Is Microsoft Doing a Stealth Update?

Published: 2007-09-13
Last Updated: 2007-09-27 19:32:41 UTC
by Deborah Hale (Version: 2)

We have received several emails from readers today regarding concern over reports that Microsoft had begun patching files on Windows XP and Vista without users' knowledge. It was reported that even though the user had turned off auto-updates, some of the files were still being updated.

 

windowssecrets.com/2007/09/13/01-Microsoft-updates-Windows-without-users-consent

blogs.zdnet.com/hardware/

There is a lot of concern about these updates, and rightfully so. One of our readers, Wade, posed some very interesting questions in regard to this issue. Here is what he had to say:

“In the case of compliance auditing, does this revelation mean that unless we completely block access to the Microsoft update servers at the firewall, we cannot attest that we have full knowledge and control of all changes to our systems? Does this functionality classify as malware, in that changes to "your" system are occurring without your explicit knowledge or consent? (Ignoring the fact that you "signed" the EULA absolving Microsoft from any wrongdoing in any situation).”

As I thought about his questions, I have to admit that I agreed with him: it does raise some issues in the area of compliance auditing and the ability to say without a doubt that we have full control and knowledge of all changes made to our systems. I was concerned about how I would answer this question on my next audit.

So I decided to check with Microsoft to see what this was all about. I quickly received information that has helped to at least put my mind at ease. From what I can tell from the Microsoft information, this update does not take place automatically; it takes place when you go to their update site. So if you never go to the update site or never check for updates, you will not get the updates.

blogs.technet.com/mu/archive/2007/09/13/how-windows-update-keeps-itself-up-to-date.aspx

Microsoft’s article contains this:

“Before closing, I would like to address another misconception that I have seen publicly reported. WU does not automatically update itself when Automatic Updates is turned off; this only happens when the customer is using WU to automatically install upgrades or to be notified of updates.”

So, I guess I feel a little better about this. There is still the possibility, I suppose, that Microsoft could install some other program via this process without our knowledge. (Malware and virus authors have been silently installing programs this way for years.) For this reason we have to remain vigilant, watchful, and not become complacent when it comes to our computers and our networks.
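The practical answer to Wade's compliance question is to stop relying on the update mechanism's promises and instead keep your own record of what changed. The script below is an added example, not from the diary or from Microsoft: it snapshots the SHA-256 of every file under a directory into a JSON baseline and later reports which files appeared, vanished, or changed. The directory and file names are whatever you point it at (nothing here encodes the Windows Update client files, which the diary does not list); the sample files in the usage comments are hypothetical.

```python
import hashlib
import json
import os
import sys


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root):
    """Map every regular file under root (path relative to root, '/'-separated)
    to its SHA-256 and size. Symlinks are skipped so a link cannot stand in
    for the file it points at."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(full), "size": os.path.getsize(full)}
    return baseline


def save_baseline(baseline, path):
    """Persist a baseline as sorted JSON; keep this file off the audited host."""
    with open(path, "w") as handle:
        json.dump(baseline, handle, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as handle:
        return json.load(handle)


def compare_baselines(old, new):
    """Return the files that were added, removed, or whose content changed
    between two baselines (content is judged by hash, not by size or mtime)."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new)
                      if old[p]["sha256"] != new[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


if __name__ == "__main__":
    # Hypothetical usage:
    #   python baseline.py snapshot /some/dir baseline.json   (before the audit window)
    #   python baseline.py compare  /some/dir baseline.json   (exit 1 if anything changed)
    mode, root, store = sys.argv[1:4]
    if mode == "snapshot":
        save_baseline(take_baseline(root), store)
    else:
        report = compare_baselines(load_baseline(store), take_baseline(root))
        for kind in ("added", "removed", "modified"):
            for rel in report[kind]:
                print("%-9s %s" % (kind, rel))
        sys.exit(1 if any(report.values()) else 0)
```

The baseline file itself has to be stored somewhere the audited machine cannot rewrite, otherwise whatever changed the files could also change the record of them; a hash-only comparison also says nothing about who made a change, so it complements, rather than replaces, the update logs.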

Thanks to everyone that contributed links and information.

Update: (2007-09-27 19:15 UTC by jac) There was a follow-up story in Windows Secrets today about machines with this update being unable to reinstall patches if the "repair" option was used to reinstall the OS. Our Microsoft sources have responded that they were only aware of one support call on the issue, but stated:

  • We are aware of reports about customers not being able to download some updates from Windows Update when using the latest version of the Windows Update client and after reinstalling Windows XP system files from CD.
  • We take this issue very seriously and are investigating the root cause of this behavior and what options are available to address it.
  • Customers that are experiencing this issue are urged to contact customer support at no charge at 1 (866) PCSAFETY (http://www.microsoft.com/protect/support/default.mspx).

Experimental Storm Worm DNS Blocklist

Published: 2007-09-13
Last Updated: 2007-09-13 12:49:58 UTC
by Johannes Ullrich (Version: 1)
Threatstop is currently experimenting with a DNS-based blocklist scheme to dynamically block Storm worm infected hosts. It's a test list they offer for free to get some feedback on how well it works for people.

The basic idea of their blocklist scheme is not like traditional DNS blocklists, which require a DNS lookup for each new IP address seen. Instead, you add a hostname to your blocklist, which will then resolve to multiple A records, each of which is an IP address to be blocked. It appears that most firewalls will refresh the list whenever the TTL for the record expires.

Currently, the following hostnames can be used:

  • basic.threatstop.com
  • basic1.threatstop.com
  • basic2.threatstop.com
  • basic3.threatstop.com
  • basic4.threatstop.com

Each one resolves to a set of Storm infected IPs. This is just a temporary service to test this distribution method with a larger set of users. For more details, see the threatstop.com website.
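For a firewall that cannot take a hostname as a block source, the same distribution scheme can be driven from a small script. The following is an added example, not Threatstop's own tooling: it resolves each listed hostname to all of its A records, merges them, re-resolves only after the TTL has elapsed (the refresh behaviour the diary describes), and emits one iptables DROP rule per address. Two assumptions: the stdlib resolver (`socket.getaddrinfo`) does not expose record TTLs, so the refresh interval is supplied by the caller; and because the list is an external input, every answer is checked against a deny-list of address ranges you never want to block (your own LAN, loopback, 0.0.0.0) so a wrong or poisoned answer cannot turn into a self-inflicted outage. The sample answers at the bottom are constructed from RFC 5737 documentation addresses so the script runs offline.

```python
import ipaddress
import socket
import time

# Hostnames named in the diary; each resolves to a set of addresses to block.
THREATSTOP_HOSTNAMES = [
    "basic.threatstop.com",
    "basic1.threatstop.com",
    "basic2.threatstop.com",
    "basic3.threatstop.com",
    "basic4.threatstop.com",
]

# Ranges that must never become a DROP rule, whatever the blocklist says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def system_resolver(hostname):
    """All A records for hostname via the stdlib resolver. getaddrinfo() hides
    the TTL, which is why DnsBlocklist takes ttl_seconds as a parameter."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # unresolvable: contributes nothing this round
    return sorted({info[4][0] for info in infos})


def usable_block_address(text):
    """Return an IPv4Address for text, or None if it is malformed or falls in
    a range we refuse to block."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ValueError:
        return None
    if any(ip in net for net in NEVER_BLOCK):
        return None
    return ip


class DnsBlocklist:
    """Union of the A records behind several hostnames, re-resolved once the
    TTL has elapsed. Keeps the last good set if every lookup fails."""

    def __init__(self, hostnames, resolver=system_resolver, ttl_seconds=3600,
                 clock=time.monotonic):
        self.hostnames = list(hostnames)
        self.resolver = resolver
        self.ttl = ttl_seconds
        self.clock = clock
        self.addresses = set()
        self.rejected = []        # (hostname, answer) pairs that failed validation
        self.expires_at = None    # None until the first lookup

    def refresh_if_expired(self):
        """Re-resolve when the cached set is stale. Returns True if a lookup ran."""
        now = self.clock()
        if self.expires_at is not None and now < self.expires_at:
            return False
        fresh, rejected = set(), []
        for host in self.hostnames:
            for text in self.resolver(host):
                ip = usable_block_address(text)
                if ip is None:
                    rejected.append((host, text))
                else:
                    fresh.add(ip)
        if fresh:
            self.addresses = fresh
        self.rejected = rejected
        self.expires_at = now + self.ttl
        return True

    def iptables_rules(self, chain="INPUT"):
        """One DROP rule per blocked address, in numeric order."""
        self.refresh_if_expired()
        return ["iptables -A %s -s %s -j DROP" % (chain, ip)
                for ip in sorted(self.addresses)]


# Constructed sample answers (RFC 5737 documentation ranges) standing in for
# the real records; 10.0.0.1 is included to show the validation step rejecting it.
SAMPLE_ANSWERS = {
    "basic.threatstop.com": ["192.0.2.10", "192.0.2.11", "198.51.100.5"],
    "basic1.threatstop.com": ["203.0.113.7", "192.0.2.10", "10.0.0.1"],
}


def sample_resolver(hostname):
    return SAMPLE_ANSWERS.get(hostname, [])


if __name__ == "__main__":
    # Swap sample_resolver for system_resolver (and the full hostname list) for real use.
    bl = DnsBlocklist(SAMPLE_ANSWERS, resolver=sample_resolver, ttl_seconds=300)
    for rule in bl.iptables_rules():
        print(rule)
    for host, text in bl.rejected:
        print("# skipped %s from %s: refused range" % (text, host))
```

With hundreds of addresses, appending individual rules is slow to apply and to match; the same address set would normally go into an ipset (or the firewall's native address-list object) that a single rule references, and the script's job becomes refreshing that set on each TTL expiry.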