As its name suggests, Windows Update is a service that primarily delivers updates to Windows. To ensure ongoing service reliability and operation, Microsoft must update and enhance the Windows Update service itself, including its client-side software.

However, Microsoft discussion boards this week revealed that Redmond was updating Windows without permission. Specifically, Windows Update has updated nine files in both Windows XP and Windows Vista over the past few weeks, according to reports.

Disaster Waiting To Happen?

Paul Henry, Secure Computing's vice president of technology evangelism, verified the stealth updates on a Windows machine in his own lab. Henry said that what initially struck him as unusual is that Microsoft began the updates without any end-user notification. Beyond this, he said, there are larger security concerns.

"First, with no way of turning off Microsoft updates, it makes the use of a compromised update process a very attractive vehicle for a would-be hacker," he explained. "Second, this also raises concerns for law enforcement." Henry pointed out that a great deal of caution is exercised to maintain stability in certain environments. For example, documented Microsoft installs in computer forensics are necessary to assure that potential evidence isn't compromised.

Henry said that although the Windows process has not yet created any reported issues, the ramifications of Microsoft's stealth updates have the potential to be significant. He said he can easily imagine a patch being automatically deployed that causes things to break and go terribly wrong in a Windows environment.

"Just look what happened to Skype in the last month," he explained. "An update was released by Microsoft that caused so many PCs to reboot and reinitialize simultaneously that it impacted Skype's ability to reconnect its worldwide network ."

Microsoft Defends the Updates

For those who want to know why Microsoft updated the files automatically, even if users had not opted for automatically installing updates, Redmond offered an explanation.

"Any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available. Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications," said Nate Clinton, program manager for Windows Update, in a statement. (continued...)

1  |  2  |  Next Page >