Windows Secrets Newsletter • Issue 123 • 2007-09-20 • Circulation: over 270,000
   
     
Contents
INTRODUCTION: New faces bring you more Windows info
TOP STORY: Protect yourself from silent Windows updates
KNOWN ISSUES: Readers state concerns over Windows Update
WACKY WEB WEEK: Vista developers invent wild user interface
WOODY'S WINDOWS: Improve on Windows Explorer with Xplorer²
PERIMETER SCAN: The best way to scan for rootkits
YOUR SUBSCRIPTION: How to change your address or unsubscribe

   
   


   
   
INTRODUCTION

New faces bring you more Windows info

By Brian Livingston

You're starting to see some new bylines in the newsletter, and I'm happy as a bug in a rug to be getting some help around this place.

Our new managing editor is Virginia Culler. She was previously employed by Aditi Technologies of Redmond, Wash., where she worked as a contractor for large high-tech firms. Prior to that, Virginia was a technical writer in Seattle for Milliman Global. She graduated with a degree in linguistics from Bryn Mawr College.

Recently added to our team is editorial assistant Diane Korngiebel. She studied at the Medill School of Journalism at Northwestern University and has been an adjunct professor of history at the University of Arizona, Wabash College, and the University of Central Arkansas. Diane wrote the Known Issues column on Sept. 13 and helped put together this week's as well.

Keep watching, and we'll have even more changes in the newsletter in the next few weeks!

Brian Livingston is editorial director of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books.


   
   
TOP STORY

Protect yourself from silent Windows updates

By Scott Dunn

Microsoft has confirmed Windows Secrets' Sept. 13 story that Windows Update periodically installs certain files even if you've selected a "do not install" option.

Many companies and individuals require prior notification before any files are changed, so I explain today how you can completely prevent silent installs, if you wish.

Microsoft acknowledges the lack of notice

In my Sept. 13 article, I reported that Windows Update (WU) has been silently installing nine small executable files on Windows XP and Vista, despite the fact that users had disabled auto-installation. The files that WU has overwritten to date consist of benign support files — but many Windows users expressed outrage that any process was installing files without notification.

Reaction from Microsoft to the article was almost immediate. In a post the same day on the Microsoft Update Product Team Blog, program manager Nate Clinton confirmed that updates to Windows Update itself are performed without notifying users. This is true even if users specify Let me choose when to install them or Notify me but don't automatically download or install (two of the four options available to users).

In his statement, Clinton acknowledged that the silent file writes are not what users expect after they disable automatic installs:
  • "The point of this explanation is not to suggest that we were as transparent as we could have been; to the contrary, people have told us that we should have been clearer on how Windows Update behaves when it updates itself. This is helpful and important feedback, and we are now looking at the best way to clarify WU's behavior to customers so that they can more clearly understand how WU works."

Soon after Clinton's post, Vista product manager Nick White wrote his own response to the reactions pouring in from angry Windows users:
  • "Your comments are completely understandable and I'm making sure the WU team is well aware of how the community feels on this issue. You'll note in Nate's post (the one I linked to) that we freely admit to having fallen down on this issue and that we can, and should, do better when it comes to behaviors of this type and the necessary disclosure of same. Please know that we hear what you have to say and are taking your feedback seriously. (I, for one, want to avoid similar events in the future, as reactive posts such as this one are not what I want to spend my time blogging about.)"

Clinton's initial explanation, which suggested that Windows Update had no choice but to install support files silently, drew a large number of critical remarks from Microsoft's normally supportive developer community. For example, a commenter identified as TheDave wrote that WU could easily notify users that updates were needed:
  • "The situation I am describing is *exactly* the same thing as happens with a out of the box XP SP2 install, you see a WU update available and nothing more. Once you install WU, you see the dozens of other updates available. Works great in theory, and in practice.

    "There is absolutely no excuse for updating executable code on a customer's machine when the customer has selected a choice of 'but let me choose whether to install them.' Period. Full stop. No exceptions."

Independent test labs confirm the behavior

One of the first test centers to independently confirm WU's silent installs was eWeek Labs. An eWeek analyst, Andrew Garcia, published a blog entry on Sept. 13 documenting the logs of two test machines that had been set to Notify but do not install updates. According to Garcia, even though one of the PCs hadn't been touched in months, both machines showed evidence that version 7.0.6000.381 of the files had been installed in August.

The lab had acted at the request of eWeek's Microsoft Watch columnist Joe Wilcox, one of several journalists who picked up on a press release issued by Windows Secrets publicist Revell-Pechar Inc.

In a series of three blog posts, Wilcox wrote that nothing in the Windows Update Privacy Statement gives Microsoft "permission to update without user consent" (Sept. 12); that "the silent downloads also raise questions about ownership" of users' PCs (Sept. 13); and that Microsoft was using the existence of its employees' blog posts "to avoid answering tough questions the news media might ask about privacy and Windows Update" (Sept. 14).

One blog, Nynaeve, recounted yet another downside to the silent updates. The patching process had awakened the blogger's portable computer from standby mode at 3:00 a.m. while stored in an insulated laptop bag. Because the update process failed to put the computer back into standby after the installation, the laptop's battery was exhausted by the time the writer discovered the problem later that day. Furthermore, the fact that the computer was running in a bag for so long could damage the machine and might even pose a fire hazard.

To say this story has sparked controversy would be an understatement. The comments flying around the Web vary from outrage to the exact opposite position: that Microsoft is completely right to install WU support files, regardless of the user's Automatic Updates preferences.

One account, in the Handler's Diary blog, said there was no cause for concern since the Turn off Automatic Updates setting in the Automatic Updates control panel prevents the silent updates from occurring. (This is true, although it generates repeated boot-up warnings, as described below. Some readers incorrectly inferred from my article that even this setting allows stealthy updates; it does not.)

Perhaps the situation is best summed up by reporter Todd Bishop, who wrote in a Seattle Post-Intelligencer article:
  • "But all of those details shouldn't obscure the bottom line: According to the evidence assembled by Windows Secrets, these updates were silently downloaded and installed, without notifying end users, even in cases where those end users had specifically told Microsoft, through their PC settings, not to install updates without letting them choose to do so."

How to put an end to silent updates

It's important to note that there is no reason to remove or roll back the updated support files that Windows Update may have installed on a PC. There's no evidence that these files are harmful or cause any software conflicts.

Furthermore, if you use a corporate patch management solution, such as Microsoft's WSUS (Windows Server Update Services), you circumvent Windows Update and no files will be installed by WU.

But if you're an individual or a small business using Windows Update (or its enhanced sibling, Microsoft Update), you may be concerned about Microsoft installing patches before you've had a chance to research their reliability. In that case, you can completely turn off the Automatic Updates Agent, thereby preventing updates or even notifications from occurring.

If you take this step, you'll become solely responsible for learning about new Microsoft patches yourself. I'll explain below how to adapt to this situation. In the meantime, here's how to turn off Automatic Updates and prevent stealth installs:

In Windows XP, take these steps:

Step 1. Open Control Panel and launch Automatic Updates (in the Security Center category).

Step 2. Select Turn off Automatic Updates. Click OK.

In Windows Vista, take these steps:

Step 1. Open Control Panel and launch Windows Update (in the System and Maintenance category).

Step 2. In the left pane, click Change settings.

Step 3. Click Never check for updates (not recommended). Click OK.

Step 4. Click Continue, if prompted by User Account Control.

With Automatic Updates turned off, Windows Update will still update itself (and notify you of patches), but only when you manually launch Windows Update and give your consent.
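
To confirm which Automatic Updates mode is actually in effect after following the steps above, and which agent version is on disk, here is a read-only PowerShell check. It is an added example, not part of the original newsletter or any Microsoft tool. The registry paths, the AUOptions value mapping and the three agent file names are assumptions based on the XP/Vista-era Windows Update Agent; 7.0.6000.381 is the version cited earlier in this article.

```powershell
# Added example (read-only): report the Automatic Updates mode in effect and
# the on-disk version of a few Windows Update Agent binaries.
# Requires PowerShell 3.0 or later for [pscustomobject].

# Assumption: registry locations used by the XP/Vista-era Windows Update Agent.
$panelKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Assumption: AUOptions values mapped to the four control-panel choices.
$modes = @{
    1 = 'Turn off Automatic Updates / Never check for updates'
    2 = "Notify me but don't automatically download or install"
    3 = 'Download updates, but let me choose when to install them'
    4 = 'Automatic (download and install on a schedule)'
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Get-AutoUpdateMode {
    $panel  = Get-RegValue $panelKey  'AUOptions'
    $noAU   = Get-RegValue $policyKey 'NoAutoUpdate'
    $policy = Get-RegValue $policyKey 'AUOptions'

    # A Group Policy value, when present, overrides the control-panel choice.
    if ($noAU -eq 1)           { $effective = 1;       $source = 'policy (NoAutoUpdate)' }
    elseif ($null -ne $policy) { $effective = $policy; $source = 'policy (AUOptions)' }
    elseif ($null -ne $panel)  { $effective = $panel;  $source = 'control panel' }
    else                       { $effective = $null;   $source = 'not found' }

    $label = 'unknown'
    if ($null -ne $effective -and $modes.ContainsKey([int]$effective)) {
        $label = $modes[[int]$effective]
    }

    [pscustomobject]@{
        Source    = $source
        AUOptions = $effective
        Mode      = $label
        # Per the article, only the "turn off" mode stops unannounced self-updates.
        SilentSelfUpdatePossible = $(if ($null -eq $effective) { $null } else { $effective -ne 1 })
    }
}

function Get-AgentFileVersion {
    # Assumption: these three files belong to the Windows Update Agent.
    param([string[]]$Names = @('wuauclt.exe', 'wuaueng.dll', 'wuapi.dll'))
    $reference = [version]'7.0.6000.381'   # version cited in the article
    foreach ($name in $Names) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path $path)) { continue }
        $file = Get-Item $path
        $vi   = $file.VersionInfo
        # Build the version from numeric parts; FileVersion can carry extra text.
        $ver  = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                              $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            File           = $name
            Version        = $ver
            LastWritten    = $file.LastWriteTime
            AtOrAboveCited = ($ver -ge $reference)
        }
    }
}

Get-AutoUpdateMode   | Format-List
Get-AgentFileVersion | Format-Table -AutoSize
```

A LastWritten date that postdates your last manual visit to Windows Update, on a machine whose mode is 2 or 3, is the pattern the eWeek test logs described.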

What to do about repeated boot-up warnings

Turning off Automatic Updates can cause Windows Security Alert pop-up balloons to appear in the taskbar tray every time you log on. (See Figure 1.)

Figure 1. Turning off Automatic Updates causes scary error balloons featuring a red shield.

If this bothers you, Windows XP allows you to suppress any warnings that relate to Automatic Updates. You can also do this in Vista but, unfortunately, the newer OS forces you to turn off all security alerts just to suppress the Automatic Updates warnings.

To eliminate the warning balloons about Automatic Updates in both XP and Vista, take these steps:

Step 1. Double-click the red shield icon in the taskbar, or open the Control Panel and launch the Security Center.

Step 2. In the left pane or box, click Change the way Security Center alerts me.

Step 3. In XP, uncheck Automatic Updates and click OK. In Vista, select the second or third option.

Use Secunia's Software Inspector to check for updates

With the Windows Update Agent turned off, how will you know if you have the latest security patches and updates you need?

First, read the Windows Secrets Newsletter that comes out two days after Patch Tuesday. Look in our paid section for descriptions of any patches that are reported to have negative side-effects, and use our recommended workarounds if any problems might affect you. (How to get the paid version.)

Then, to check for needed updates to Windows and dozens of other programs, use the Secunia Software Inspector. This free service was described in the Aug. 16 and Sept. 6 issues of Windows Secrets.

Once you know what updates you need, you can visit the Microsoft Update Web site, which offers updates for both Windows and Microsoft Office. The Secunia report includes a link to Microsoft's site and other update sites so you don't even have to bookmark them.

Users don't expect Microsoft to be perfect. But because of the company's very human mistakes with some previous updates, many customers understandably want to do their homework before installing every patch Microsoft offers. If the company's own software settings can't be trusted to provide that level of control, users will continue to seek alternatives.

Have a tip about Windows? Readers receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the magazine's Here's How section.


   
   
KNOWN ISSUES

Readers state concerns over Windows Update

By Virginia Culler

The Sept. 13 issue of Windows Secrets reported that Windows Update sometimes installs files without notice, even if auto-install has supposedly been disabled.

Many readers are dismayed to learn that their control over their computers is compromised and are asking how they can prevent this in the future.

Stability issues raised in update's wake

The Sept. 13 issue of Windows Secrets revealed that Windows Update has been installing some files silently, despite the fact that users have selected a "do not install" option in the Automatic Updates control panel. Many readers wondered why their firewalls did not bar Microsoft's activity. The answer is that the Windows Update Agent initiated the contact to Microsoft's servers. The resulting file download, therefore, appeared to be an expected response.

Other readers asked if they could — or should — configure their firewalls to reject Microsoft downloads. A reader named Scott W. writes:
  • "Would you be able to publish a list of DNS names and IP addresses that Microsoft uses for Windows Update? I want to block the IP addresses in my router firewall, and I want to disable the DNS names (just in case they change the IP addresses of Windows Update) in my DNS server."

While it's possible to block all Microsoft IPs, it's not an action anyone here would recommend as appropriate for readers.

First, there would always be new server IP addresses that would need to be added to the blockade. An extensive list of entries recently provided in the KezNews forum can give you an idea of how long your table might become — unless you want to use wildcards to block anything originating from the Microsoft domain.

Second, the burden would fall squarely on the end user to determine what needed to be blocked and what didn't. This is far too labor-intensive a solution for most companies, and it may cause unforeseen problems.

If you're really concerned, an easier workaround that simply involves clicking Turn off Automatic Updates is provided in this issue's Top Story.

Microsoft disregards its own definitions

Rob Harmer pointed out that Windows Update's stealthy behavior was in breach of Microsoft's own Aero User Experience Guidelines for Privacy and Security (produced by the Microsoft User Experience Group in October 2003). The policy states:
  • "Be secure by default. Application settings that could compromise user security should be switched off by default. Make users aware of the implications of changing these settings within the context of using the application and before the changes are committed."

Reader Ernie Kitt writes that Microsoft's own definition of a Trojan Horse could easily apply to the silent patches applied by Windows Update. According to Microsoft:

  • "A Trojan Horse meets the definition of virus that most people use, in the sense that it attempts to infiltrate a computer without the user's knowledge or consent."

Thanks for your diligence, Rob and Ernie!

The EULA does not confer carte blanche

Some readers believe that the Windows EULA (End User License Agreement) allows Microsoft to apply updates at will. An anonymous reader writes:
  • "It states in the EULA that Microsoft has every right to do whatever it wants to its operating system. You have limited rights and only those rights that Microsoft gives you, and Microsoft may add, change, or delete them as it pleases. When you buy a computer with the Microsoft operating system, you agree to these terms."

Unfortunately, none of the readers who made this claim actually quoted the EULA. However, eWeek journalist Joe Wilcox published an analysis of the Vista EULA, and found no passage that gives Microsoft the right to update your computer without your consent.

The EULA for Windows XP Pro states:
  • "The Software features described below are enabled by default to connect via the Internet to Microsoft computer systems automatically, without separate notice to you. You consent to the operation of these features, unless you choose to switch them off or not use them."

Given that last sentence, it's hard to see what part of "don't automatically download or install" Microsoft doesn't understand.

Furthermore, regardless of what the EULA may theoretically allow, this is a matter of trust. If a majority of users believe they have set their permissions in the Automatic Updates control panel to prevent certain actions, then Microsoft should respect those preferences. At the very least, Microsoft should notify users in clear, unambiguous language of any changes that may be needed. The notification should also include a link to a Knowledge Base article so users can make informed decisions. The silent installs by Windows Update have no KB article explaining them.

Use Firefox but report IE 7 as your browser

In the Sept. 13 Known Issues column, a reader suggested installing IE Tab, an add-on that lets you run Windows Update from within Firefox. (WU normally requires IE.) But other readers said this approach is no different from running IE 7, including all of its vulnerabilities.

Reader Richard Carter recommends what he considers a better alternative to IE Tab:
  • "It is not necessary to change rendering engines; simply reporting that you are using IE appears sufficient for the Windows updates I have tried.

    "The Firefox add-on User Agent Switcher lets you select what browser you wish to report to the world. Select IE 7, and Windows Update seems to work fine."

Thanks, Richard! User Agent Switcher adds a menu and a toolbar button that let you switch the way the browser identifies itself to Web sites. According to Mozilla's Web site, User Agent Switcher is designed for Firefox, Flock, Mozilla, and Seamonkey. The add-on will run on any platform that these browsers support, including Windows, Mac OS X, and Linux. It supports Firefox versions 1.0 through 2.0.0.x.

Various people in our office tested User Agent Switcher with Windows Update and its sibling, Microsoft Update (which also upgrades MS Office apps). It worked just fine with both Firefox 2.0.0.6 and the recently released 2.0.0.7.

To install User Agent Switcher, go to the Firefox add-ons site. Click Install Now. The installer will restart Firefox when finished or prompt you to do so before the changes will take effect.

To add the User Agent Switcher button to your Firefox toolbar, right-click the toolbar and choose Customize. Drag the User Agent icon to where you want it. When selected, it offers a drop-down menu from which you can choose the browser you want to report.

Readers Harmer, Kitt, Scott W., and Carter will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.

The Known Issues column brings you readers' comments on our recent articles. Virginia Culler is managing editor of WindowsSecrets.com. Editorial assistant Diane Korngiebel contributed to this article.


The address of this issue is http://WindowsSecrets.com/comp/070920

   
   

   
   
WACKY WEB WEEK

Vista developers invent wild user interface

In this video spoof from the Codename Longhorn era, the former Windows Vista design team traces the steps consumers might take in customizing the user interface. (Everyone loves dogs, right? Right???)

Recently posted on the istartedsomething blog, this video's hilarious ending will speak to those of us who have experienced a user interface as more of a nightmare than a dream.

   
   

   
   
YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, plus the week of Thanksgiving and the last two weeks of August and December.

Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial Director: Brian Livingston. Editor-at-Large: Fred Langa. Associate Editor: Scott Dunn. Contributing Editors: Susan Bradley, Mark Edwards, Woody Leonhard, Ryan Russell. Research Director: Vickie Stevens. Program Director: Brent Scheffler. Managing Editor: Virginia Culler. Editorial Assistant: Diane Korngiebel.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period.  Privacy policy

Copyright © 2007 by WindowsSecrets.com LLC. All rights reserved.
