Get the latest Windows updates securely

By Diane Korngiebel

Reports of Microsoft’s silent updates published on Sept. 13 and 20 by Windows Secrets raised security questions for many readers.


But with a little bit of know-how, you can keep risks to a minimum when getting updates using Internet Explorer or Mozilla Firefox.

Add extra security to your update strategy

Following our stories about Microsoft’s silent updating of Windows Update, a large number of readers wrote in asking whether hackers might be able to use a similar mechanism to access their PCs.

Although there is no evidence that anyone has yet compromised the Windows Update service itself, the unfortunate answer is that hackers have already been using components of Windows Update to bypass firewalls, as reported by Symantec, Computerworld, and elsewhere last May. The method involves calling on the Background Intelligent Transfer Service (BITS), which is part of Windows XP, Windows Server 2003, and Windows Vista.

The good news is that reader Paul Jackson has come up with a tip that may reduce the risks posed by this service:
  • “I completely turn off Windows Update by disabling the Automatic Updates service and setting the BITS service to manual. I have an older machine so every little thing I can do to help performance is welcomed.

    “When I decide to do a Windows or Microsoft update, I run a batch file that changes the Automatic Update service type to Automatic, starts it and also starts the BITS service.

    “I then run Microsoft update. When that’s done, I run another batch file to turn everything off and disable the service.”
Just to clarify, I have taken the liberty of moving the commands in Paul’s batch files to the steps below. The process is almost the same for XP and Vista, although Vista’s User Account Control will give you some confirmation prompts.

Step 1: Choose Start, Run (XP) or Start (Vista). Type services.msc and press Enter.

Step 2: Double-click Automatic Updates (XP) or Windows Update (Vista). For Startup type, choose Disabled and click OK.

Step 3: Double-click Background Intelligent Transfer Service. If the Startup type is not already set to Manual, choose that option and click OK. Close the Services window.

Step 4: Open Notepad and copy and paste these lines into its window:

sc config wuauserv start= auto
sc start wuauserv
sc start BITS

Step 5: Save the file with a name like Before_Update.bat. Be sure to include the .bat or .cmd extension.

Step 6: In Notepad, choose File, New. Then copy and paste these lines into its window:

sc stop BITS
sc stop wuauserv
sc config wuauserv start= disabled

Step 7: Save the file with a name like After_Update.bat. Be sure to include the .bat or .cmd extension.

Step 8: Vista only: Create shortcuts for each batch file by using the right-mouse button to drag and drop the file icons; choose Create Shortcuts Here. Right-click one shortcut and choose Properties. On the Shortcut tab, click Advanced. Check Run as administrator and click OK twice. Repeat for the other shortcut.

Step 9: When you want to get updates, double-click the Before_Update batch file (XP) or shortcut (Vista). Then use Windows Update to download the patches you need. Finally, double-click the After_Update batch file (XP) or shortcut (Vista).
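
The two-file routine above leaves the update services enabled if the second batch file is forgotten or runs without administrator rights. The following single-file variant is an added example, not one of Paul's batch files: it runs the same six sc commands around a pause and then checks that the services really ended up stopped and disabled. It assumes the Server service is running, because the net session elevation check relies on it.

```batch
@echo off
rem Added example: one-file version of Before_Update.bat and After_Update.bat.
rem Assumption: run as an administrator (XP) or via "Run as administrator" (Vista).
setlocal

rem "net session" returns a non-zero exit code when the caller is not an administrator.
net session >nul 2>&1
if errorlevel 1 (
    echo This script must be run as administrator.
    exit /b 1
)

rem --- Before: the same three commands as Before_Update.bat ---
sc config wuauserv start= auto >nul
sc start wuauserv >nul
sc start BITS >nul

echo Update services are running. Get your updates now, then return here.
pause

rem --- After: the same three commands as After_Update.bat ---
sc stop BITS >nul
sc stop wuauserv >nul
sc config wuauserv start= disabled >nul

rem "sc stop" returns before the service has finished stopping, so poll briefly.
set tries=0
:wait
sc query wuauserv | find "STOPPED" >nul && sc query BITS | find "STOPPED" >nul && goto verify
set /a tries+=1
if %tries% GEQ 10 goto verify
rem ping is used as a 2-second delay because XP has no timeout command.
ping -n 3 127.0.0.1 >nul
goto wait

:verify
rem Report anything that did not return to the locked-down state.
set rc=0
sc qc wuauserv | find "DISABLED" >nul || (echo WARNING: update service is not disabled. & set rc=1)
sc query wuauserv | find "STOPPED" >nul || (echo WARNING: wuauserv is still running. & set rc=1)
sc query BITS | find "STOPPED" >nul || (echo WARNING: BITS is still running. & set rc=1)
if %rc%==0 echo Update services are stopped and the update service is disabled.
exit /b %rc%
```

Save it with a .bat or .cmd extension as in Step 5; on Vista, launch it through a Run as administrator shortcut as in Step 8.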

Firefox add-ons are workarounds, not panaceas

Regarding the tips published in our Sept. 13 and 20 issues for accessing the Windows Update Web site using the Mozilla Firefox browser, reader Leland Whitlock writes:
  • “I tried your method of using User Agent Switcher in order to run Windows Update, but it only works if you have the IE Tab installed. Then it automatically uses an IE Tab when you go to Microsoft Update. I think the problem is Windows Update uses ActiveX controls for access and Firefox, as far as I know, can’t run ActiveX.”
You are absolutely correct, Leland. Several readers reported similar frustrations. It appears that if you want to access Windows Update using Firefox, you have to accept the risk of using ActiveX.

You can, however, take steps to reduce your risks when using the IE Tab. It turns out that many of the security settings that you designate on your copy of IE are retained by the version embedded in Firefox. For example, I tested cookies, scripting of Java applets, ActiveX settings, and active scripting. For all of them, the embedded IE Tab followed the settings I had in IE.

Therefore, customizing IE 7’s security settings can also make Firefox safer when using the IE Tab. These tweaks were described in the Oct. 26, 2006, issue. As an exception to the settings described there, you’ll need to use the following three options to access Windows Update in Firefox:
  • ActiveX controls and plug-ins:
    Run ActiveX controls and plug-ins: enable
    Script ActiveX controls marked safe for scripting: enable

  • Scripting:
    Active scripting: enable
So while you can use the IE Tab extension to access Windows Update without ever leaving the comfort of your Firefox browser window, you will still be exposed to the risks of running Internet Explorer. Consequently, I call this a workaround rather than a solution. Just remember to click the tab to display the Firefox logo when you’re done using Windows Update.

Bonus tip: If you really want to get patches and updates securely while using Firefox, you can do without the IE Tab entirely. Instead, manually download and install each patch you need from the Microsoft Download Center. The star-like WGA (Windows Genuine Advantage) logo by a patch lets you know which ones to avoid if you don’t want to install that component.

Secunia posts FAQ to answer reader questions

Several readers had problems with the Online Software Inspector at Secunia.com (not to be confused with the company’s Personal Software Inspector and Network Software Inspector). Some users weren’t finding the answers they needed on Secunia’s site or by e-mail. For example, Richard Bellin writes that he hasn’t received replies to messages he’d sent.

I contacted Secunia and received a response in one day. Here are the company’s answers to some of the most common questions readers submitted:

Q: Is Vista supported?
A: As the Online Software Inspector is browser-based, Vista should be supported.

Q: Which versions of Java are needed to run the Online Software Inspector?
A: The Software Inspector requires version 1.5.0_12 or later.

Q: Why does the Online Software Inspector keep finding nonsecure software when I’ve uninstalled it manually? And why are there so many versions of Flash on my computer?
A: The answers to these questions depend on the specifics of your system. However, Secunia has recently posted a FAQ that should help answer these and other questions.

Readers Bellin, Jackson, and Whitlock will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.

The Known Issues column brings you readers’ comments on our recent articles. Diane Korngiebel is Windows Secrets’ editorial assistant.

All Windows Secrets articles posted on 2007-09-27: