Microsoft Updates Windows Without User Permission, Apologizes
Over the last few weeks, without user approval, Windows Update has updated nine small executable files in both Windows XP and Windows Vista.
Microsoft has been quietly updating Windows even when users have turned off automatic updates and without notifying users, according to reports and posts on Microsoft discussion boards.
Even though the updates ended up being benign and vital to the function of Windows Updates, such a breach of trust could end up harming Microsoft's reputation.
Over the last few weeks, without user approval, Windows Update has updated nine small executable files in both Windows XP and Windows Vista. "I did not download this and my Windows Update is still not set to automatic," a poster named Engle wrote on a Microsoft discussion board. "This has got me really puzzled." Both eWeek Labs and Windows Secrets report that they have confirmed cases of Windows Update downloading and installing an update without permission.
The updates in question actually updated Windows Update's own software. If Windows Update doesn't update itself, it stops functioning properly and is not able to recognize when new updates are available, according to Microsoft.
"That result would not only fail to meet customer expectations but even worse, would lead users to believe that they were secure even though there was no installation and/or notification of upgrades," Nate Clinton, Windows Update program manger, wrote on the Windows Update team blog in response to concern about the covert file revisions.
That said, Microsoft is still offering a bit of a semi-apology. "We do recognize that we should have been clearer in our explanation of this process earlier in the game," Microsoft Windows programmer Nick White writes on the Windows Vista Team Blog.
Windows Update does not automatically update itself if automatic updates are turned off, according to Microsoft's Clinton. However, Windows Secrets reports that it found the updates downloaded and installed even under those circumstances. Even Microsoft's own reports appear to be inconsistent: Windows program manager Nick White writes on his blog that "self-updating is done regardless of whether the user has enabled automatic checking, download and/or installation of updates."
The issue only affects computers that use Windows Update. Though consumers and some small businesses use Windows Update, most large businesses do not. That means businesses who use Windows Server Update Services or a feature in Systems Management Server to update their copies of Windows won't find files on their computers suddenly altered.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.