Microsoft wants to infect your computer?!?

There’s an article over at New Scientist about a “new” technique Microsoft is looking at for delivering patches.  Researchers are looking into distributing patches through a network similar to that of a worm.  These ‘friendly’ worms would use advanced strategies to identify and ‘infect’ computers on a network, and then install the appropriate patches into that system.

On one hand, this looks like it may be a good idea.  In theory, it reduces load on update servers, and it may help to patch computers that would otherwise go un-patched.  Microsoft claims that this technique would spread patches faster and reduce overall network load.

Back in 2003, the now infamous Blaster worm was released.  Blaster took advantage of a buffer overflow in Microsoft’s implementation of RPC.  Once infected, the computer was set to perform a SYN flood attack against Microsoft’s update site,

Shortly after the release of Blaster, a different sort of worm was released, Welchia.  Welchia, like Blaster, took advantage of the RPC bug.  Unlike blaster, however, Welchia attempted to patch the host computer with a series of Microsoft patches.  It would also attempt to remove the Blaster work, if it existed.  Finally, the worm removed itself after 120 days, or January 1, 2004.

Unfortunately, the overall effect of Welchia was negative.  It created a large amount of network traffic by spreading to other machines, and downloading the patches from Microsoft.

The Welchia worm is a good example of what can happen, even when the creator has good intentions.  So, will Microsoft’s attempts be more successful?  Can Microsoft build a bullet-proof worm-like mechanism for spreading patches?  And what about the legality aspect?

In order to spread patches this way, there needs to be some entry point into the remote computer system.  This means a server of some sort must be running on the remote computer.  Is this something we want every Windows machine on the planet running?  A single exploit puts us back into the same boat we’ve been in for a long time.  And Microsoft doesn’t have the best security track record.

Assuming for a moment, however, that Microsoft can develop some sort of secure server, how are the patches delivered?  Obviously a patch-worm is released, likely from Microsoft’s own servers, and spreads to other machines on the Internet.  But, many users have firewalls or NAT devices between themselves and the Internet.  Unless those devices are specifically configured to allow the traffic, the patch-worm will be stopped in it’s tracks.  Corporate firewalls would block this as well.  And what about the bandwidth required to download these patches?  Especially when we’re talking about big patches like service packs.

If the patch-worm somehow makes it to a remote computer, what validation is done to ensure it’s authenticity?  Certificates are useful, but they have been taken advantage of in the past.  If someone with malicious intent can hijack a valid session, there’s no telling what kind of damage can be done.

How will the user be notified about the patch?  Are we talking about auto-install?  Will warning boxes pop up?  What happens when the system needs to be rebooted?

And finally, what about the legal aspects of this?  Releasing worms on the Internet is illegal, and punishable with jail time.  But if that worm is “helpful”, then do the same rules apply?  Network traffic still increases, computer resources are used, and interruptions in service may occur as a result.


All I can say is this: This is *my* computer, keep your grubby mitts off it.


Imagine this. You turn on your computer and, unbeknownst to you, someone starts changing your files. Ok, so maybe it’s not so tough to imagine these days with all of the viruses, trojans, and hackers out there. But what if the files were being changed by someone you trusted? Well, maybe not someone you trust, but someone that should know better.

On August 24th, this exact scenario played out. All across the globe, files in Windows XP and Vista installations were modified with no notice, and no permission. But, this can easily be explained by the Windows Automatic Update mechanism, right? Wrong. The problem here, is that these updates were installed, regardless of the Automatic Update setting. Yep, you heard that right. These files were updated, even if you did not have automatic updates set to download or install updates.

This story was first broken by Windows Secrets on September 13th. The update seems to center around the Automatic Update feature itself. Nate Clinton, Program Manager for Microsoft’s Windows Update group wrote a blog entry about how and why Windows Update updates itself. Basically, the claim is that these updates are installed automatically because without them, Automatic Updates would cease to work, leaving the user with a false sense of security. He goes on to say that this type of stealth updating has been occurring since Automatic Updates was introduced. Finally, he mentions that these files are not updated if Automatic Updates are disabled.

This type of stealth updating is very disconcerting as it means that Microsoft is willing to update files without notifying the user. And while they state that Windows Update is the only thing being updated in this fashion, how can we believe them? What’s to prevent them from updating other files? Are we going to find in the future that our computers are automatically updated with new forms of DRM?

While I applaud Microsoft for wanting to keep our computers safe, and trying to ensure that the user doesn’t have a false sense of security, I disagree strongly with the way they are going about it. This is a very slippery slope, and can lead quickly into questionably legal territory. Should Microsoft have the right to change files on my computer without permission? Have they received permission already because I am using the update software? Unfortunately, there are no clear cut answers to these questions.

It’ll be interesting to see what happens from here as this has become somewhat of a public issue. Will Microsoft become more forthcoming with these updates, or will they proceed with stealth installations? Regardless, I don’t expect to see much of a reprisal because of this issue. It’s unfortunate, but for the most part, I don’t think most users actually care about issues such as this. In fact, most of them probably aren’t aware. Thankfully for those of us that do care, there are people out there keeping an eye out for issues like this.