By Virginia Culler
The Sept. 13 issue of Windows Secrets reported that Windows Update sometimes installs files without notice, even if auto-install has supposedly been disabled.
Many readers are dismayed to learn that their control over their computers is compromised and are asking how they can prevent this in the future.
Stability issues raised in update’s wake
The Sept. 13 issue of Windows Secrets revealed that Windows Update has been installing some files silently, despite the fact that users have selected a “do not install” option in the Automatic Updates control panel. Many readers wondered why their firewalls did not bar Microsoft’s activity. The answer is that the Windows Update Agent initiated the contact to Microsoft’s servers. The resulting file download, therefore, appeared to be an expected response.
Other readers asked if they could — or should — configure their firewalls to reject Microsoft downloads. A reader named Scott W. writes:
- “Would you be able to publish a list of DNS names and IP addresses that Microsoft uses for Windows Update? I want to block the IP addresses in my router firewall, and I want to disable the DNS names (just in case they change the IP addresses of Windows Update) in my DNS server.”
First, there would always be new server IP addresses that would need to be added to the blockade. An extensive list of entries recently provided in the KezNews forum can give you an idea of how long your table might become, unless you want to use wildcards to block anything originating from the Microsoft domain.
Second, the burden would fall squarely on the end user to determine what needed to be blocked and what didn’t. This is far too labor-intensive a solution for most companies, and it may cause unforeseen problems.
If you’re really concerned, an easier workaround that simply involves clicking Turn off Automatic Updates is provided in this issue’s Top Story.
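The firewall behavior discussed in this section can be modeled in a few lines. This is an added example, not code from the original column: it shows why a download requested from inside passes a default stateful firewall, and what a wildcard egress rule changes. The class, the addresses and the host name `download.updates.example` are constructed placeholders, not real update servers.

```python
from dataclasses import dataclass, field

@dataclass
class StatefulFirewall:
    """Toy connection tracker: outbound is trusted, inbound must match a flow."""
    egress_deny: tuple = ()            # hypothetical suffix rules, e.g. (".updates.example",)
    flows: set = field(default_factory=set)

    def _denied(self, host):
        # Suffix match with a leading dot, so "notupdates.example" is not caught.
        return any(host == s[1:] or host.endswith(s) for s in self.egress_deny)

    def outbound(self, local, remote, host):
        """PC opens a connection; host is the DNS name it resolved."""
        if self._denied(host.lower()):
            return "DROP (egress rule)"
        self.flows.add((local, remote))    # remember who started the conversation
        return "ALLOW (outbound)"

    def inbound(self, remote, local):
        """Packet arriving from the Internet."""
        if (local, remote) in self.flows:
            return "ALLOW (reply to tracked flow)"
        return "DROP (unsolicited)"


def demo():
    pc, server, other = "192.168.1.10:49152", "203.0.113.5:443", "198.51.100.7:443"
    host = "download.updates.example"   # constructed name, not a real update server

    default = StatefulFirewall()
    strict = StatefulFirewall(egress_deny=(".updates.example",))
    return {
        "default_out": default.outbound(pc, server, host),
        "default_reply": default.inbound(server, pc),
        "default_stranger": default.inbound(other, pc),
        "strict_out": strict.outbound(pc, server, host),
        "strict_reply": strict.inbound(server, pc),
        "strict_lookalike": strict.outbound(pc, other, "notupdates.example"),
    }


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:17} {verdict}")
```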
Microsoft disregards its own definitions
Rob Harmer pointed out that Windows Update’s stealthy behavior was in breach of Microsoft’s own Aero User Experience Guidelines for Privacy and Security (produced by the Microsoft User Experience Group in October 2003). The policy states:
- “Be secure by default. Application settings that could compromise user security should be switched off by default. Make users aware of the implications of changing these settings within the context of using the application and before the changes are committed.”
- “A Trojan Horse meets the definition of virus that most people use, in the sense that it attempts to infiltrate a computer without the user’s knowledge or consent.”
The EULA does not confer carte blanche
Some readers believe that the Windows EULA (End User License Agreement) allows Microsoft to apply updates at will. An anonymous reader writes:
- “It states in the EULA that Microsoft has every right to do whatever it wants to its operating system. You have limited rights and only those rights that Microsoft gives you, and Microsoft may add, change, or delete them as it pleases. When you buy a computer with the Microsoft operating system, you agree to these terms.”
The EULA for Windows XP Pro states:
- “The Software features described below are enabled by default to connect via the Internet to Microsoft computer systems automatically, without separate notice to you. You consent to the operation of these features, unless you choose to switch them off or not use them.”
Furthermore, regardless of what the EULA may theoretically allow, this is a matter of trust. If a majority of users believe they have set their permissions in the Automatic Updates control panel to prevent certain actions, then Microsoft should respect those preferences. At the very least, Microsoft should notify users in clear, unambiguous language of any changes that may be needed. The notification should also include a link to a Knowledge Base article so users can make informed decisions. The silent installs by Windows Update have no KB article explaining them.
Use Firefox but report IE 7 as your browser
In the Sept. 13 Known Issues column, a reader suggested installing IE Tab, an add-on that lets you run Windows Update from within Firefox. (WU normally requires IE.) But other readers said this approach is no different from running IE 7, including all of its vulnerabilities.
Reader Richard Carter recommends what he considers a better alternative to IE Tab:
- “It is not necessary to change rendering engines; simply reporting that you are using IE appears sufficient for the Windows updates I have tried.
“The Firefox add-on User Agent Switcher lets you select what browser you wish to report to the world. Select IE 7, and Windows Update seems to work fine.”
Various people in our office tested User Agent Switcher with Windows Update and its sibling, Microsoft Update (which also upgrades MS Office apps). It worked just fine with both Firefox 126.96.36.199 and the recently released 188.8.131.52.
To install User Agent Switcher, go to the Firefox add-ons site. Click Install Now. The installer will restart Firefox when finished or prompt you to do so before the changes will take effect.
To add the User Agent Switcher button to your Firefox toolbar, right-click the toolbar and choose Customize. Drag the User Agent icon to where you want it. When selected, it offers a drop-down menu from which you can choose the browser you want to report.
Readers Harmer, Kitt, Scott W., and Carter will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
The Known Issues column brings you readers’ comments on our recent articles. Virginia Culler is managing editor of WindowsSecrets.com. Editorial assistant Diane Korngiebel contributed to this article.