EUIST


Is Microsoft fiddling with system files without permission? Survey says ….

September 14th, 2007

Our sister blog recently published:

CyTRAP Labs quicktip – making Windows event logs reveal their secrets

You may have also read reports and newsboards regarding Microsoft having begun patching files on Windows XP and Vista without users’ knowledge. Apparently users had turned off Automatic Windows Update, hence, on your behalf we started checking into this.

After some checking on our own and discussing it with other experts we found the following files under C:

Better security – Windows – stealth patch check

C:\WINDOWS\system32

Windows XP:
1. cdm.dll
2. wuapi.dll
3. wuauclt.exe
4. wuaucpl.cpl
5. wuaueng.dll
6. wucltui.dll
7. wups.dll
8. wups2.dll
9. wuweb.dll

Windows Vista:
A. wuapi.dll
B. wuapp.exe
C. wuauclt.exe
D. wuaueng.dll
E. wucltux.dll
F. wudriver.dll
G. wups.dll
H. wups2.dll
I. wuwebv.dll

The nine executables in C:\Windows\System32 will either show: A) an earlier version number, 7.0.6000.374, or B) the stealth patch number, 7.0.6000.381. Incidentally, as you know, the version numbers can be seen by right-clicking a file and choosing Properties.

In XP, click the Version tab and then select File Version. In Vista, click the Details tab.
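As an added example (not part of the original post), the PowerShell below automates the Properties-dialog check over the XP and Vista file lists above, reading each file's version from the numeric version fields and classifying it as A (earlier), B (stealth patch) or neither. The file names and the two version numbers are the post's; the OS detection, the handling of missing files and the output layout are assumptions.

```powershell
# Added example, not CyTRAP Labs' or Microsoft's code. Checks the Windows Update
# client files listed in the post against the two version numbers it quotes.
# Needs only read access to %SystemRoot%\System32; makes no changes.

$Expected = @{
    Earlier = [version]'7.0.6000.374'   # A) earlier version (from the post)
    Stealth = [version]'7.0.6000.381'   # B) stealth patch  (from the post)
}

# File lists exactly as given in the post, per platform.
$Files = @{
    XP    = 'cdm.dll','wuapi.dll','wuauclt.exe','wuaucpl.cpl','wuaueng.dll',
            'wucltui.dll','wups.dll','wups2.dll','wuweb.dll'
    Vista = 'wuapi.dll','wuapp.exe','wuauclt.exe','wuaueng.dll','wucltux.dll',
            'wudriver.dll','wups.dll','wups2.dll','wuwebv.dll'
}

# Assumption: XP reports NT 5.x and Vista NT 6.0; anything else is outside
# the post's scope, so we warn and fall back to the Vista list.
$os = [Environment]::OSVersion.Version
$platform = if ($os.Major -eq 5) { 'XP' }
            elseif ($os.Major -eq 6 -and $os.Minor -eq 0) { 'Vista' }
            else { $null }
if (-not $platform) {
    Write-Warning "Not Windows XP or Vista; the file list may not apply."
    $platform = 'Vista'
}

$sys32 = Join-Path $env:SystemRoot 'System32'

foreach ($name in $Files[$platform]) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) {
        New-Object PSObject -Property @{ File = $name; Version = ''; Status = 'MISSING' }
        continue
    }
    # Build the version from the numeric parts rather than the FileVersion
    # string, which can carry a build-tag suffix that breaks a plain compare.
    $vi  = (Get-Item $path).VersionInfo
    $ver = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart,
                                     $vi.FileBuildPart, $vi.FilePrivatePart
    $status = switch ($ver) {
        { $_ -eq $Expected.Earlier } { 'A: earlier version' }
        { $_ -eq $Expected.Stealth } { 'B: stealth patch' }
        default                      { 'other: not one of the two versions in the post' }
    }
    New-Object PSObject -Property @{ File = $name; Version = $ver.ToString(); Status = $status }
}
```

A system where every row reads "B: stealth patch" matches the finding reported below; a "MISSING" or "other" row means the file set on that machine differs from the post's and should be looked at by hand.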

All our systems had B, meaning the stealth patch number. This shows that Microsoft had fiddled with our systems without getting our prior consent to do so.

COMPLIANCE AND Microsoft

When doing an audit and coming across these stealth patch numbers, some serious questions must be addressed:

1) How does this affect the compliance process? When doing the metrics audit check, system administrators will no longer be able to attest that they have full control of all changes being made on the organization's systems and PCs.

[For enterprise customers who use Windows Server Update Services (WSUS) or Systems Management Server (SMS), all updating (including the WU client) is controlled by the network administrator. In turn, this issue affects all SMEs that have chosen not to use these services: their systems are affected.]

2) Because users have agreed to the EULA absolving Microsoft from any wrongdoing in any situation, can Microsoft make changes to the operating system with neither the user's explicit consent nor knowledge? If the EULA permits this, what about issues regarding legal compliance?
Will a court accept a defence claiming that the procedures used meet best practice?

3) Based on point 2, will the court also accept that, because best practice was followed, sufficient prevention efforts were undertaken to make it difficult, if not impractical, for a malicious user to make unauthorized use of our system for attacking another victim's computer (see Swiss law)?

Microsoft has tried to address these concerns in a blog posting:

    One question we have been asked is why do we update the client code for Windows Update automatically if the customer did not opt into automatically installing updates without further notice? The answer is simple: any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available. Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications. That result would not only fail to meet customer expectations but even worse, that result would lead users to believe that they were secure even though there was no installation and/or notification of upgrades. To avoid creating such a false impression, the Windows Update client is configured to automatically check for updates anytime a system uses the WU service, independent of the selected settings for handling updates (for example, “check for updates but let me choose whether to download or install them”). This has been the case since we introduced the automatic update feature in Windows XP. In fact, WU has auto-updated itself many times in the past.

(Get the full text of this posting on a Microsoft blog here: How Windows Update Keeps Itself Up-to-Date)

    One question we have been asked is why do we update the client code for Windows Update automatically if the customer did not opt into automatically installing updates without further notice? The answer is simple: any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available.

Using Microsoft's own wording, the user asked to be notified about updates. Accordingly, this must include updates to the Windows Update service itself. A simple solution for Microsoft, and most importantly one that protects the user's rights and responsibilities, is to have the updater notify the user that it needs updating itself before it goes ahead and updates the rest of the system.

HAVE YOU FORGOTTEN?

Sony BMG rootkit – ooops – we forgot to ask you first before installing it on your PC

SURVEY SAYS

Confirmed: Microsoft is fiddling with your system files without getting your prior consent. What is worse is that this is the case even if you asked to be notified about updates and to authorize them before they are applied.

CyTRAP Labs suggests that Microsoft should do as follows:

1) No software should be installed without asking the user. This applies even if the machine is part of a botnet or is not up to date.

2) No software should be remotely disabled for any reason. No exceptions. This must apply even in cases where the software appears to be 'pirated', because Microsoft has repeatedly misidentified genuine software.

Just because the percentage of cases where this misidentification may have occurred is small does not justify violating this rule.
