Readers state concerns over Windows Update

By Virginia Culler

The Sept. 13 issue of Windows Secrets reported that Windows Update sometimes installs files without notice, even if auto-install has supposedly been disabled.

Many readers are dismayed to learn that their control over their computers is compromised and are asking how they can prevent this in the future.

Stability issues raised in update’s wake

The Sept. 13 issue of Windows Secrets revealed that Windows Update has been installing some files silently, despite the fact that users have selected a “do not install” option in the Automatic Updates control panel. Many readers wondered why their firewalls did not bar Microsoft’s activity. The answer is that the Windows Update Agent initiated the contact to Microsoft’s servers. The resulting file download, therefore, appeared to be an expected response.

Other readers asked if they could — or should — configure their firewalls to reject Microsoft downloads. A reader named Scott W. writes:
  • “Would you be able to publish a list of DNS names and IP addresses that Microsoft uses for Windows Update? I want to block the IP addresses in my router firewall, and I want to disable the DNS names (just in case they change the IP addresses of Windows Update) in my DNS server.”
While it’s possible to block all Microsoft IPs, it’s not an action anyone here would recommend as appropriate for readers.

First, there would always be new server IP addresses that would need to be added to the blockade. An extensive list of entries recently provided in the KezNews forum can give you an idea of how long your table might become — unless you want to use wildcards to block anything originating from the Microsoft domain.

Second, the burden would fall squarely on the end user to determine what needed to be blocked and what didn’t. This is far too labor-intensive a solution for most companies, and it may cause unforeseen problems.

If you’re really concerned, an easier workaround that simply involves clicking Turn off Automatic Updates is provided in this issue’s Top Story.
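
Why the firewalls let the download through, and why a hand-kept IP block list goes stale, shown as an added example that is not from the original article. It is a simplified model of a personal firewall's connection tracking, not any vendor's implementation; the addresses, ports and names are constructed.

```python
from dataclasses import dataclass, field

PC = "192.168.1.10"            # constructed LAN address
UPDATE_A = "203.0.113.20"      # constructed stand-ins for update servers
UPDATE_B = "203.0.113.21"      # (RFC 5737 documentation range)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool             # True = leaving the PC

@dataclass
class StatefulFirewall:
    """Allow outbound, drop unsolicited inbound, optional outbound deny list."""
    deny_dst: set = field(default_factory=set)
    flows: set = field(default_factory=set)

    def verdict(self, p: Packet) -> str:
        if p.outbound:
            if p.dst in self.deny_dst:
                return "DROP"
            # Remember the flow so the reply can be matched later.
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        # Inbound is accepted only as the mirror image of a tracked flow.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ALLOW"
        return "DROP"

def run_scenarios() -> dict:
    fw = StatefulFirewall()
    results = {}
    # 1. A server pushes a file with no prior request from the PC.
    results["unsolicited_push"] = fw.verdict(Packet(UPDATE_A, 443, PC, 50001, False))
    # 2. The update agent on the PC opens the connection; the download is the reply.
    results["agent_request"] = fw.verdict(Packet(PC, 50002, UPDATE_A, 443, True))
    results["download_reply"] = fw.verdict(Packet(UPDATE_A, 443, PC, 50002, False))
    # 3. Deny list naming only the address known today.
    fw = StatefulFirewall(deny_dst={UPDATE_A})
    results["listed_server"] = fw.verdict(Packet(PC, 50003, UPDATE_A, 443, True))
    results["new_server"] = fw.verdict(Packet(PC, 50004, UPDATE_B, 443, True))
    return results

if __name__ == "__main__":
    for name, v in run_scenarios().items():
        print(f"{name:18} {v}")
```

The download is dropped only when it arrives unrequested; once the agent on the PC opens the connection, the same traffic is a reply to a tracked flow, and a deny list stops working the moment a server answers from an address that is not yet on it.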

Microsoft disregards its own definitions

Rob Harmer pointed out that Windows Update’s stealthy behavior was in breach of Microsoft’s own Aero User Experience Guidelines for Privacy and Security (produced by the Microsoft User Experience Group in October 2003). The policy states:
  • “Be secure by default. Application settings that could compromise user security should be switched off by default. Make users aware of the implications of changing these settings within the context of using the application and before the changes are committed.”
Reader Ernie Kitt writes that Microsoft’s own definition of a Trojan Horse could easily apply to the silent patches applied by Windows Update. According to Microsoft:
  • “A Trojan Horse meets the definition of virus that most people use, in the sense that it attempts to infiltrate a computer without the user’s knowledge or consent.”
Thanks for your diligence, Rob and Ernie!

The EULA does not confer carte blanche

Some readers believe that the Windows EULA (End User License Agreement) allows Microsoft to apply updates at will. An anonymous reader writes:
  • “It states in the EULA that Microsoft has every right to do whatever it wants to its operating system. You have limited rights and only those rights that Microsoft gives you, and Microsoft may add, change, or delete them as it pleases. When you buy a computer with the Microsoft operating system, you agree to these terms.”
Unfortunately, none of the readers who made this claim actually quoted the EULA. However, eWeek journalist Joe Wilcox published an analysis of the Vista EULA, and found no passage that gives Microsoft the right to update your computer without your consent.

The EULA for Windows XP Pro states:
  • “The Software features described below are enabled by default to connect via the Internet to Microsoft computer systems automatically, without separate notice to you. You consent to the operation of these features, unless you choose to switch them off or not use them.”
Given that last sentence, it’s hard to see what part of “don’t automatically download or install” Microsoft doesn’t understand.

Furthermore, regardless of what the EULA may theoretically allow, this is a matter of trust. If a majority of users believe they have set their permissions in the Automatic Updates control panel to prevent certain actions, then Microsoft should respect those preferences. At the very least, Microsoft should notify users in clear, unambiguous language of any changes that may be needed. The notification should also include a link to a Knowledge Base article so users can make informed decisions. The silent installs by Windows Update have no KB article explaining them.

Use Firefox but report IE 7 as your browser

In the Sept. 13 Known Issues column, a reader suggested installing IE Tab, an add-on that lets you run Windows Update from within Firefox. (WU normally requires IE.) But other readers said this approach is no different from running IE 7, including all of its vulnerabilities.

Reader Richard Carter recommends what he considers a better alternative to IE Tab:
  • “It is not necessary to change rendering engines; simply reporting that you are using IE appears sufficient for the Windows updates I have tried.

    “The Firefox add-on User Agent Switcher lets you select what browser you wish to report to the world. Select IE 7, and Windows Update seems to work fine.”
Thanks, Richard! User Agent Switcher adds a menu and a toolbar button that let you switch the way the browser identifies itself to Web sites. According to Mozilla’s Web site, User Agent Switcher is designed for Firefox, Flock, Mozilla, and Seamonkey. The add-on will run on any platform that these browsers support, including Windows, Mac OS X, and Linux. It supports Firefox versions 1.0 through 2.0.0.x.

Various people in our office tested User Agent Switcher with Windows Update and its sibling, Microsoft Update (which also upgrades MS Office apps). It worked just fine with both Firefox 2.0.0.6 and the recently released 2.0.0.7.

To install User Agent Switcher, go to the Firefox add-ons site. Click Install Now. The installer will restart Firefox when finished or prompt you to do so before the changes will take effect.

To add the User Agent Switcher button to your Firefox toolbar, right-click the toolbar and choose Customize. Drag the User Agent icon to where you want it. When selected, it offers a drop-down menu from which you can choose the browser you want to report.

Readers Harmer, Kitt, Scott W., and Carter will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.

The Known Issues column brings you readers’ comments on our recent articles. Virginia Culler is managing editor of WindowsSecrets.com. Editorial assistant Diane Korngiebel contributed to this article.

All Windows Secrets articles posted on 2007-09-20: