Microsoft officials are seeking to dispel rumors the company is performing stealth updates on Windows machines. They are also pledging to be more transparent in the future to prevent such misunderstandings from happening again. Reports of secret updates began circulating after at least two sites reported that Windows Update …
Regardless what its purpose is..
This is the same as buying a car, then the dealer still has access to modify the content of the vehicle, while you sleep in peace knowing your car is locked (you chose to lock to prevent the dealer or anyone getting in).
The point is simple here, if Windows is set NOT to update, then NOTHING should be updated without you knowing, regardless what reasons or excuses Microsoft comes up with.
Looking at it from a hacker's point of view, this will translate to them being able to inject modules into your PC even though Windows is set not to accept any updates, all without you knowing. This sounds dangerous for many users: if MS can inject the update code without the user knowing, hackers can do the same. This Windows so-called security/registration is turning into a bad practice. Very soon, Microsoft will be able to pop up on your screen to remind you to upgrade to Vista every 5 mins until you buy a copy, all this while your PC is set not to accept junk popups.
If I interpret the comments correctly, the quoted blogger is saying that MS is too stupid to correctly apply principles of backward compatibility in their development and maintenance processes so, so sorry, they'll have to muck around in the innards of your machine without your knowledge.
I knew they had contempt for their users, but this is a pretty pathetic excuse even for them.
Quote: "They are also pledging to be more transparent in the future to prevent such misunderstandings from happing again."
Read: "They are pledging to disable logging of stealth updates so as to evade detection by users."
Sorry, the genie is out of the box now.
These should have been flagged as critical updates if they are required for further updates and nothing more. It's simple and any excuse is just spin.
This just highlights the big corporations' rule of 'we rule the roost and you will do as we say.....as long as there is not too much fuss'
And people will still defend these behemoths of power in whatever form they appear.
Power corrupts absolutely, not a truer phrase was uttered.
In most countries isn't it against the law to access someone's computer without their consent? If Microsoft altered files on my computer without my knowledge or consent, regardless of their reason, then that is the same as someone hacking into my computer and accessing/altering my files. I think the relevant statute in the state of Washington is this one.
Computer trespass in the second degree.
(1) A person is guilty of computer trespass in the second degree if the person, without authorization, intentionally gains access to a computer system or electronic data base of another under circumstances not constituting the offense in the first degree.
(2) Computer trespass in the second degree is a gross misdemeanor.
I think... and I don't remember exactly... but you signed that right away in SP2 EULA when MS essentially said that they could enter your computer at their whim.
I realise that what a company demands is overridden by what a country demands (at the moment) but I think that's where the change in Microsoft's policy first appeared, there was a kickup about it then too.
So, Microsoft admittedly wrote a virus?
The fact that it is possible to change critical system files that affect the behaviour of the remaining parts of the OS is very disturbing. Microsoft has admitted to exactly this; and worse the owner (also called user or consumer) of the PC is not informed beforehand; and no one from Microsoft spoke about this until it has been brought to light.
Will Mark Russinovich submit his detailed analysis of the bits of code that got changed with this update aka rootkit? He will not... after all this isn't Sony, and he is now an MS employee.
They've got you under their dispel <boo-hiss>
"Microsoft officials are seeking to dispel rumors the company is performing stealth updates on Windows machines. They are also pledging to be more transparent in the future to prevent such misunderstandings from happing again."
It appears that some code, that was stealthily injected, disabled the spell checker.
They own your computer
"files can be changed without the user's knowledge"
Sounds like a fair definition of malware to me... Now if what Mike said about the law in the state of Washington does really apply here (and I don't see why it wouldn't), can't somebody please start the proceedings? Sorry, I can't. They don't own my computers. :-)
Read the EULA before you click ok... or don't complain afterwards.
It is clearly stated in the EULA (or an addendum to the EULA) that Microsoft can and will make changes to Windows whenever they find necessary.
They are only acting in character...
I do not see why people are acting all surprised by this latest violation of personal privacy rights by Microsoft. Just off the top of my head, historically they have:
1) Shipped software to end users that is so poorly designed that over 10 years of constant patching is still unable to render it *secure* (cases in point, Windows 95, 98, 2000, Windows XP, MS Office, Internet Explorer...).
