09.17.07

The problem with Microsoft stealth updates

Posted in Business, Software, Technology at 3:05 pm by LeisureGuy

I blogged earlier about how Microsoft updates its OS on your computer, even if you’ve turned “automatic updates” off. Bruce Schneier points out the serious problem:

Note that Microsoft can do this; that’s just stupid company stuff. But what’s to stop anyone else from using Microsoft’s stealth remote install capability to put anything onto anyone’s computer? How long before some smart hacker exploits this, and then writes a program that will allow all the dumb hackers to do it?

When you build a capability like this into your system, you decrease your overall security.

Some comments at the link contest his analysis.

1 Comment »

  1. Zach said,

    http://blogs.technet.com/mu/archive/2007/09/13/how-windows-update-keeps-itself-up-to-date.aspx

    The Microsoft Team stated this does not happen when auto updates are turned off. Also, in response to Bruce Schneier’s comments, any program you install can call home and check for an update. You’ve seen Java, Acrobat, Flash, etc., all tell you there’s an update. Your antivirus software does this as well. The Windows Update service is not a ‘back door’ per se, it’s a front door. To prevent this from happening, install a 2-way firewall like Zone Alarm or PC-Cillin and it won’t let anything call home unless you say it’s OK to do so.

