the main system as a matter of course...like Windows Update and such.

craftech wrote on 9/14/2007, 6:15 PM
Get rid of the Windows Genuine Advantage Validation Update. It was a "required" update to benefit Microsoft at your expense.

Here are several suggestions on how to get rid of it. Once you get rid of that, disable Automatic Updates. Here is another method.

John
riredale wrote on 9/14/2007, 10:07 PM
I was stunned to hear about this stealth update. It's one thing to be notified of an update and quite another thing for MS to quietly change your system files WITHOUT any prior approval.

Someone made a big mistake at MS in doing this. I expect that this will flare up and MS will quickly apologize. Problem is, if they can do it once they could do it any time in the future they wanted. The only recourse I see is to disable (not just "turn off" but disable) the auto-update function.
craftech wrote on 9/15/2007, 6:03 AM
What I want to know is, what is a 'Generic host for Win 32 services'? Because I seem to always have two of these operating in the firewall at all times when connected to the internet. If I disable these, I can't connect. It sounds like a catch 22. You want to get on the internet? You have to go through M$.
===============
'Generic host for Win 32 services' basically consolidates (hosts) dlls from other processes so that svchost.exe can set up the services required.

Second post here explains it in detail if you want to read it all. Bottom line: There is no way around it from Windows 2000 and up. Although my main editing computer runs Windows XP Pro, I use a W98SE computer for every day computing. Love it.

John
fwtep wrote on 9/15/2007, 8:43 AM
GenJerDan wrote:
On long renders (or similar), I'd disconnect from the internet, anyway. Or just disable the NIC, since the network cable is way the heck down there under the desk.

What I'd rather do is have MS respect my settings. I often still use the internet when I'm rendering-- nothing that will slow down or cause problems with the render of course.

And here's the other thing: Even if I was OK with disconnecting from the internet during a render, how was I supposed to know that I should do that, since I set XP to not update without my permission, and until this story surfaced there was no way I could know MS was doing it behind my back? (It's not like the average person thinks "hey, I have auto update set to ask for permission, let me poke around and see if MS did a stealth update without my approval.")

I'd rather they did security updates without waiting around for me to approve them.

Well you CAN set it like that-- it's even the default. But it's wrong of them to do auto updates even when you've specifically told them NOT to.

And what if something's updating (that I'm unaware of) and I shut off my machine in the middle of it? That could cause problems.

I'm not saying I'm outraged, and that MS should be sued or anything, I'm just saying that a) your original comment that it was just an OS update and nothing malicious is irrelevant because it could still cause serious problems, and b) they should stop.

they should stop.
TGS wrote on 9/27/2007, 12:05 PM
If anybody is interested, a little more on this:
http://blogs.zdnet.com/hardware/?p=817&tag=nl.e622