Windows Operating Systems Software Microsoft Security Privacy

Stealthy Windows Update Raises Serious Concerns 362

UniversalVM writes "What is the single biggest issue that bothers open source advocates about proprietary software? It is probably the ability of the vendor to pull stunts like Microsoft's recent stealth software update and subsequent downplaying of any concerns. Their weak explanation seems to be a great exercise in circular logic: 'Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications.' News.com is reporting that all of the updated files on both XP and Vista appear to be in Windows Update itself. This is information that was independently uncovered by users and still not released by Microsoft."
  • by dch24 ( 904899 ) on Saturday September 15, 2007 @06:29PM (#20619471) Journal
    My biggest problem would be this list. One hundred and twenty three patches to reinstall Windows XP Service Pack 2 (with Office XP), which I plan to do for a long, long time. It really hurts someone like me when Microsoft decides to get rabies w.r.t. AutoPatcher [slashdot.org].

    Here's the complete list to prove it (sorry for the lame formatting, it's Slashdot's lameness filter):
    • 001 WinGenuineCheck.exe
    • 002 WGAPluginInstall.exe
    • 003 WindowsInstaller-KB893803-v2-x86.exe
    • 004 KB898461 package installer.exe
    • 005 KB925902.exe 006 KB896423.exe 007 KB929338.exe 008 KB928255.exe 009 KB928843.exe
    • 010 KB927802.exe 011 KB924667.exe 012 KB927779.exe 013 KB918118.exe 014 KB926436.exe
    • 015 KB928090 cumulative ie update.exe
    • 016 KB931836 dst.exe
    • 017 KB929969.exe 018 KB923980.exe 019 KB926255.exe
    • 020 KB923694 cumulative outlook express.exe
    • 021 KB925398 windows media 6.exe
    • 022 KB923689.EXE
    • 022 KB923789 flash player 7.exe
    • 023 KB920213.exe 024 KB924270.exe 025 KB923414.exe 026 KB924496.exe 027 KB923191.exe
    • 028 KB924191.exe 029 KB922819.exe 030 KB922582.exe 031 KB916595.exe 032 KB919007.exe
    • 033 KB920685.exe 034 KB920872.exe 035 KB917422.exe 036 KB920670.exe 037 KB920683.exe
    • 038 KB914388.exe 039 KB911280.exe
    • 040 KB917734 windows media 9.exe
    • 041 KB914389.exe
    • 042 KB917344 jscript ENU.exe
    • 043 KB918439.exe 044 KB913580.exe 045 KB917953.exe 046 KB900485.exe 047 KB908531.exe 048 KB911562.exe 049 KB911927.exe
    • 050 KB911564 windows media player plugin.exe
    • 051 KB908519.exe 052 KB910437.exe 053 KB904706.exe 054 KB905749.exe 055 KB900725.exe 056 KB902400.exe 057 KB901017.exe 058 KB905414.exe 059 KB893756.exe 060 KB899591.exe 061 KB899587.exe 062 KB894391.exe 063 KB896358.exe 064 KB890859.exe 065 KB901214.exe 066 KB896428.exe 067 KB888302.exe 068 KB887472.exe 069 KB891781.exe 070 KB873339.exe 071 KB886185.exe 072 KB885836.exe
    • 073 KB925876 rdp 6.0.exe
    • 074 KB896344.exe
    • 075 KB885884 office.exe
    • 076 KB930178.exe 077 KB931261.exe 078 KB931784.exe 079 KB932168.exe 080 KB935448.exe
    • 081 KB927978 msxml4.exe
    • 082 KB923689.EXE
    • 083 OfficeXpSp3-kb832671-fullfile-enu.exe
    • 084 KB925673 msxml6.exe
    • 085 KB927977 msxml6.exe
    • 086 OGAPluginInstall.exe
    • 087 officexp-kb833858-client-enu.exe 088 officexp-kb837253-client-enu.exe
    • 089 officexp-KB925523-FullFile-ENU.exe 090 officexp-KB914796-FullFile-ENU.exe
    • 091 officexp-KB920816-FullFile-ENU.exe 092 officexp-KB920821-FullFile-ENU.exe
    • 093 officexp-KB929063-FullFile-ENU.exe 094 officexp-kb873379-fullfile-enu.exe
    • 095 officexp-KB905649-FullFile-ENU.exe 096 officexp-KB921594-FullFile-ENU.exe
    • 097 officexp-KB905758-FullFile-ENU.exe 098 officexp-KB923092-FullFile-ENU.exe
    • 099 officexp-KB894541-FullFile-ENU.exe 100 officexp-KB911701-FullFile-ENU.exe
    • 101 officexp-KB929061-FullFile-ENU.exe 102 officexp-KB904018-FullFile-ENU.exe
    • 103 officexp-KB913471-FullFile-ENU.exe 104 officexp-KB934394-FullFile-ENU.exe
    • 105 officexp-KB934453-FullFile-ENU.exe 106 officexp-KB934705-FullFile-ENU.exe
    • 107 WindowsXP-KB930916-x86-ENU.exe 108 WindowsXP-KB931768-x86-ENU.exe
    • 109 WindowsXP-KB927891-v3-x86-ENU.exe
    • 110 KB933566 cumulative ie6 update.exe
    • 111 KB929123 cumulative oe6 update.exe
    • 112 KB935839 kernel api.exe
    • 113 KB935840 schannel.exe
    • 114 kb937143 ie6 sp2.exe
    • 115 kb936181 msxml4.exe
    • 116 kb933579 msxml6.exe
    • 117 kb936782 wmplayer9.exe
    • 118 kb921503.exe
    • 119 kb936021 msxml3.exe
    • 120 kb938127 ie6 vml.exe
    • 121 kb938829 gdi.exe
    • 122 kb933360 dst.exe
    • 123 kb938828 explorer stop c0000005.exe
    • by Anonymous Coward on Saturday September 15, 2007 @06:47PM (#20619619)
      Why don't you stop using Windows? I know that's not an option for everyone, but these days it's something you should consider. It's not like there aren't alternatives out there. There are! A Google search just turned up several blog posts that talk about Windows alternatives:

      Langa Letter: Exploring Windows Alternatives [informationweek.com]
      Avoid Windows Vista anti-piracy shenanigans by using BSD, OpenSolaris or Linux. [blogsavy.com]
      Mac OS X Leopard vs Microsoft Windows Vista [pirillo.com]
      Dump Windows Update, use alternatives [windowssecrets.com]
      Alternatives to Windows Software [linux.ie]

      I'm sure you could find a lot more information, too. So there's really no excuse for still using Windows, especially if there's really nothing keeping you from switching to one of the many alternatives.
      • Re: (Score:3, Interesting)

        by Ka D'Argo ( 857749 )
        I can't switch to Linux for several reasons. While my knowledge of Windows kernel is very little (actual code knowledge that is, I know nothing), I know even less about Linux. So while modern day Linux distros are all very GUI friendly and look similar to Windows, what if something went drastically wrong with it? I don't know nearly enough about Linux's command line system or anything. While I know a decent bit about DOS I've seen a small touch of Linux when I ran a Half Life 1 server on a Linux box for a m
        • by NeverVotedBush ( 1041088 ) on Saturday September 15, 2007 @08:14PM (#20620419)
          A few things to consider if you really would like to explore Linux - you can dual boot. You don't have to give up your Windows system to start checking Linux out. Linux can make room on your hard drive (assuming you have enough free space) and you can switch back and forth between them with just a reboot. (there are other ways too with virtualization but you can Google more info if that might interest).

          As for no guarantee your PC could even run Linux, just download and burn (or just buy) a "live CD". A live CD is a CD you just boot from and it boots your computer up in Linux. During boot it will check hardware and you can see for yourself if it finds everything natively. If it doesn't, keep in mind that you can search the web for whatever hardware and Linux and see if drivers might be available. You would be surprised how much hardware is well supported under Linux although there are holes. Another thing about a live CD - since it is running from the CD, don't be put off by the slowness. Running from the CD will be much slower than if it was installed. If you have a lot of RAM, it may not seem that slow but CDs are much slower than hard drives. All you are doing is seeing what it looks like and if/how it will run on your computer.

          As for Wine, it supposedly works pretty good but it may not support what you want to run. If you are wanting to run Windows programs under Linux, check out Crossover Office from Codeweavers. I use it to run Microsoft Office under Linux and it works perfectly. (I spend much more time now in Open Office though) So do a number of other supposedly Windows-only programs. But if you dual boot, you can always just run whatever you want under Windows but do your long haul stuff under Linux. You will probably be a lot safer doing anything requiring good security under Linux than under Windows. I never order anything online or do any financial stuff in Windows. It's just too risky.

          And about upgrading to run Linux - not necessary. If your computer was running OK with Windows, it will seem quite peppy under Linux. Windows is a memory and resource hog. Linux is not. Anyone with a computer that now can't run Vista ought to take a look at running Linux instead. They will get what feels like a new computer and get a very nice OS at the same time.

          And don't let the supposed complexity of Linux fool you and keep you away. It isn't that complex. In Windows you just can't do a lot of stuff or they make the decisions for you. In Linux, you can do pretty much whatever you want. In Linux, everything is file based. You have config files and such that you just edit to make changes. Nothing is hidden from you. A lot of the internals are best accessed on the command line once you get more familiar but you can also admin the machine from the GUI if you want. As you get more experienced, you'll want to learn the command line though - much more efficient and really easier. Or you can stick to the GUI and pretend you are just running a really stable and fast version of Windows. You don't have to dig into the guts of Linux if you don't want to. It's just that you can if you would like.

          But Linux is a lot easier to try out and use than a lot of people imagine. It's why it is growing so much in user base recently. Give a live CD a try and see for yourself. That's the best way to experience it.
        • by NeverVotedBush ( 1041088 ) on Saturday September 15, 2007 @08:21PM (#20620459)
          One more thing - you mentioned what if something went drastically wrong. In Windows, your option is pretty much limited to reinstalling from scratch. So if you had to reinstall Linux from scratch, how much of a difference is that really?

          But the fact is that under Linux you don't have so many programs hooking themselves into the OS to even cause the same kinds of problems as under Windows. Also, it's a more advanced topic, but under Linux, you can separate out your personal files (your home directory) from the OS. That way, if you did have to reinstall the OS, the next time you log in, your experience is like you never left. This also makes backing up easier.

          The reality, though, is that you reinstall Linux rarely. Windows you have to reinstall much more frequently.

          And the last thing - Linux is FREE. Windows is not. And you can install it on as many computers as you want. No phoning home. No stealth installs. No crap.
        • by marcansoft ( 727665 ) <hector AT marcansoft DOT com> on Saturday September 15, 2007 @08:45PM (#20620671) Homepage
          Wine Is Not an Emulator.

          The overhead of using Wine is very small. It is a thin layer on top of native Linux, and Windows itself isn't emulated. The difference between Linux and Windows is much more important with regard to performance. As it turns out, sometimes the Windows drivers are faster and sometimes the Linux drivers are faster. I've seen games run faster under Wine than under native Windows.

        • by Phroggy ( 441 ) <slashdot3@ p h roggy.com> on Saturday September 15, 2007 @08:45PM (#20620675) Homepage

          I can't switch to Linux for several reasons. While my knowledge of Windows kernel is very little (actual code knowledge that is, I know nothing), I know even less about Linux. So while modern day Linux distros are all very GUI friendly and look similar to Windows, what if something went drastically wrong with it? I don't know nearly enough about Linux's command line system or anything. While I know a decent bit about DOS I've seen a small touch of Linux when I ran a Half Life 1 server on a Linux box for a mod. Using PuTTY into it was a pain cause all these strange Linux command line commands were nowhere near what I was used to.
          Linux has progressed a bit since then. Try Ubuntu [ubuntu.com] 7.04; you can just boot from the CD and give it a try without touching your hard drive. For most things, you shouldn't have to touch a command line.

          Now the real kicker reason why I can't switch; I have no guarantee for my PC being able to use it.
          Like I said, try the live CD. There's no risk.

          While I'm sure I could find a distro that has decent drivers for my hardware, what am I to do about the PC games I play that do not have Linux ports?
          Now you've hit upon a potential issue.

          I could use some Linux emulation software like Wine right? I mean that's the easiest solution. Emulate Windows to run those must-have Windows applications. Well my PC is rather old. You figure in running Linux, plus emulating Windows, plus running a Windows based MMORPG where I normally got 20 fps on a PC, I doubt I'd get anywhere a playable state. While I'm sure some Linux distros themselves run faster, use less memory etc than Windows XP, having to run that and emulate Windows + Game probably negates any resources I had freed up from running Linux itself, if not making the game run even worse.
          Ah, but you're forgetting: Wine Is Not an Emulator. It's a reverse-engineered clone of the Win32 APIs, running natively on Linux. When you run a Windows game on Wine, the game is actually running natively, on your hardware, using Win32 API calls, just like it runs on Windows... except it's not running on Windows. So, there should be no performance hit at all, and memory usage shouldn't be any higher.

          (Disclaimer: I've never used Wine and have no idea what I'm talking about.)

          For some people, upgrading or buying a new PC simply so they can use Linux instead of Windows isn't an option. If I was going to shell out that much money, I'd go get another copy of Windows XP that has the current SP2 streamlined into the install to greatly reduce install and patch time. If I didn't play PC games that needed Windows, I might consider running Linux cause pretty much everything else I use can be used on Linux (Firefox, IRC, mp3 player, VLC, etc).
          Actually, many people switch to Linux because they have older hardware, because Linux tends to run on older hardware better than Windows does. As for getting a copy of Windows XP with all the current patches slipstreamed in, you'll have to pirate that - as another poster complained, there are a ton of patches you have to install, even if you start with an SP2 CD. They're releasing SP3 next year, but who knows whether it will even be possible to buy an XP SP3 CD anywhere; remember that they'd rather you switched to Vista.

          Anyway, not trying to argue; Linux probably isn't a good option for you right now. But try the Ubuntu live CD, and the next time you reinstall XP, consider repartitioning and setting up a Windows/Linux dual-boot. That way you can use Windows to get your work done and play your games, and fiddle with Linux in your spare time to see if you can get your games to run there. You said your main problem is that you don't know much about Linux; this would be a good way to do something about that.
          • by martijnd ( 148684 ) on Saturday September 15, 2007 @11:03PM (#20621595)

            Ah, but you're forgetting: Wine Is Not an Emulator. It's a reverse-engineered clone of the Win32 APIs, running natively on Linux. When you run a Windows game on Wine, the game is actually running natively, on your hardware, using Win32 API calls, just like it runs on Windows... except it's not running on Windows. So, there should be no performance hit at all, and memory usage shouldn't be any higher. (Disclaimer: I've never used Wine and have no idea what I'm talking about.)
            The problem for games comes in the form of DirectX (7, 8, 9), which Linux of course does not have a native version of. So WINE can't just call the equivalent operating system functions, and instead has to build a bridge through OpenGL, which IS supported by the video driver. This gives a performance hit as of course you try to refresh the screen as often as possible for a smooth experience, and that is a lot of function calling. If I play Eve Online under Wine, I get about 30-40 fps, while under Windows the same hardware would get about 70-100 fps (depending on the level of complexity of the screen). Still I am amazed it works at all -- Wine has come a LONG way since the early days, and its two week release schedule makes continuous improvements pretty aggressively.
        • Re: (Score:3, Interesting)

          by pizpot ( 622748 )
          Do you know what I tell people before I put linux to dual boot on their computer? I say "it will be just like vindows. you read the messages and click OK or Cancel." So far, out of 13 installs, no one worried after I said that. LOL. And dude, just download ubuntu and stick it in, and make your bios boot to cd and try it out.
        • Re: (Score:3, Interesting)

          by thebdj ( 768618 )

          If I didn't play PC games that needed Windows
          I gotta ask, what games? You might be shocked at the list of stuff I have running either natively or through wine. BTW, there are games that have been reported to run faster in wine than in Windows, go figure.
        • Re: (Score:3, Interesting)

          by Centurix ( 249778 )
          I know a few people have replied to your comment about switching. But I think I could probably lend my experience to this by stating that I had exactly the same questions about the switch that you have listed. I've been a windows developer for many years, and I had very little understanding of unix, X, linux or anything to do with this type of kernel. I had fiddled around for a while with various live CD's without being convinced. Then I realised that the reason I didn't switch is because I actually investe
          • by Zonk (troll) ( 1026140 ) on Sunday September 16, 2007 @08:09AM (#20624495)

            OK, tax software. I'm Australian, and the tax office allow you to lodge online using their own application. I have found instructions to run the Java app under Ubuntu, but I had no success at all.
            You likely have GIJ set as the Java runtime, which is what Ubuntu (and Fedora, IIRC) does by default. This doesn't support Swing or much else, and has horrible performance. This can be fixed easily, though:


            sudo apt-get install sun-java6-jre sun-java6-plugin sun-java6-fonts
            sudo update-alternatives --config java
            (select the number that says "/usr/lib/jvm/java-6-sun/jre/bin/java")
            sudo gedit /etc/jvm
            (add /usr/lib/jvm/java-6-sun as the first entry)


            Now all Java should work properly.

            Cue VMWare player. Free, included in the packages for Ubuntu. I figured I'd use this until the ATO software can be installed in Linux (which I'm sure it can be). There's a way to create basic VMWare images using a QEMU which can then be saved as VMWare images. So a licensed version of windows 2000 went on for the sole purpose of doing my tax. This is my current project to make this thing run under Linux, an ongoing quest.
            Install VMWare Server. Ubuntu provides packages for it and to get it to work all you have to do is go to vmware.com and request a (free) license key for it. You can then create virtual machines easily. It rocks.

            You can also give VirtualBox [virtualbox.org] a try. It works well and offers a "seamless" mode (Windows apps appear on the Linux desktop). The only downside to VirtualBox is licensing. The binary that's available is under their "Personal Use and Evaluation License", but they do provide an Ubuntu repository for it. There is a GPL version available that does the same things, but you have to compile it from source.

            At the moment I'm using both VMWare Server and VirtualBox OSE (the GPL version) equally.

            Paint shop pro, well, it wouldn't install using WINE,
            Buy CrossOver Office instead (there's a 30 day demo [codeweavers.com] available). It's based on WINE, but actually works.

            Haven't figured out how to save alpha transparencies to PNG's yet. But it's doing it.
            Just save it as a PNG. Unless you index it first it will save the alpha transparencies by default.
        • Re: (Score:3, Informative)

          by rts008 ( 812749 )
          NeverVotedBush is spot on.

          My only addition to his reply to you is this:

          Hard drives are getting pretty cheap nowadays. Pick up a drive and add it as a slave and install Linux on this drive, leaving your primary Windows install as is...sort of.

          During installing Linux to the slave drive, you will get boot-loader options. Different distro's of Linux handle this a little differently, but basically they all give you an option to 'see' the Windows install and give it a place in the boot menu. Don't let this scare
        • nLite (Score:4, Informative)

          by Dr_Barnowl ( 709838 ) on Sunday September 16, 2007 @07:30AM (#20624279)
          nLite [nliteos.com] will solve your problem. With it you can slipstream a full Windows installation disk, plus patches, plus any drivers that you would otherwise need to install. You can even remove chunks that you don't need.

          I do take issue with some of your points though. Your knowledge of the DOS/Win32 operating environment is no doubt something that you have accumulated slowly over a number of years. I too found the unix command line unfamiliar and painful when I first used it. I'm still a novice, but I now find it more productive than cmd.exe by an order of magnitude.

          I found installing and using Gentoo to be a great learning experience. The lack of a graphical installer (at the time) forces you to use the command line for everything. If you follow the install manual "blind" you pick up a few things. If you go through it reading the manuals for every command you use, you pick up a lot of things. I didn't get along with the graphical distributions at the time, I couldn't find any of the options I wanted. They have improved, but my TV server still runs Gentoo since it was the only distribution that supported my hardware at the time.

          Your old hardware is much more likely to be supported than newer hardware.

          As for games? I'm not going to chime in with the rest of the people in this thread and claim you can use Linux to run them all. I like to play games. I intend to keep running Windows until I give them up (which may well happen, they innovate less every year), or until Linux versions are commonplace.

          As a software developer, I also can't do without Windows. I depend on Windows, because it's where most of my code lives. But I love open-source. I'm lucky enough to be doing a job where I don't have to avoid it - I can use what I like. And if I have to pick and choose, using OSS tools is just overall much less hassle. I don't have to requisition them, justify purchase costs, fill in forms, wait thirteen weeks for approval. If they have bugs, I don't have to contact the supplier and engage in complex political games about whose fault it is, I just fix them. OSS for me is just far more agile and productive.
    • So when a user's windows system that was say 5 years old gets corrupted these days and a total re-install is required, how does this play out? I assume it must work like my mac: namely you get your original disk out and you do an "archive-and-install" which puts a fresh copy of the system on the disk and moves all the important bits of the old one into a folder so you can recover stuff like application-keys and special fonts. Then you click "software update" and apple offers a "rolled up" updater that me
      • Re: (Score:3, Informative)

        by thethibs ( 882667 )

        You re-install the operating system from the original media, configure your network connection, run Windows Update, and let MS do the work for you.

      • Instead of starting a flamewar like the other comment to your post, I will actually try to include some information.

        I maintain a custom XP Pro disc. I use nLite [nliteos.com] to apply these custom changes. I purchased XP Pro w/SP2 at one point for a friend's computer that I built. The only options that are not pre-set on the custom disc is the serial number that I force new computer users to buy because I'm not a large advocate of piracy (I, personally, use Gentoo Linux in my home). I update the disc every so often (us
        • Okay thanks for the coherent reply. You explained how you manage a progressively updated system to maintain a recovery disk with all the accumulated updates. But my question was different. If one is not so pro-active as you are (basically 99% of the planet--and I include myself) then one probably only has the original Install disk that came with the machine. When a system needs a re-install is there a rolled up update one can get from MS? or is it still like the dark days of win98?
            • I'm not entirely sure what you mean there... Do you mean a disc that is basically an image of an install? (Like I know that Sony offers with its Vaio line) What I described was an official Windows XP Pro install CD that I had "slipstreamed."

            If you are thinking in terms of an image, you can indeed create a similar disc (usually on a DVD) using off-the-shelf software. I'm not sure of any free software, but there is a lot of commercial software. Just try a Google search for "Windows Restore Disc" [google.com]

            Or are y
          • When a system needs a re-install is there a rolled up update one can get from MS? or is it still like the dark days of win98?

            Dark days.

            There used to be a utility [autopatcher.com] which did what you want, but Microsoft killed it off a fortnight ago. Now if you install from a pre-SP2 cd, you have to get online to patch, and take your chances with the viruses.

          • by NMerriam ( 15122 )

            When a system needs a re-install is there a rolled up update one can get from MS? or is it still like the dark days of win98?


            No, once you have SP2 (and most install disks of course are SP2), that's it for prepackaged updates. Everything else has to come in one at a time, either by Windows update or other means. I think last time I did it was about 4-6 reboots worth, spread over a couple dozen individual updates, to reinstall XP SP2.
    • Re: (Score:3, Insightful)

      Install the latest Ubuntu or Fedora only a few months after release, or especially something like CentOS 4.5 or Ubuntu 6.06, in either case even with a minimum installation, and you're going to have a large list of downloads ranging from a few dozen to possibly over a hundred patches. There are some different mechanisms that can be used to download the archives for a Linux or BSD distribution and install them from local sources, but it's still a large download and it still takes a fair amount of time.

      This
    • So the fact that they've admitted that there's a backdoor doesn't bother you?

      A backdoor that contacts the internet often enough for it to patch your system? But not often enough to have been known about before this?!

      I guess it's tinfoil time, but a keylogger would have to send what... 500k a month?

      Sure windows is huge and bloated, what tipped you off the 4gig directory? But that's not too bad, I mean you get word and paint! What more could you need?

  • The last update.... (Score:4, Interesting)

    by downix ( 84795 ) on Saturday September 15, 2007 @06:30PM (#20619481) Homepage
    The last update they did was stealthy enough that I didn't realize it was happening, and my XP system lost power during the middle. End result, XP is now acting erratically, proclaiming update is invalid at bootup, sometimes not booting at all. Forced me to re-evaluate Linux for my 1 game machine, and trying out Cedega to get my last real Windows game (City of Heroes) to run.
    • Re: (Score:3, Informative)

      by rbochan ( 827946 )
      clicky clicky [sweetleafstudios.com]

    • Re: (Score:3, Insightful)

      Does anyone doubt that MS has engineered Vista with non-removable backdoors at least for their own use? I believe MS deems itself a "trusted site" even if you specifically tell Vista it isn't. If there is a single port open to the net on your machine, I'll bet MS will find a way in.

      Also, did anyone besides me flinch when reading from MS that "we have turned on [reduced functionality mode] for pirated copies of Vista"..?? What else are they able to turn on and turn off with their new master control pa

      • by Rolgar ( 556636 )
        Not yet on the video card. I managed to go from Etch to Lenny. The nVidia driver was the only difficulty. I think ATI's new drivers will be out in six months or so, then I'll be going from a 5300 to ATI.
      • Re: (Score:3, Interesting)

        by Sigma 7 ( 266129 )

        Does anyone doubt that MS has engineered Vista with non-removable backdoors at least for their own use?

        Anyone want a tinfoil hat [cmu.edu]?

