Posted on 09/13/2007 8:40:04 AM PDT by ShadowAce
Microsoft has begun patching files on Windows XP and Vista without users' knowledge, even when the users have turned off auto-updates.
Many companies require testing of patches before they are widely installed, and businesses in this situation are objecting to the stealth patching.
Files changed with no notice to users
In recent days, Windows Update (WU) started altering files on users' systems without displaying any dialog box to request permission. The only files that have been reportedly altered to date are nine small executables on XP and nine on Vista that are used by WU itself. Microsoft is patching these files silently, even if auto-updates have been disabled on a particular PC.
It's surprising that these files can be changed without the user's knowledge. The Automatic Updates dialog box in the Control Panel can be set to prevent updates from being installed automatically. However, with Microsoft's latest stealth move, updates to the WU executables seem to be installed regardless of the settings — without notifying users.
When users launch Windows Update, Microsoft's online service can check the version of its executables on the PC and update them if necessary. What's unusual is that people are reporting changes in these files although WU wasn't authorized to install anything.
This isn't the first time Microsoft has pushed updates out to users who prefer to test and install their updates manually. Not long ago, another Windows component, svchost.exe, was causing problems with Windows Update, as last reported on June 21 in the Windows Secrets Newsletter. In that case, however, the Windows Update site notified users that updated software had to be installed before the patching process could proceed. This time, such a notice never appears.
For users who elect not to have updates installed automatically, the issue of consent is crucial. Microsoft has apparently decided, however, that it doesn't need permission to patch Windows Updates files, even if you've set your preferences to require it.
Microsoft provides no tech information — yet
To make matters even stranger, a search on Microsoft's Web site reveals no information at all on the stealth updates. Let's say you wished to voluntarily download and install the new WU executable files when you were, for example, reinstalling a system. You'd be hard-pressed to find the updated files in order to download them. At this writing, you either get a stealth install or nothing.
A few Web forums have already started to discuss the updated files, which bear the version number 7.0.6000.381. The only explanation found at Microsoft's site comes from a user identified as Dean-Dean on a Microsoft Communities forum. In reply to a question, he states:
"Windows Update Software 7.0.6000.381 is an update to Windows Update itself. It is an update for both Windows XP and Windows Vista. Unless the update is installed, Windows Update won't work, at least in terms of searching for further updates. Normal use of Windows Update, in other words, is blocked until this update is installed."Windows Secrets contributing editor Susan Bradley contacted Microsoft Partner Support about the update and received this short reply:
"7.0.6000.381 is a consumer only release that addresses some specific issues found after .374 was released. It will not be available via WSUS [Windows Server Update Services]. A standalone installer and the redist will be available soon, I will keep an eye on it and notify you when it is available."Unfortunately, this reply does not explain why the stealth patching began with so little information provided to customers. Nor does it provide any details on the "specific issues" that the update supposedly addresses.
System logs confirm stealth installs
In his forum post, Dean-Dean names several files that are changed on XP and Vista. The patching process updates several Windows\System32 executables (with the extensions .exe, .dll, and .cpl) to version 7.0.6000.381, according to the post.
In Vista, the following files are updated:
1. wuapi.dll
2. wuapp.exe
3. wuauclt.exe
4. wuaueng.dll
5. wucltux.dll
6. wudriver.dll
7. wups.dll
8. wups2.dll
9. wuwebv.dll
In XP, the following files are updated:
1. cdm.dll
2. wuapi.dll
3. wuauclt.exe
4. wuaucpl.cpl
5. wuaueng.dll
6. wucltui.dll
7. wups.dll
8. wups2.dll
9. wuweb.dll
These files are by no means viruses, and Microsoft appears to have no malicious intent in patching them. However, writing files to a user's PC without notice (when auto-updating has been turned off) is behavior that's usually associated with hacker Web sites. The question being raised in discussion forums is, "Why is Microsoft operating in this way?"
How to check which version your PC has
If a system has been patched in the past few months, the nine executables in Windows\System32 will either show an earlier version number, 7.0.6000.374, or the stealth patch: 7.0.6000.381. (The version numbers can be seen by right-clicking a file and choosing Properties. In XP, click the Version tab and then select File Version. In Vista, click the Details tab.)
In addition, PCs that received the update will have new executables in subfolders named 7.0.6000.381 under the following folders:
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups.dll
c:\Windows\System32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll
Users can also verify whether patching occurred by checking Windows' Event Log:
Step 1. In XP, click Start, Run.
Step 2. Type eventvwr.msc and press Enter.
Step 3. In the tree pane on the left, select System.
Step 4. The right pane displays events and several details about them. Event types such as "Installation" are labeled in the Category column. "Windows Update Agent" is the event typically listed in the Source column for system patches.
