Even though the updates ended up being benign and vital to the function of Windows Updates, such a breach of trust could end up harming Microsoft's reputation.
Over the last few weeks, without user approval, Windows Update has updated nine small executable files in both Windows XP and Windows Vista. "I did not download this and my Windows Update is still not set to automatic," a poster named Engle wrote on a Microsoft discussion board. "This has got me really puzzled." Both eWeek Labs and Windows Secrets report that they have confirmed cases of Windows Update downloading and installing an update without permission.
The updates in question actually updated Windows Update's own software. If Windows Update doesn't update itself, it stops functioning properly and is not able to recognize when new updates are available, according to Microsoft.
"That result would not only fail to meet customer expectations but even worse, would lead users to believe that they were secure even though there was no installation and/or notification of upgrades," Nate Clinton, Windows Update program manger, wrote on the Windows Update team blog in response to concern about the covert file revisions.
That said, Microsoft is still offering a bit of a semi-apology. "We do recognize that we should have been clearer in our explanation of this process earlier in the game," Microsoft Windows programmer Nick White writes on the Windows Vista Team Blog.
Windows Update does not automatically update itself if automatic updates are turned off, according to Microsoft's Clinton. However, Windows Secrets reports that it found the updates downloaded and installed even under those circumstances. Even Microsoft's own reports appear to be inconsistent: Windows program manager Nick White writes on his blog that "self-updating is done regardless of whether the user has enabled automatic checking, download and/or installation of updates."
The issue only affects computers that use Windows Update. Though consumers and some small businesses use Windows Update, most large businesses do not. That means businesses who use Windows Server Update Services or a feature in Systems Management Server to update their copies of Windows won't find files on their computers suddenly altered.