        As you know, it's easy to compile a backdoor into the open-source "login" app for Linux. It's also easy to compile GCC so that it automatically compiles in the backdoor, while still being possible to compile the backdoor generator into GCC - and you won't be able to avoid such backdoors unless you use an entirely purified work environment (i.e. don't use external binaries.)

      • Anyone know of a good 3D video card supported by Debian for 3-D out of the box?

        Good or supported - which do you prefer? Can't have both. ATI's drivers are behind, but at least
        they've promised source code. NVidia's drivers are necessary to download after the fact. Some don't
        like them because they're closed, but I just want friggin' Beryl to work. Intel's are excellent,
        but the cards aren't good..yet. Only onboard video for now, with PCIe cards in the works.

        Debian is also a painful distro for NVidia users, due to licenses and such. I've been using Ubuntu
        for a long time because it's easi

      • Re: (Score:3, Interesting)

        Also, did anyone besides me flinch when reading from MS that "we have turned on [reduced functionality mode] for pirated copies of Vista"..??
        That turned out to be a hoax [winbeta.org].
      • What does the EULA say? Perhaps Microsoft reserves the right to modify your *licensed* software as they see fit?
    • by mce ( 509 )

      I get your drift, but had the power failure occurred while you were aware of the ongoing update, the effect would have been the same. You can't blame that on the stealthiness of the update.

      Note: I'm also assuming that during a normal - i.e. intended - shutdown this kind of thing can't happen anyway, as anyone can always decide to shutdown a machine while an ongoing automatic update is in progress, especially as most users don't even seem to know what an OS update is in the first place. So it's a condition

    • Wait a second, you are complaining because you had a power failure and it's the software's fault? Get a UPS man. The fact that you merely had some data corruption should be considered a blessing considering what faulty power can do to your hardware.

      Yeesh.
    • by Ant P. ( 974313 )
      Similar thing happened to me when I installed SP2. One forced reboot later and I was rewarded for my loyalty by a BSOD right after the splash screen. I gave it 3 tries and a safe mode before giving up and setting the partition type to 83.
  • Not a big deal (Score:5, Informative)

    by ejdmoo ( 193585 ) on Saturday September 15, 2007 @06:31PM (#20619491)
    Just a bunch of people bitching for no reason, trying to generate traffic to their blogs. Let's see...

    The update only updated the Windows Update software itself, nothing in Windows.

    It did not update if you have automatic updates turned off.

    It did update if you had "Notify me" turned on. This is a point of contention, but MS says they needed to do the update to continue to notify users of actual updates.

    Finally, this doesn't apply to any networks running a WSUS (or whatever it's called now) server.
    • by Anonymous Coward
      My understanding is that this update arrived even if automatic update was turned off.

      In this case Microsoft was illegally entering the customer-owned computer, using the customer-paid connection and hardware, in order to achieve something that is beneficial for Microsoft.

      Just try to do the same for a Microsoft-owned computer: the full power of legal prosecution will fall on your neck for countless charges, with a likely jail term as punishment if convicted.

      Who is going to press charges for the same act against Microso
    • by eebra82 ( 907996 )

      Just a bunch of people bitching for no reason, trying to generate traffic to their blogs. Let's see...
      True to some point. Still, it raises an interesting question. Shouldn't we be able to choose this for ourselves? In the end, security problems that I force on myself by refusing updates are my own responsibility, not Microsoft's. They have the responsibility to deliver fixes. We have the responsibility to care for installing them, but we still must have the choice to do so.
    • Re: (Score:2, Interesting)

      by Hymer ( 856453 )
      The update only updated the Windows Update software itself, nothing in Windows.
      The Windows Update software is at least as much a part of Windows as Internet Explorer.

      It did not update if you have automatic updates turned off.
      ...and why didn't it just tell you that it needed an update ?

      It did update if you had "Notify me" turned on. This is a point of contention, but MS says they needed to do the update to continue to notify users of actual updates.
      So basically what I do know now is that Microsoft is unab
      • by Sigma 7 ( 266129 )

        The Windows Update software is at least as much a part of Windows as Internet Explorer.

        Correct. If Windows Update gets waxed, it has the same effect on your operating system as if Internet Explorer gets waxed. You can still play around with the computer that's relatively "stable", in the same way you can browse the internet using Firefox.

        If Windows Update gets damaged, you can run System Restore to try and recover it. Alternatively, use the Windows Vista CD and run a repair installation to restore damaged files (although you'll need to redownload some updates.)

        ...and why didn't it just tell you that it needed an update ?

        It doesn't do that if it is tu

    • Re:Not a big deal (Score:4, Insightful)

      by sabinm ( 447146 ) on Saturday September 15, 2007 @07:16PM (#20619859) Homepage Journal
      "Just a bunch of people bitching for no reason"

      It's called a neighborhood watch. Neighborhood watches are effective if 1. people watch for suspicious activity 2. when suspicious activity is noted, authorities are called to take care of business.

      My computer, my property. I give you limited permission to put your platform on it. That's my choice. I can limit as much or as little as I want on my own property. That's it. No argument. I can even like Windows and still limit it as much as I want. Mine. Mine. Mine. Possession is 9/10 of the law. The more we give other entities the right to walk on our property, the more they'll call it theirs by custom.