On systems that were checked recently by Windows Secrets readers, the Event Log shows two installation events on Aug. 24. The files were stealth-updated in the early morning hours. (The time stamp will vary, of course, on machines that received the patch on other dates.)
To investigate further, you can open the Event Log's properties for each event. Normally, when a Windows update event occurs, the properties dialog box shows an associated KB number, enabling you to find more information at Microsoft's Web site. Mysteriously, no KB number is given for the WU updates that began in August. The description merely reads, "Installation Successful: Windows successfully installed the following update: Automatic Updates."
No need to roll back the updated files
Again, it's important to note that there's nothing harmful about the updated files themselves. There are no reports of software conflicts and no reason to remove the files (which WU apparently needs in order to access the latest patches). The only concern is the mechanism Microsoft is using to perform its patching, and how this mechanism might be used by the software giant in the future.
I'd like to thank reader Angus Scott-Fleming for his help in researching this topic. He recommends that advanced Windows users monitor changes to their systems' Registry settings via a free program by Olivier Lombart called Tiny Watcher. Scott-Fleming will receive a gift certificate for a book, CD, or DVD of his choice for sending in a comment we printed.
I'll report further on this story when I'm able to find more information on the policies and techniques behind Windows Update's silent patches. Send me your tips on this subject via the Windows Secrets contact page.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.
Not a lot of difference between the linux variants. This one seems to have quite a following - especially for home use.
I have three files modified 9/3/07; I had no notification flag but I have auto update on.
However I believe I read in the paper that they were making updates last week.
I have no known problems.
I cannot believe that even Microsoft would try this. After seeing our new OS X “lab” in action, we have lots of envious Windows users at work.
Please try Linux on your PCs if you can, or go Mac if you can justify a new machine. The fewer Windows users there are, the better Windows shall become — and the better all of us will be!
you call the police. Who issue a warning, then a citation that you can appeal before a judge.
Everything in the open and spelled out.
Which is how it is suppose to work.
bookmark
I’m not exactly sure about making a slow transition from Windows to Linux. I’m not very computer literate, so I guess the Linux equivalent to the Blue Screen of Death would probably discourage me.
you call the police.
There's no excuse for most people not to patch, especially when your unpatched system is spewing spam and worms.
How do you do that?
Try it - you can download it free, and there is a lot of free documentation. Personally, I’d pay 20$ for the book (or less, if you get a used copy) to walk me through it if I was a newbie.
.
This kind of stuff wasn’t even dreamed of in SciFi 30 years ago.
That you know of.
There are several websites that discuss what Windows services a prudent individual ought to disable...
And there is no excuse for someone to access your computer without your consent much less without warning.
The solution is not to use Windows OR for MSFT to treat its customers as Apple does. They offer updates that are simple and upfront.
Of course, that gets us to the question as to why a Mac (or OSS) user whould be more likely to accept (i.e. trust) an update, which gets us to the heart of the problem.
Does this mean that MS has a backdoor into your computer? If so, what if someone hacks it? I’m on a Mac G4, so I don’t have to worry. Yet!
There is even less of an excuse for a software company to, in the background and when I have explicitly told it not to, update files on my system..
What’s a clipper?
A very easy way is to download Zonealarm, it's free for personal use. Install it, make sure it's set to block everything. Un-install (or turn off) your old firewall. From a new install, Zonealarm by default has all programs blocked. Now, as you use your computer, Zonealarm will start asking if you want this program and that program to have access to the internet, I select only the ones that I know I trust and actually need, like my browser, my email program...etc, and I leave the rest blocked. If I need to use a blocked program, I run it, and tell Zonealarm to allow access (just this one time). Not near as hard as it's sounds. If you know your firewall program well, you can also go in and just disallow any programs you don't want to automatically access the internet, like MS Update......
Linux as an operating systems comes in different ‘distributions’ (Distro). A Distro is basically just a collection of different software packages like the OS itself (Linux Kernel and GNU Libraries), a ‘windows’ environment, browser, office suite, and other packages. really the difference between two distro’s is usually in the target audience. One might be aimed at power users and has alot of server software (Life RedHat / Fedora / Suse), others are aimed at the desktop and focus more on the look / feel / Ease of use (Ubuntu / Mandriva).
One of the most user friendly distro’s is Ubunu which can be downloaded here (http://www.ubuntu.com/) Download it, burn it to a cd and start your computer up. It should boot off the CD and bring up ubuntu, you can try it out like this without uninstalling windows. To get back to windows simply restart the computer (taking out the CD which should eject when you run shutdown)
If you like what you see you can install off of the same CD.
Incidentally, if you are a gamer Linux will likely not be for you, while there are ways to run some windows software under Linux it tends to affect performance enough to bother gamers (if it will run at all).
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.