Monday, September 17, 2007

Microsoft updates Windows XP and Vista without user permission or notification

Microsoft has admitted that it has updated nine executable files in XP and Vista on users' machines even when they have turned off automatic updates. These files are part of the Windows Update feature itself. Corporate users who use SMS rather than Windows Update for OS patches are not affected.

Bruce Schneier raises the question of whether this ability to force updates could be exploited by a third party. I would hope that such updates are digitally signed, so that they can only come from Microsoft, but a commenter at Schneier's blog notes that even if that is the case, a potential vulnerability is still created:

There may be an attack vector, even if the updates are signed by Microsoft. The signed updates would always be silently accepted. If Microsoft ever signs an update which later turns out to be vulnerable to some attack (this has happened before with signed ActiveX components), an attacker could re-push this vulnerable update and introduce a known vulnerability into the target system.

Another commenter notes that this feature could be used by law enforcement to install a keylogger on a machine, if Microsoft agreed to do it.
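The replay risk the commenter describes comes down to an updater whose only check is "does this carry a valid vendor signature?" The following is an added illustration, not code from this post and not Windows Update's actual logic: it contrasts that signature-only policy with one that also enforces a monotonic version rule and a revocation list, so that a genuinely signed but superseded package cannot move the machine backwards. The signing key, the component name "updater-component", the version numbers and the package contents are all constructed for the example, and HMAC-SHA256 stands in for the asymmetric signature a real update channel would use.

```python
"""Constructed illustration of a signed-update replay and its mitigation.
Not Windows Update's real logic; all keys, names and versions are made up."""
import hashlib
import hmac
import json

# Constructed stand-in for the vendor's signing key. A real update channel uses
# an asymmetric signature (the client holds only the public key); HMAC-SHA256 is
# used here purely to keep the example stdlib-only.
VENDOR_KEY = b"constructed-vendor-signing-key"


def _canonical(package: dict) -> bytes:
    # Sign a canonical serialisation so field order cannot change the digest.
    return json.dumps(package, sort_keys=True).encode()


def sign_update(package: dict) -> dict:
    """Vendor side: wrap a package with a signature over its canonical form."""
    sig = hmac.new(VENDOR_KEY, _canonical(package), hashlib.sha256).hexdigest()
    return {"package": package, "signature": sig}


def signature_valid(update: dict) -> bool:
    """Client side: recompute the tag and compare in constant time."""
    expected = hmac.new(VENDOR_KEY, _canonical(update["package"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, update["signature"])


def accept_signature_only(installed_version: tuple, update: dict) -> tuple:
    """Weak policy: a valid vendor signature is the only check. Anything the
    vendor ever signed, including a build later found to be vulnerable, is
    accepted no matter what is already installed."""
    if not signature_valid(update):
        return False, "bad signature"
    return True, "ok"


def accept_with_rollback_protection(installed_version: tuple, update: dict,
                                    revoked_versions: set) -> tuple:
    """Hardened policy: signature first, then an explicit revocation list for
    builds the vendor has withdrawn, then a monotonic version rule so a signed
    package can never downgrade the machine."""
    if not signature_valid(update):
        return False, "bad signature"
    version = tuple(update["package"]["version"])
    if version in revoked_versions:
        return False, "revoked version"
    if version < installed_version:
        return False, "downgrade rejected"
    return True, "ok"


# --- Constructed scenario ---------------------------------------------------
# v1 of the updater component was legitimately signed and shipped, then found
# to be vulnerable; v2 is the fix. Both signatures are genuine vendor signatures.
V1 = sign_update({"component": "updater-component", "version": [1, 0, 0],
                  "payload": "v1-bits"})
V2 = sign_update({"component": "updater-component", "version": [2, 0, 0],
                  "payload": "v2-bits"})
INSTALLED = (2, 0, 0)
REVOKED = {(1, 0, 0)}


def replay_outcomes() -> dict:
    """Push the superseded v1 package through both policies, plus a tampered
    copy of it, and report (accepted, reason) for each case."""
    tampered = {"package": dict(V1["package"], payload="modified-bits"),
                "signature": V1["signature"]}
    return {
        # Signature-only policy: the old signed build is silently accepted.
        "weak_replay": accept_signature_only(INSTALLED, V1),
        # Hardened policy: caught by the revocation list ...
        "hardened_replay": accept_with_rollback_protection(INSTALLED, V1, REVOKED),
        # ... and, even without a revocation entry, by the version rule.
        "hardened_replay_unrevoked": accept_with_rollback_protection(INSTALLED, V1, set()),
        # The current build still installs under the hardened policy.
        "hardened_current": accept_with_rollback_protection(INSTALLED, V2, REVOKED),
        # Modifying a signed package breaks the signature under either policy.
        "weak_tampered": accept_signature_only(INSTALLED, tampered),
    }


if __name__ == "__main__":
    for name, (ok, reason) in replay_outcomes().items():
        print(f"{name:26} accepted={ok} ({reason})")
```

The point of the two extra checks is that signature verification answers only "did the vendor sign this?", never "should this machine run it now?"; a minimum-version rule and a revocation list are what turn a once-valid package into a rejected one.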