    • by Fallen Kell ( 165468 ) on Saturday September 15, 2007 @07:22PM (#20619917)
      So now that hackers know there exists a backdoor to the windows update which will let them update a stealth patch to anything they want in the system because it runs with admin rights, this isn't a big deal to you?
      • Re: (Score:2, Informative)

        by Joe U ( 443617 )
        So now that hackers know there exists a backdoor to the windows update which will let them update a stealth patch to anything they want in the system because it runs with admin rights, this isn't a big deal to you?


        Sure, all they need to do is forge all of Microsoft's digital certificates first. Patches are signed or else they don't install without warnings.
        • Re: (Score:3, Interesting)

          by cbiltcliffe ( 186293 )

          Sure, all they need to do is forge all of Microsoft's digital certificates first.
          Actually, they'd only need to forge one. In fact, they wouldn't even need to forge it. Just do a little social engineering with a certificate company. And it's not like that hasn't happened before....
          http://www.informationweek.com/830/hacker.htm [informationweek.com]
      • by TheNetAvenger ( 624455 ) on Saturday September 15, 2007 @10:25PM (#20621355)
        So now that hackers know there exists a backdoor to the windows update which will let them update a stealth patch to anything they want in the system because it runs with admin rights, this isn't a big deal to you?

        So explain to everyone how a hacker without prior access will get the machine to go to their server instead of the MS server, present the correct authentication, which still has not been broken, and then forge security certificates for every file they want to download?

        A system would already have to be compromised to even attempt to use or subvert this system and would be a lot harder than just taking control of other areas of the OS...

        Are people really this stupid?
      • So now that hackers know there exists a backdoor to the windows update which will let them update a stealth patch to anything they want in the system because it runs with admin rights, this isn't a big deal to you?


        Since the updates are signed (and have been for years), no, I'm not particularly worried.
    • Big Deal... (Score:5, Informative)

      by nutrock69 ( 446385 ) on Saturday September 15, 2007 @08:05PM (#20620323)

      It did not update if you have automatic updates turned off.
      Really? Last I read, the claim that it does update when the feature is turned off was supported by several reputable computer trades, each of which (supposedly) verified this independently on PCs they own and test with. Has anybody besides Microsoft claimed otherwise? Remember, having a computer that didn't update on its own is not proof that it won't, only that it might not have been in the list to receive the patch. The lack of evidence does not prove a contrary opinion in this case.

      The biggest problem I have with this update, is that it proves beyond any doubt that Microsoft deliberately placed a "hole" in the security of their OS for their own purposes. It is nothing less than something on the internet contacting the OS, opening a hole, then running software with root/admin permissions to change something in the OS itself. Something many people have suspected because of the so-called security patches that move holes around instead of actually closing them, has now been proven to be true.

      This must be a holy grail for a Windows hacker. This hole was put in the OS specifically to take over a computer, and Microsoft's reaction to its discovery shows they obviously have no intention of closing it - just continuing to use it when desired. You can bet that finding this hole and ways to exploit it are now the top priority of hackers around the world.
      • Re: (Score:3, Informative)

        by ejdmoo ( 193585 )

        The biggest problem I have with this update, is that it proves beyond any doubt that Microsoft deliberately placed a "hole" in the security of their OS for their own purposes.

        Yawn...

        You have to fake a digital signature from MS to install any patch for Windows. It's always been this way.

        If a hacker figures out how to defeat the PKI infrastructure and fake the signature, then everyone has problems (ssh, encrypted email, https, etc), not just Microsoft.

    • It's now called WUSS since Ballmer took over.
    • by SeaFox ( 739806 )

      The update only updated the Windows Update software itself, nothing in Windows.

      Windows Update has an elevated level of access to the system. What if Windows Update were "updated" to allow things to be installed from someone other than Microsoft? Or so it would install software even if you told it not to.

      If the software has the ability to change Windows, there really is no difference between modifying the software that can modify Windows and modifying Windows itself security-wise. That's like saying there's

    • by NMerriam ( 15122 )

      MS says they needed to do the update to continue to notify users of actual updates.

      That's the craziest circular logic I've heard in a while. Is there some reason it can't "Notify Me" of the need to update windows updates? That's what happens when you reinstall an SP2 box -- first time it boots it says it needs to update windows update.

      Bitching for no reason? -- someone is installing new executables to the system directory without even telling the administrator of the box!? You're right, nothing could POSS

  • by gravos ( 912628 )
    I wonder why this kind of thing doesn't cause more of an outrage or show up in the "real" media. Microsoft may not be doing anything blatantly wrong _in this case_, but what about when they start auto-installing updates that nuke installs suspected to be pirated? You know it's coming...
  • Give in to the Dark Lord and life will be predictable and simple. Freedom is for babies.
  • People have been warning about such things for years. I know this sounds terrible, but no one on Slashdot should be surprised by this. Take what Microsoft has chosen to give you.
  • by Anonymous Brave Guy ( 457657 ) on Saturday September 15, 2007 @06:41PM (#20619577)

    We already did this one just two days ago [slashdot.org].

    The anti-Microsoft FUD was thoroughly debunked by numerous Slashdot posters. It was also thoroughly debunked by numerous comments in reply to the various external sources cited in the older Slashdot article.

    They updated Windows Update, when people explicitly visited the Windows Update site. That is all. They are not pushing out updates to critical system files without any user intervention.

    Last time, several posters asked whether Slashdot would at least have the decency to correct the blatantly Microsoft-bashing headline/article. They didn't, they posted it again. <sigh> Go Zonk!

    • by betterunixthanunix ( 980855 ) on Saturday September 15, 2007 @07:30PM (#20619997)
      The problem with the update, from what I've read, is that it happened regardless of whether or not you set WU to ask before installing updates. It isn't a question of what they updated, it is a question of how they are able to simply bypass that configuration option. I used to think that no company would use that kind of capability to do something evil, but given the Sony rootkit fiasco, I am beginning to doubt that sentiment.

      Of course, I don't use Windows, so this doesn't really affect me. Still, I think this should be a heads up that it is time to consider other systems.

      • The problem with the update, from what I've read, is that it happened regardless of whether or not you set WU to ask before installing updates. It isn't a question of what they updated, it is a question of how they are able to simply bypass that configuration option.

        Visiting the Windows Update site manually and using the corresponding control in a web browser, is nothing to do with the automatic updating system within the last few versions of Windows. There is no bypassing involved: we're talking about two fundamentally separate mechanisms, which happen to have the same end result.

        As far as I'm aware, it has always been the case that when you visit the Windows Update site — a conscious, active decision by the user — and load up the corresponding control

        • I'm sorry, but Microsoft appears to disagree with you:

          "The Windows Update client is configured to automatically check for updates anytime a system uses the WU service, independent of the selected settings for handling updates. This has been the case since we introduced the Automatic Update feature in Windows XP. In fact, WU has autoupdated itself many times in the past," he (Nate Clinton) said. -- TFA

          If you weren't following, Nate Clinton is the leader of the Windows Update team. So the guy who is b

    • by NMerriam ( 15122 )

      They are not pushing out updates to critical system files without any user intervention.

      If you read the post from Microsoft, you'll see that they admit, and justify, doing precisely that. I don't see any FUD happening, the Windows Update manager clearly stated that Windows Update will (and apparently has already multiple times in the past) install new system files without any user intervention, even if you've told it to notify you first, because the Windows Update group decided this was a better behavior

  • Someone has not run a diff with the new files versus the old. Hell I'd be satisfied with a simple "strings".
  • by OgGreeb ( 35588 ) <og@digimark.net> on Saturday September 15, 2007 @06:50PM (#20619647) Homepage
    Some systems and applications are so mission-critical sensitive that the systems have to be certified in their configurations -- medical systems, traffic control, pharmaceutical manufacturing, banking and financial systems -- too many to be subject to this outrageous behavior.

    The most secure setting provided (that I am aware of) is "do not install updates". If a system's certification can be sabotaged by Microsoft covert behavior, who's going to pay when a system fails and the system is demonstrated to have been subverted with tripwire-like checksum failures? Microsoft? The applications vendor?
  • My solution (Score:3, Interesting)

    by Kazymyr ( 190114 ) on Saturday September 15, 2007 @06:56PM (#20619703) Journal
    I have disabled, then removed completely the windows update service from all my computers. I will manually install updates from now on, when and if I want them.
  • "What is the single biggest issue that bothers open source advocates about proprietary software? It is probably the ability of the vendor to pull stunts like Microsoft's recent stealth software update and subsequent downplaying of any concerns."
    Nope, not even on the radar.

    My biggest gripe is getting stuck with a bug (like the strip(1) which deleted already stripped binaries on the end-of-life'd AT&T 3B1) that I cannot get fixed or fix myself.
  • Wouldn't the correct thing have been to have the next manual update show that Windows Update needed updating, and then proceed to show the newer patches only after the new Update was installed? Better still would be to show all, but grey some out saying "Requires Windows Update v1.2.3.4" next to the ones that aren't yet accessible.

    Oh, and wild-speculation-with-no-evidence time: this seems awfully soon after the WGA failure debacle, I'll bet the changes are to do with preventing a rerun of that.

    Cheers,
  • What happens if ... (Score:4, Insightful)

    by denisbergeron ( 197036 ) <`moc.oohay' `ta' `noregreBsineD'> on Saturday September 15, 2007 @08:12PM (#20620397)
    If I suppose this sentence is true:

    Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications.

    What happens when someone installs XP (or Vista) from zero and gets the OldAndBad Windows Update? Will he never be able to get updates?

    Someone has his foot in his mouth.
  • Microsoft clearly have a backdoor because even computers with user settings that disabled updating still got this.

    Microsoft decided years ago that users were stupid and their choices to be ignored, and they haven't looked back ever since as people just keep spending good money on whatever rights-eroding crap they put out. It boggles my mind how much most people just quietly put up with this shit.
  • "Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications."

    I read this three or four times trying to make some sense of it and got a screaming headache for my effort.

    Fortunately, I keep the AU and BITS services disabled until and unless I need them. This hasn't happened since last February and that's the date on the WU files. Every so ofte

  • "Who will update the updaters?"
  • In SOVIET RUSSIA, Windows update YOU!! ... sorry.
