MS to Users: You Can't Handle the Truth

Users of Microsoft's (Nasdaq: MSFT) Windows operating system may be surprised to learn that Microsoft has been secretly updating their PCs even after they've activated a feature that seemingly prevents automatic updates.

So far, discovery that Microsoft is changing code on users' PCs without their knowledge is limited to a single program -- the Windows Update program that goes online to check for, and initiate the download of, other Windows updates.

"The upshot is that a longstanding procedure in Windows Update requires it to self-update before it is able to recognize that new updates are available," noted Nick White, a Microsoft product manager, on the Microsoft Windows Vista Blog.

"This self-updating is done regardless of whether the user has enabled automatic checking, download and/or installation of updates. It does so in an effort to avoid WU misleading the user to think s/he is up-to-date simply because s/he was not receiving notification that updates are available," he wrote.

For more detail, White pointed to a post from the Microsoft Update Product Team Blog, where Nate Clinton, Microsoft's Windows Update program manager, failed to offer any true technical reason Microsoft couldn't let end users manually start a Windows Update process on their own, at their own discretion.

"Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications," he wrote.

For tech professionals, Microsoft's explanation may ring hollow. It may be easier for Microsoft to automatically update Windows Update, but it is by no means the only technical way to get the job done.

Truth and Consequences

While the practice of secret automatic updates may seem relatively benign, it can have severe consequences.

"The most concerning part of this is the potential for instability within in your environment. Historically, we've had problems with patches from Microsoft in the past where they would break things," Paul Henry, vice president of technology evangelism for Secure Computing, told TechNewsWorld.

"Within the enterprise space, most customers don't automatically update -- they prefer to user a lab environment to test the updates to make certain they don't break anything. That's been taken away from us with Microsoft treading down this path of automatic updates. Personally, I find it rather frightening," he explained.

Potential for Havoc

Even if a Microsoft update doesn't break an application, it can have far-reaching ramifications outside of the PC's plastic case.

"I know a great many people are concerned -- I have friends in the forensic community that are very concerned that an update could make a change to a platform that is being used in a forensic investigation that could potentially alter the outcome of that investigation," Henry said. PCs used in forensic investigations must be very tightly controlled so that no evidence can be altered, and even a possible opening for such alterations could compromise the use of the evidence in a criminal case.

"Some people in law enforcement are now considering blocking access to Microsoft's update servers to prevent this in the future," Henry noted.

Public Awareness

The biggest issue with the update seems to be that Microsoft didn't provide a clear public notice of how the update process works, leading to uncertainty about how it may be used in the future.

"I think what people are fearing is that, if you read Microsoft's license agreement very carefully, Microsoft retains the right to automatically update their code," Henry explained. "Today, Microsoft is updating the update program itself -- tomorrow are they going to be updating my operating system?"

More Faux Pas Than Tech Problem?

"Personally, I don't think it's inappropriate for Microsoft to keep Windows Update updated so that it continues function," Stephen O'Grady, an industry analyst for Redmonk, told TechNewsWorld.

"What is inappropriate is to not be overly transparent in logistical terms, because customers that have chosen non-automatic updating should not be surprised in this fashion," he said.

Most distributions of Linux, O'Grady said, automatically update themselves too. "My Ubuntu [installation], for example, keeps itself updated," he said.

Could a user turn it off entirely?

"Certainly," O'Grady said. "Like most things in Linux, updating is configurable. But out of the box, it keeps itself updated. The difference is that most users are inclined to trust Linux distributions further than Microsoft because there are no licensing or DRM issues involved."