
Microsoft Patches without Permission

I’ve been trying to lay off the ‘Windows bad news’ posts here, but this one is just too important to ignore.

There’s an article called “Windows is Spyware”
over at ZDNet talking about a newly discovered (and confirmed) behavior whereby Microsoft patches Windows XP (and apparently Vista) machines without the knowledge or consent of the machine’s owner. I’m pretty sure this means you can’t use Windows in an environment where you’re governed by HIPAA, PCI, or federal security regs, at least without some serious egress filtering to the Microsoft sites at the firewall.

The most amusing point from the article is this:

They seem to think that they own Windows and you and I are just renting our copies. Maybe we should read the lease.

Duh. It says right in the EULA that’s exactly what you’re doing, and in fact the new EULA with Windows XP SP1 stated that Microsoft could do this kind of updating (though they weren’t at the time). Anybody who has requirements incompatible with these kinds of EULAs needs to find a vendor for their OS that doesn’t impose such clauses. Even then you’re at the mercy of the new vendor’s benevolence, so open source operating systems are the only real choice if real control and security are the criteria.

Does anybody have a source for accurate IP ranges of the Windows update servers?

[hat tip -> Glen]
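The post mentions egress filtering at the firewall as the only practical control and asks for the update servers’ IP ranges. The following is an added example (not from the post or its author) of what a defender would actually run once such a list exists: it checks sample firewall log lines for outbound traffic from change-controlled hosts to the listed ranges, and emits the iptables LOG/DROP rules for that same policy. The ranges used are RFC 5737 documentation networks standing in for the real ones, the host addresses and log lines are constructed, and the rule format assumes an iptables-style `LOG` target; all of these are assumptions, not facts from the page.

```python
import ipaddress
import re

# Placeholder "update server" ranges (RFC 5737 documentation space). The real
# ranges are not given on the page and change over time, so this list is an
# input the operator maintains, not a fact asserted here.
UPDATE_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed addresses of hosts under change control: any outbound update
# traffic from these is a compliance finding, whatever the OS claims to do.
FROZEN_HOSTS = {"10.0.5.21", "10.0.5.22"}

# Constructed sample lines in the shape of an iptables LOG target's output.
SAMPLE_LOG = """\
Aug 12 10:01:02 fw kernel: OUT=eth1 SRC=10.0.5.21 DST=192.0.2.44 PROTO=TCP DPT=80
Aug 12 10:01:05 fw kernel: OUT=eth1 SRC=10.0.5.30 DST=192.0.2.44 PROTO=TCP DPT=443
Aug 12 10:02:11 fw kernel: OUT=eth1 SRC=10.0.5.22 DST=203.0.113.9 PROTO=TCP DPT=443
Aug 12 10:03:40 fw kernel: OUT=eth1 SRC=10.0.5.22 DST=198.51.100.7 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)")


def in_update_ranges(addr, ranges=UPDATE_RANGES):
    """True if addr falls inside any of the configured update-server networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def find_violations(lines, frozen_hosts=FROZEN_HOSTS, ranges=UPDATE_RANGES):
    """Return (src, dst, dport) for each line where a frozen host reached an update range.

    Lines that do not match the expected LOG format are skipped rather than
    treated as findings, so unrelated kernel messages do not create noise.
    """
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        if src in frozen_hosts and in_update_ranges(dst, ranges):
            findings.append((src, dst, int(m["dport"])))
    return findings


def egress_rules(frozen_hosts=FROZEN_HOSTS, ranges=UPDATE_RANGES, chain="FORWARD"):
    """Emit iptables rules that log, then drop, update traffic from frozen hosts.

    Logging before dropping is what makes find_violations() useful: a blocked
    attempt is still evidence that the host tried to update itself.
    """
    rules = []
    for host in sorted(frozen_hosts):
        for net in ranges:
            rules.append(f'iptables -A {chain} -s {host} -d {net} -j LOG --log-prefix "WU-EGRESS "')
            rules.append(f"iptables -A {chain} -s {host} -d {net} -j DROP")
    return rules


if __name__ == "__main__":
    for src, dst, dport in find_violations(SAMPLE_LOG.splitlines()):
        print(f"finding: frozen host {src} contacted update range {dst}:{dport}")
    print("\n".join(egress_rules()))
```

Because the address list is the weak point (the page itself notes nobody has an authoritative one), the safer deployment is a default-deny outbound policy for the frozen subnet with an explicit allow list, and these rules then serve only to attribute the log noise to update attempts.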

3 thoughts on “Microsoft Patches without Permission”

  1. I can’t speak to HIPAA or PCI, but using Windows in federal installations is quite common and not prohibited by any “regs”. Windows is commonly used even on systems which process CLASSIFIED information. Granted, such systems commonly are not connected to the Internet at all, but that’s nothing new, and nothing unique to Windows, either. Same rules apply to Linux. So please stop with the FUD. Microsoft’s tactics are evil; that should be enough. Trying to embellish the evil to be even worse is counter-productive. Employing Microsoft’s own tactics just diminishes your credibility.

    — Ben

  2. BTW, based on the file names of the updated files, I suspect what people are seeing is a “self-update” to the Windows Update client. I’m not positive, but based on what I generally see in Windows Update logs, the first thing WU does is check to see if it should update itself. If so, it does. Only once WU itself is current does it process the list of available updates and check to see if any are needed. That is where the auto-update user preferences get used.

    Note that I’m not suggesting that’s “right” or “proper” behavior, just that it’s known behavior.

    Or it may be something else entirely, and I’m way off. We use a WSUS server at work, so things are “different” for us.

  3. Bill McGonigle

    Ben, there are certain federal regs where you have to have complete control over your change procedures. Certainly not all systems that handle classified data fall into this category, but others do, especially with higher designations.

    If you have those criteria in your branch, disabling automatic updates from the Internet might be one way you can satisfy your regs. If you disable this and Windows Update still updates itself you’re out of compliance. Medical and financial industry requirements (government and bank imposed, respectively) read the same way.

    It’s not enough to say that you can’t bring a laptop with sensitive information out of the building – there are people who need to both be on the Internet and have secret material on their machines, so we typically have checklists, settings, etc. to make sure that they can be on the Internet and also be in compliance (n.b., I didn’t say ‘secure’).

    As to the point of equality with Linux, it’s simply not true. If you tell your update mechanism (yum/apt) to not do any updates, it won’t. It won’t go update just yum, just in case, next time you run yum. It respects that you have a reason to make the choice you did. And, perhaps more importantly, there’s no ability for, say, Duke, to install stuff on your computer without your consent. Just because Microsoft only updated Windows Update doesn’t mean that it’s the only thing they can update. Linux does not have this problem, and we have the source to prove it.
