I subscribe to Windows Secrets and receive regular email newsletters from them.
Their motto is: Everything Microsoft forgot to mention.
Am I paranoid where Microsoft is concerned? Damn straight I am! No, I realize I don't make a secret of this -- but I think there's good reason for concern. And if you're paranoid, too, then I suggest you read this article (under the cut) on how to protect yourself from silent Windows updates...
Protect yourself from silent Windows updates
By Scott Dunn
Microsoft has confirmed Windows Secrets' Sept. 13 story that Windows Update periodically installs certain files even if you've selected a "do not install" option.
Many companies and individuals require prior notification before any files are changed, so I explain today how you can completely prevent silent installs, if you wish.
Microsoft acknowledges the lack of notice
In my Sept. 13 article, I reported that Windows Update (WU) has been silently installing nine small executable files on Windows XP and Vista, despite the fact that users had disabled auto-installation. The files that WU has overwritten to date consist of benign support files — but many Windows users expressed outrage that any process was installing files without notification.
Reaction from Microsoft to the article was almost immediate. In a post the same day on the Microsoft Update Product Team Blog, program manager Nate Clinton confirmed that updates to Windows Update itself are performed without notifying users. This is true even if users specify Let me choose when to install them or Notify me but don't automatically download or install (two of the four options available to users).
In his statement, Clinton acknowledged that the silent file writes are not what users expect after they disable automatic installs:
- "The point of this explanation is not to suggest that we were as transparent as we could have been; to the contrary, people have told us that we should have been clearer on how Windows Update behaves when it updates itself. This is helpful and important feedback, and we are now looking at the best way to clarify WU's behavior to customers so that they can more clearly understand how WU works."
- "Your comments are completely understandable and I'm making sure the WU team is well aware of how the community feels on this issue. You'll note in Nate's post (the one I linked to) that we freely admit to having fallen down on this issue and that we can, and should, do better when it comes to behaviors of this type and the necessary disclosure of same. Please know that we hear what you have to say and are taking your feedback seriously. (I, for one, want to avoid similar events in the future, as reactive posts such as this one are not what I want to spend my time blogging about.)"
- "The situation I am describing is *exactly* the same thing as happens with an out-of-the-box XP SP2 install: you see a WU update available and nothing more. Once you install WU, you see the dozens of other updates available. Works great in theory, and in practice.
"There is absolutely no excuse for updating executable code on a customer's machine when the customer has selected a choice of 'but let me choose whether to install them.' Period. Full stop. No exceptions."
One of the first test centers to independently confirm WU's silent installs was eWeek Labs. An eWeek analyst, Andrew Garcia, published a blog entry on Sept. 13 documenting the logs of two test machines that had been set to Notify but do not install updates. According to Garcia, even though one of the PCs hadn't been touched in months, both machines showed evidence that version 7.0.6000.381 of the files had been installed in August.
The lab had acted at the request of eWeek's Microsoft Watch columnist Joe Wilcox, one of several journalists who picked up on a press release issued by Windows Secrets publicist Revell-Pechar Inc.
In a series of three blog posts, Wilcox wrote that nothing in the Windows Update Privacy Statement gives Microsoft "permission to update without user consent" (Sept. 12); that "the silent downloads also raise questions about ownership" of users' PCs (Sept. 13); and that Microsoft was using the existence of its employees' blog posts "to avoid answering tough questions the news media might ask about privacy and Windows Update" (Sept. 14).
One blog, Nynaeve, recounted yet another downside to the silent updates. The patching process had awakened the blogger's portable computer from standby mode at 3:00 a.m. while stored in an insulated laptop bag. Because the update process failed to put the computer back into standby after the installation, the laptop's battery was exhausted by the time the writer discovered the problem later that day. Furthermore, the fact that the computer was running in a bag for so long could damage the machine and might even pose a fire hazard.
To say this story has sparked controversy would be an understatement. The comments flying around the Web vary from outrage to the exact opposite position: that Microsoft is completely right to install WU support files, regardless of the user's Automatic Updates preferences.
One account, in the Handler's Diary blog, said there was no cause for concern since the Turn off Automatic Updates setting in the Automatic Updates control panel prevents the silent updates from occurring. (This is true, although it generates repeated boot-up warnings, as described below. Some readers incorrectly inferred from my article that even this setting allows stealthy updates; it does not.)
Perhaps the situation is best summed up by reporter Todd Bishop, who wrote in a Seattle Post-Intelligencer article:
- "But all of those details shouldn't obscure the bottom line: According to the evidence assembled by Windows Secrets, these updates were silently downloaded and installed, without notifying end users, even in cases where those end users had specifically told Microsoft, through their PC settings, not to install updates without letting them choose to do so."
It's important to note that there is no reason to remove or roll back the updated support files that Windows Update may have installed on a PC. There's no evidence that these files are harmful or cause any software conflicts.
Furthermore, if you use a corporate patch management solution, such as Microsoft's WSUS (Windows Server Update Services), you circumvent Windows Update and no files will be installed by WU.
But if you're an individual or a small business using Windows Update (or its enhanced sibling, Microsoft Update), you may be concerned about Microsoft installing patches before you've had a chance to research their reliability. In that case, you can completely turn off the Automatic Updates Agent, thereby preventing updates or even notifications from occurring.
If you take this step, you'll become solely responsible for learning about new Microsoft patches yourself. I'll explain below how to adapt to this situation. In the meantime, here's how to turn off Automatic Updates and prevent stealth installs:
In Windows XP, take these steps:
Step 1. Open Control Panel and launch Automatic Updates (in the Security Center category).
Step 2. Select Turn off Automatic Updates. Click OK.
In Windows Vista, take these steps:
Step 1. Open Control Panel and launch Windows Update (in the System and Maintenance category).
Step 2. In the left pane, click Change settings.
Step 3. Click Never check for updates (not recommended). Click OK.
Step 4. Click Continue, if prompted by User Account Control.
With Automatic Updates turned off, Windows Update will still update itself (and notify you of patches), but only when you manually launch Windows Update and give your consent.
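The Control Panel steps above write a single registry value, so an administrator can verify that the "turn off" setting actually took (and that no Group Policy is overriding it) without clicking through the dialogs. The PowerShell script below is an added example, not part of the Windows Secrets article: it reads the Automatic Updates option the way Windows stores it, reports which source (policy or Control Panel) is in effect, and lists the version and last-modified time of a few Windows Update Agent files so you can compare them with the 7.0.6000.381 build and August dates that eWeek Labs observed. The registry paths and the meaning of the AUOptions values are the documented Windows Update Agent settings; the list of agent files to inspect is an assumption of this example (well-known WUA binaries), not the article's exact set of nine files.

```powershell
# Added example (not from the article): audit the Automatic Updates
# configuration and the installed Windows Update Agent file versions.
# Works on PowerShell 2.0 (XP SP2 / Vista era); run from an elevated prompt.

$auKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Meaning of the AUOptions DWORD; 1-4 correspond to the four Control Panel
# choices the article describes, 5 only appears in Group Policy.
$auMeaning = @{
    1 = 'Turn off Automatic Updates / Never check for updates'
    2 = 'Notify before download (do not download or install)'
    3 = 'Download automatically, notify before install (let me choose)'
    4 = 'Download and install automatically on a schedule'
    5 = 'Allow the local administrator to choose the setting (policy only)'
}

function Get-AutomaticUpdatesState {
    $local  = Get-ItemProperty -Path $auKey     -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # A Group Policy value, when present, overrides the Control Panel setting,
    # so check the policy key first.
    if ($policy -and $policy.NoAutoUpdate -eq 1) {
        $option = 1; $source = 'Group Policy (NoAutoUpdate=1)'
    } elseif ($policy -and $policy.AUOptions) {
        $option = [int]$policy.AUOptions; $source = 'Group Policy (AUOptions)'
    } elseif ($local -and $local.AUOptions) {
        $option = [int]$local.AUOptions; $source = 'Control Panel (AUOptions)'
    } else {
        $option = $null; $source = 'not set'
    }

    New-Object PSObject -Property @{
        AUOptions = $option
        Meaning   = $(if ($option) { $auMeaning[$option] } else { 'unknown' })
        Source    = $source
        # Status of the Automatic Updates service itself
        Service   = $(Get-Service wuauserv -ErrorAction SilentlyContinue).Status
    }
}

function Get-WuaFileVersions {
    # Assumed list of Windows Update Agent binaries to inspect; these are
    # well-known WUA files, not necessarily the nine the article refers to.
    $files = 'wuauclt.exe', 'wuaueng.dll', 'wuapi.dll', 'wuauserv.dll', 'wups.dll', 'wups2.dll'
    foreach ($name in $files) {
        $path = Join-Path $env:windir "system32\$name"
        if (Test-Path $path) {
            $item = Get-Item $path
            New-Object PSObject -Property @{
                File          = $name
                Version       = $item.VersionInfo.FileVersion
                LastWriteTime = $item.LastWriteTime   # compare with the dates you expect
            }
        }
    }
}

Get-AutomaticUpdatesState | Format-List AUOptions, Meaning, Source, Service
Get-WuaFileVersions | Sort-Object LastWriteTime -Descending |
    Format-Table File, Version, LastWriteTime -AutoSize
```

After completing the XP or Vista steps above, the report should show AUOptions 1 from the Control Panel source. If the source is Group Policy, the Control Panel dialog is greyed out and the setting has to be changed in policy instead. A later agent file version or a LastWriteTime you do not recognise is the evidence trail the eWeek analyst used to confirm a silent update.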
What to do about repeated boot-up warnings
Turning off Automatic Updates can cause Windows Security Alert pop-up balloons to appear in the taskbar tray every time you log on. (See Figure 1.)
If this bothers you, Windows XP allows you to suppress any warnings that relate to Automatic Updates. You can also do this in Vista but, unfortunately, the newer OS forces you to turn off all security alerts just to suppress the Automatic Updates warnings.
To eliminate the warning balloons about Automatic Updates in both XP and Vista, take these steps:
Step 1. Double-click the red shield icon in the taskbar, or open the Control Panel and launch the Security Center.
Step 2. In the left pane or box, click Change the way Security Center alerts me.
Step 3. In XP, uncheck Automatic Updates and click OK. In Vista, select the second or third option.
Use Secunia's Software Inspector to check for updates
With the Windows Update Agent turned off, how will you know if you have the latest security patches and updates you need?
First, read the Windows Secrets Newsletter that comes out two days after Patch Tuesday. Look in our paid section for descriptions of any patches that are reported to have negative side-effects, and use our recommended workarounds if any problems might affect you. (How to get the paid version.)
Then, to check for needed updates to Windows and dozens of other programs, use the Secunia Software Inspector. This free service was described in the Aug. 16 and Sept. 6 issues of Windows Secrets.
Once you know what updates you need, you can visit the Microsoft Update Web site, which offers updates for both Windows and Microsoft Office. The Secunia report includes a link to Microsoft's site and other update sites so you don't even have to bookmark them.
Users don't expect Microsoft to be perfect. But because of the company's very human mistakes with some previous updates, many customers understandably want to do their homework before installing every patch Microsoft offers. If the company's own software settings can't be trusted to provide that level of control, users will continue to seek alternatives.
Yikes and double yikes. This is exactly the type of behavior I've been worried about!
And Microsoft wants us to believe we can trust them?
I think not.