Microsoft Patches without Permission

I’ve been trying to lay off the ‘Windows bad news’ posts here, but this one is just too important to ignore.

There’s an article called “Windows is Spyware”
over at ZDNet talking about a newly discovered (and confirmed) behavior whereby Microsoft patches Windows XP (and apparently Vista) machines without the knowledge or consent of the machine’s owner. I’m pretty sure this means you can’t use Windows in an environment where you’re governed by HIPAA, PCI, or federal security regs, at least without some serious egress filtering to the Microsoft sites at the firewall.

The most amusing point from the article is this:

They seem to think that they own Windows and you and I are just renting our copies. Maybe we should read the lease.

Duh. It says right in the EULA that’s exactly what you’re doing, and in fact the new EULA with Windows XP SP1 stated that Microsoft could do this kind of updating (though they weren’t at the time). Anybody who has requirements incompatible with these kinds of EULAs needs to find a vendor for their OS that doesn’t impose such clauses. Even then you’re at the mercy of the new vendor’s benevolence, so open source operating systems are the only real choice if real control and security are the criteria.

Does anybody have a source for accurate IP ranges of the Windows update servers?

[hat tip -> Glen]