In a concession that isn’t going to earn Microsoft any trust in the larger computing community, Microsoft has publicly admitted it will issue and install “silent” updates to its Windows Update software on end users’ computers, even in some cases where users have specifically chosen not to have Microsoft software updates downloaded and installed automatically. The updates in question are revisions to Microsoft’s Windows Update feature, rather than patches or changes to any other component of the Windows operating system; Microsoft claims these silent updates are necessary if Windows Update is to continue functioning as users expect.
Although Microsoft is not explicitly apologizing for updating software on users’ computers without their explicit permission, Microsoft’s Nick White writes in the Windows Vista team blog: “We do recognize that we should have been clearer in our explanation of this process earlier in the game.”
According to Microsoft, Windows Update does not automatically update itself if users have selected not to check for automatic updates. However, if users have configured Windows Update to either check for updates and prompt the user to download and install them, or automatically download updates and prompt the user for permission to install them, Windows Update may automatically download and install updates to itself. According to Microsoft, this self-update is necessary to enable Windows Update to continue to poll for updated software; thus, the self-update is necessary to carry out the users’ configured wishes to poll for other updated Windows software.
However, some information contradicts Microsoft’s description of the self-update procedure. Windows Secrets says it has seen Windows Update update its own software even when users have Windows Update disabled, and Microsoft’s Nick White wrote that the self-updates happen “regardless of whether the user has enabled automatic checking, download and/or installation of updates.”
Windows Update is widely used by consumers and small businesses as a mechanism to make sure they have the most recent Windows software components; however, it is not widely used in large organizations or enterprises, which use centralized software management tools to control software installed on enterprise computers.
The concern over Windows Update’s self-upgrading feature is two-fold. One concern is that it presents yet another possible vector for attack: if worm writers or other malware authors can find a way to take advantage of this automatic behavior, they may be able to compromise users’ PCs. The second concern is perhaps more troubling to Microsoft: despite the company’s much-publicized dedication to resolving security issues within Microsoft Windows over the last several years, and its commitment to publicly document Windows features and enable users to control their own computers, the company never disclosed this self-updating functionality. At the very least, it’s egg on the software giant’s face.