2) Instead of actually fixing the problems, they turned the insecurity of their software products into another *cash-cow* revenue stream with their $50USD/year *Windows OneCare* subscription service (the customers of which, being the cow)...
3) Knowingly hid their *Windows Genuine Advantage* datamining spyware in windows updates, which collected and sent your HD serial number, MAC address, BIOS checksum, computer make and model, MS product keys, locale, your language, and more back to Microsoft's servers without your permission. Then it passed automated judgment on all users (resulting in a 20% *false positive* rate, i.e., 20% of MS users who had legitimately purchased their products were treated as criminals via this fully-automated, rights-removing trial). The nice WGA tool then inserted a time-bomb, causing nag screens to pop up and disabling open access to all updates (which are constantly and urgently needed as discussed in the first 2 points). Many of those contacting MS by phone concerning validation problems were similarly treated as criminals, and many paid even more money using their credit cards to *re-validate* their legitimately purchased software, instead of continuing to be subjected to harassment.
4) Delayed distribution of many patches for glaring security holes which had been identified and published by security researchers, and which were known to be causing harm to their customers via viruses etc. designed to take advantage of said security holes. Instead, they rushed out patches to shore up comparatively harmless breaches of their "windows media format" DRM to satisfy their moneyed friends in the recording industry (proving that, at Micro$oft, it's *all about money*).
5) Greased the palms of hundreds of key people to get them to vote and sign MS-penned form letters advocating the wisdom of fast-tracking the adoption of a 6000 page non-open *Open XML* document format as a proposed international ISO standard document format (a format which they could then control and alter at their whim, wiping out their competitors while continuing to bleed the world into their bank coffers). All the while coyly ignoring the possibility of supporting and contributing to the existing and truly open ISO standard ODF format. Luckily, sanity prevailed, and this harebrained idea was shot down, so far...gee, I wonder if there could be any more security issues in that 6000 + pages...
I could go on, but you (hopefully) get the drift. Complaining about these repeated violations of respect, your security, and your rights does nothing, at least according to this historical reckoning. The easiest (and only) way to protect yourself is to JUST STOP USING MICROSOFT PRODUCTS. PERIOD. Dell is doing it, HP, Lenovo are selling great Linux-powered PC's fully loaded with secure open-source software like OpenOffice, etc. Lots of people are starting by giving MS Office the boot off of their windows PC's and installing OpenOffice instead. Then they download and try Ubuntu or some other popular free version of Linux and never turn back. Myself: I got fed up with Microsoft's antics years ago, switched to Linux, no more virus problems, lots of great free software...like a (long-overdue) breath of fresh air...
Read the EULA before you click ok... or don't complain afterwards.
It is clearly stated in the EULA (or an addendum to the EULA depending on Windows version) that Microsoft can and will change files on the computer without the user's knowledge whenever they find it necessary.
It is furthermore stated that the user does not own the operating system or any components of it.
No one has ever tried the EULA in a court of law...
btw. I don't care... I got tired of Microsoft and changed to something better.
"Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications. ... That result would not only fail to meet customer expectations but even worse, that result would lead users to believe that they were secure even though there was no installation and/or notification of upgrades. ... [Windows Update] does not automatically update itself when Automatic Updates is turned off."
Ermm, so all those who turned it off are now permanently cut off from WU, but they will never actually discover this because the older version of the software just isn't compatible with even the most basic "you are out of date" notification.
Sorry, I don't believe it. At least one of the quoted statements must be false.
@Kent Rebman: re:Balderdash
Quoth Kent: "MS is too stupid to correctly apply principles of backward compatibility in their development and maintenance processes"
Ya think? :-)
This has been a complaint against MS for, literally, decades. Either they hobble their new systems by clumsily implementing backward-compatibility, or they break backward compatibility completely. They never get the balance right.
So yes, they *are* that stupid!
Of course, they are *also* that slimy that they will deliberately fiddle with your machine, without your knowledge, purely for their own ends.
Excerpt from XP SP2 Professional EULA
2. AUTOMATIC INTERNET-BASED SERVICES. The Software features described below are enabled by default to connect via the Internet to Microsoft computer systems automatically, without separate notice to you. You consent to the operation of these features, unless you choose to switch them off or not use them. Microsoft does not obtain personal information through any of these features. For more information about these features, please see your Software documentation, the Microsoft online support site, or the privacy statement at http://go.microsoft.com/fwlink/?LinkId=25243.
So m$ can update components of your machine without permission, silently, stealthily. I would hazard a guess that the reading or transfer of data from any file on your PC to m$ is also possible silently and stealthily.
For those of you who still trust m$, or indeed any large multi-national corporation. Wake the fugg up! You are a consumer, a source of income and nothing more.
Re:Regardless what its purpose is..
Do you really think the windows update system can be hacked?
This update does not open it up to hackers, you clearly have no clue how it works.
Just to be clear, "Hackers cannot use the Windows update system"
If they could it would have happened a long long time ago.
Is the placement of any files on your computer property without your knowledge breaking any UK law?
If so, then why has not any person taken them to court?
If so, then why have not any of our elected representatives taken action?
If not, then we must have a law that unambiguously requires that any commercial software must come with accessible documentation that describes any communication, and the reason for it, with any device external to the computer that the software is installed on and that the user has the option to stop said communication.
The EULA is not valid, they installed Malware
"It is clearly stated in the EULA (or an addendum to the EULA) that Microsoft can and will make changes to Windows whenever they find necessary."
The EULA is an after-sale contract. I do not accept that when I buy a computer I am buying a 'license' with terms to be disclosed at a future time constitutes a contract. The purchase is not the same as buying a service delivered in future, such as buying an airline ticket, or buying a cruise ticket. I am buying a product that I take home immediately, there is no future 'service' aspect and no reason for any additional terms to be disclosed at a future date.
If a court should ever decide that MS EULAs *are* contracts, then I do not accept that I agreed to the EULA. Clicking 'I Accept' does not indicate my acceptance of those terms, I am exercising my rights under the unfair contracts act, to ignore unfair terms in contracts that are not individually negotiated. Microsoft's EULA is not individually negotiated with their customers and hence subject to this law that permits people to ignore the unfair terms.
I told it not to auto update my machine, Microsoft has deliberately ignored my choice and installed software, no different to any other malware installer. It did not have my permission, there was a clear refusal there. How come I should accept such an action from them?
As for *requiring* it to be updated to permit future updates, that is false. Any future update could simply be provided as a download link to a web browser. That does not require auto update to be upgraded.
I think this is part of their 'black screen of death' story, where they plan on turning off machines that WGA thinks are not genuine Windows licensed machines. That is why I think they forced this malware on people.
They claimed after this received negative press, that it was a hoax and they had not rolled out any such upgrade. We now find that this is false and they have rolled out a forced upgrade.
In other words I think they installed malware intended to attack your machine at their discretion at a future time.
To me the first machine they turn off that is falsely disabled should result in a criminal prosecution, no different than if any other malware company had installed software to attack your machine. It is no different.
less of the senseless MS bashing please
If the Automatic Updates service is switched off, or configured never to check for updates then it won't. The issue here is the paranoid crowd flying off the handle because the Automatic Updates service silently updates itself (and nothing else) without user interaction. Am I the only one who thinks that people are grossly overreacting? Let's be honest, if the auto-update service prompted you that it needed to be updated before you could check for other updates it'd just serve as another barrier to people keeping their computers updated, and consequently we'd have even more vulnerable computers ready to start accepting commands from botnet controllers.
I'm hardly a big fan of their business practices but they're damned if they do and damned if they don't here. Either the generic home user turns off "all those annoying update options" because they don't understand what it's doing, or the DON'T TOUCH MY COMPUTER!!!!11111 crowd go mental.
EULA - worthless?
I've often wondered if the EULA is actually enforceable in a company. It's the case that very few people in a company, particularly large organisations, have the right to sign a contract on behalf of that company.
Therefore it can't be enforceable?
Has this ever been tested?
Not a push mechanism
Just a minor point, but I don't think that these updates are 'injected' onto your PC. I thought that Windows Update made a request to an MS server, which would then supply the updates. So it doesn't provide a loophole to hackers.
Well, assuming that it's not riddled with bugs anyway.
Perhaps the EULA should be tried in court, it would be interesting, as on the one hand you have what a country defines as virus creation and hacking, and then you have on the other a company saying we reserve the right to hack your system.
It would be interesting to see how the EULA stands up in many countries. My major concern with EULA is that they "never" get read, they are in a language your average user doesn't understand, and you don't get a chance to negotiate the contract.
Take it to court, see what happens.
Now do I choose a nice iMac or do I go linux.....hmmmm
@ Ken Hagan
>>so all those who turned it off are now permanently cut off from WU, but they will never actually discover this because the older version of the software just isn't compatible with even the most basic "you are out of date" notification.<<
You're not the only one calling BS here Ken. If the above case were true then anything sat on a shelf in your local PC vendor would be cut off from WU. That's not the case however.
MS == BS on this one.
The fourth option updates as well...
I have a Vista installation with Windows Update switched off completely and I've just checked it... WU has updated itself.
If I could get (when I can get?) certain software running under my other OS installation (the superior one) I'd dump M$ and their 'get-out clauses', sorry I mean their EULA.
Explains those unexplained delays on dial-up
Due to geographical constraints, I access the Internet via 33kbps dial-up.
Because of this limitation, I have set everything to not access the Internet automatically because it is annoying to click on something and then have to wait 3 minutes because (for example) Norton decides that now would be a good time to automatically check for updates.
Honestly, it is almost a full time job to make sure that all these STUPID programs remain set to stay off my connection until I manually tell them to. Every time a Norton software update comes along, it tries to default back to being annoying.
Now those dim-witted twits at Microsoft have been outed. They're plugging up my Internet connection just when THEY think it is a good opportunity; instead of waiting for me to click the button just before I wander off to have supper. This in spite of the settings.
Listen here you stupid-programmers-of-the-world - not everyone has a high speed connection. Even some high speed connections are not very fast. You must keep your programs off my Internet connection NO MATTER WHAT unless I click on the damn button if I have set up your stupid program that way.
In fact, it would be nice if your stupid little software could distinguish the speed of the connection (hint: dial-up is not fast) and automatically configure itself to stay off dial-up connections unless explicitly clicked.
Privacy and all that is important, but a more practical issue is to stay the hell off my thin and slow dial-up Internet connection until *I* decide it is the right time.
Programmers that fail to take this into account are STUPID STUPID STUPID.
I'm talking about *YOU* Norton and Microsoft.
Not to mention MS-Vista software on my new laptop (like IE) crashing (!) because the Internet connection went open circuit somewhere along the line. STUPID.
From what your article said, these "stealth" updates only occur if Automatic Updates is turned on in some form.
Even though AU may be set only to notify you of available updates, it is still turned on - and it is updating itself to work better. If AU is off and you visit Windows Update, this process is far more obvious - you have to install an update to WU before you can check for Windows Updates.
Microsoft's only fault here IS lack of transparency. When you turn on AU, it should be made clear to you that AU may update itself regardless of whether other updates run automatically. Either that, or it should ask the user explicitly before updating itself. They've created enough trouble already with things like WGAN - they REALLY should know better by now!
Nowadays, few people can be unaware of Automatic Updates. You KNOW it connects to Microsoft and downloads data. Far from complaining that this is virus-like activity, you should be grateful - if hackers found a way to compromise AU, this automatic updating is exactly the way Microsoft would try to close the hole.
Nobody is "cut off" from WU. If you turn on AU, it will update itself to the latest version, then you can get updates. If you visit the Windows/Microsoft update site, you will be asked to update the software, then you can scan for updates.
Agree with John Doe
It's not like a car manufacturer tinkering with your car when you've locked it, it's like the salesman saying "You don't actually own the car, you are licensed to use it. We can come to your house and tinker with your car when we want. We don't have to notify you beforehand, or ask permission." before you buy it, and then whinging impotently, toys-out-of-pram style, when they do just that.
If you don't like it, get another OS.
"ensure that Windows Update will behave in dependable manner in the future"
Read : "ensure that we will retain access to your PC whatever you do".
Nothing new under the sun, folks. As has been exhaustively pointed out above, MS has a perfect (ahem) track record as far as respecting the consumer is concerned.
What is more insidious is that this "you are now mine" mentality has been taken up across the board.
Once upon a time, when you installed a new application, it would quietly go to its own little folder and sit there innocently, not bothering anything else. Nowadays, there is no longer any application from any street vendor that does that. No, these days they impose upon you to let them write whatever they want in the Windows directory (and they write, by God do they write !), they muck up that joke of a database called the Registry six ways from Sunday, and then they have the gall to make you click on a pseudo-legal agreement that they can change whenever they want without your consent, agreement by which you acknowledge that whatever they did to muck up your computer, you cannot hold them responsible.
A hundred years ago, if a vendor had tried to do that, the people would have taken him to the nearest tree with a length of rope and left him hanging.
Nowadays ? Well, we can't let the terrorists win, can we ? Bend over then, have some more. And don't forget to pay on your way out.
Only yourself to blame
Anyone who lets their Windowbox connect to the net gets what they deserve.
firewall, not an MS one, blocking the connections?
seems basic common sense with a windows machine
It didn't happen and we promise never to do it again...
CHANGING SYSTEM PROPERTIES
I have Win XP SP2 installed on my system. I was perplexed, for I remembered clearly having switched off remote desktop and the updates as well. However, I noticed one fine day that my system was operating rather slowly. Ran an antivirus scan (use Avira as of now, if you know any better AV soft please advise at email@example.com), checked for rootkits. I almost gave up but then I thought of checking for remote desktop and the updates option, cos I had read an earlier report of updates slowing down XP systems. What do I find? Yes, you guessed it... It was set for automatic updates, plus the remote desktop was on. This is not to whine about what MS is on to but to serve as a warning and what can you expect from them.
I think the sooner vendors go to open source the better - I also wish Apple would relax a little to allow users to adopt their OS as there are a lot of clause all aimed at invalidating the warranty which to be quite frank put me off it.
For the past few years Microsoft have blatantly been marketing orientated and for some strange reason the powers that be overlook Microsoft's data collection policies.
I installed Veritas onto a server once in which part of the server install was the .Net 2.0 framework - the router crashed during the install (which I didn't think was required anyway for a local install) - an error message flagged advising the connection to a URL had been dropped (something like - http://s.microsoft.com/register)
On querying this with Symantec (Who were seemingly as shocked as myself) it turned out Microsoft had taken the liberty of allowing each install to register itself. I did query the contents of data which was logged but alas I am still awaiting the information Microsoft said they would supply.
I must however point out another 'Big Guy' for whom this is common practice is Sky TV - they also routinely collect personal data on viewing - although they advise they do not track where they get viewing stats from, which to me defeats the purpose if you don't track where it comes from to allow correlation.
Please explain to my CEO why the company is going down
So Mr MS you have deliberately installed stuff without my consent, so when my main business critical servers go belly up and the apps start failing, please can you explain to my CEO why we are crapping out money at a rate that would rival a Posh Spice shopping spree!
I think the portion of the EULA that applies here is this one.
2. AUTOMATIC INTERNET-BASED SERVICES. The Software features described below are enabled by default to connect via the Internet to Microsoft computer systems automatically, without separate notice to you. You consent to the operation of these features, UNLESS YOU CHOOSE TO SWITCH THEM OFF OR NOT USE THEM (my caps). Microsoft does not obtain personal information through any of these features.
Seems to me that by selecting "let me choose when to install them" or "notify me but don't automatically download or install them" in automatic updates you are effectively telling Microsoft not to automatically install software and if they go ahead and do it anyway then they committed a trespass.
"It is clearly stated in the EULA (or an addendum to the EULA) that Microsoft can and will make changes to Windows whenever they find necessary."
Laws override EULAs. Besides, just because the EULA says they're allowed to modify Windows at any time doesn't mean it allows them to break Local Law to do it. It's like buying a clock off a clock maker and you agreeing to allow him to add stuff to it later on. One night he breaks your window with a brick and does some updates, then leaves. ;)
You know what to do...
This is just one of the many reasons why 98SE was my last Windows. It's been said often enough and I fail to see why everyone is surprised when MS screws them, again.
Get Linux. Be in control of your own destiny.
..that'll be the day.
Third party firewall
Time to configure a third party firewall to block all traffic to/from MS, and to alert you when an attempt is made.
Read the initial blog
Geez you MS haters love jumping on the band wagon.
It says in the blog that Windows Update updates itself and he had updates on "Download and don't install". Nothing was updated apart from Windows Update files. It can't download new files without knowing what's out there.
It's like trying to get a file off a server when you have no idea where it is and you can't list it.
A few points about the EULA argument.
1. You mean the "agreement" that pops up when you install Windows? The one I never saw or agreed to because I bought the box with Windows on it? Not sure if XP/Vista require you to agree on your first login but my install certainly didn't.
2. The fact that Kazaa's EULA told everyone that installed it that it contained spyware didn't do them much good.
3. As has been pointed out EULAs are of dubious value in law - you can't read it until you've removed the shrink wrap, at which point you can't return the item for a refund unless it is faulty. I don't think the courts will look too kindly at that catch-22 if you don't agree with the contents of the EULA.
4. Giving permission for someone to access your computer involves *knowing* you gave permission. For example, if I open a public FTP server with a directory that people can download some of my files from I give permission for *everyone* to access that bit of my computer. If however I buy a PC with Windows installed and it already has open shares and some nefarious type accesses my PC using them I *haven't* given permission as I am oblivious to it and so a crime takes place.
Given the complexity of the EULA and the fact that some users may never have even been given the opportunity to see it (see #1) it isn't a given that the courts will accept that you *should* reasonably be expected to know what permission you have allegedly given.
5. The EULA isn't a contract. To be a legally binding contract you need 3 things - offer, acceptance and consideration (basically something of value that passes between the 2 parties). MS can argue that the EULA is an offer and clicking accept, yes, agree, whatever constitutes acceptance, but as you never give anything to MS (you pay the shop for your copy of Windows not MS) there is no consideration so no contract.
Bringing it all back to the article, MS are on extremely fragile ground here by not giving you the opportunity to refuse the changes. Of course nothing will be done about it other than them being told not to do it again, but they have committed a prima facie criminal offence in many countries. In the USA I presume it would be a Federal offence given that they "crossed state lines" (wow, I feel like a gangsta rapper saying that)
If you're running Windows, always have Automatic Updates completely off, and use a good (i.e. third party) firewall and AV to protect you in the absence of patches that might be applied by Windows Update.
Been doing it for years, haven't been hit yet. Among my machines are one running Win2KProSP4 with no updates applied, and another running WinXPProSP1, again never updated.
Of course this could prevent you running IE7 or the latest WMP, but who wants those when Firefox and DivX Player are available?
Why should we care
we don't even own the copy of Windows on our PeeCees
Re: EULA comments
Correct me if I'm wrong, but doesn't the law of the land override any contractual obligations, regardless of whether that contract claims you've signed away certain rights.
And anyway, stealth injections without your knowledge are still an unauthorised access - you haven't given your express permission for those files to be installed or executed on your machine.
Very nicely put, my friend.
@Read the EULA before you click....
I'm curious. In order to update Windows MS has to go through my hardware (modem, NIC card, CPU, Etc). Could turning off automatic updates be used as implied denial of access to my hardware? In short MS trespassed on my property without my knowledge to get to their software.
If I manually start the update process I could see them doing a hidden update and getting away with it legally as it can be implied that I gave them permission. If they had put up a window that requires me to agree to an update, that is also permission to access my hardware. Doing it behind the user's back cannot be legal no matter what rights they may have to 'their' software.
So, does the EULA say that they also own my hardware?
Careful everyone, one of these days they are going to stick a line in there that says 'By agreeing to the EULA all property that you own is hereby transferred to our ownership. Please vacate the premises within 30 days.'