Experts Astonished to Learn Windows Update Updates Itself
A Microsoft program manager found himself conducting a tricky bit of PR yesterday, providing for his team's blog a lengthy explanation of a documented feature in Windows that independent researchers discovered only this week: the ability for the Windows Update service to update itself, even when the user's setting for Automatic Updates is "off." Researchers had charged the company with updating software on users' systems without their consent.
"Windows Update is a service that primarily delivers updates to Windows," the Update service's program manager Nate Clinton wrote yesterday. "To ensure on-going service reliability and operation, we must also update and enhance the Windows Update service itself, including its client side software. These upgrades are important if we are to maintain the quality of the service."
The discovery, which came as news to many, is that the Windows Update service (known internally as WSUS) updates itself through a separate channel, managed through Internet Information Services. While turning off Automatic Updates makes certain Windows doesn't receive any general update downloads without the user's consent or knowledge, WSUS still checks for updates, including those meant for itself. It can then - and typically will - update itself anyway.
"It's surprising that these files can be changed without the user's knowledge," wrote Scott Dunn for WindowsSecrets.com earlier this week. "The Automatic Updates dialog box in the Control Panel can be set to prevent updates from being installed automatically. However, with Microsoft's latest stealth move, updates to the WU executables seem to be installed regardless of the settings - without notifying users."
As it turns out, Dunn may have been looking in the wrong place. A brief check of the table of contents on Microsoft's TechNet reveals a page entitled, "Automatic Updates Must Be Updated." Though there is no explicit sentence here that says, "By the way, the IIS-marshaled update channel still functions even when the option in this dialog box is set to 'Turn off Automatic Updates,'" a fairly knowledgeable person reading this page should be able to deduce that this self-update channel is separate and operative.
But should it be? Shouldn't there be a way for the user to say, "I don't want updates, and I mean I don't want updates!" As it turns out, there is. Using the Services panel in Computer Management, a user can very easily switch the active state of Automatic Updates from "Automatic" to "Stopped." A moderately skilled administrator - or certainly any administrator who legitimately received his or her certification - should also be able to disengage WSUS by stopping its service host from the command line.
An administrative guide to deploying and administering WSUS in networks appears on Microsoft TechNet. Although this may not be the most often accessed online documentation by general users, one will find there a page that existed well prior to this latest controversy. Under "Automatic Updates client self-update feature," there is the following: "Each time Automatic Updates checks the public Web site or internal server for updates, it also checks for updates to itself."
For larger configurations using Active Directory, there's also a group policy object for disengaging the self-updating feature. The use of GPOs for managing self-updating is fully documented in this white paper from TechNet.
The apparent abundance of information on the subject seemed to go unnoticed this week. As Scott Dunn wrote, "A search on Microsoft's Web site reveals no information at all on the stealth updates." Dunn went on to say that the files he discovered on his own system to have been updated without his knowledge - files which, incidentally, turn out to be the Windows Update service files themselves - were not listed on Windows Update and could not be downloaded manually by users.
As the TechNet documentation explains, this is because those files are updated via a separate channel. It would probably be as impossible for WSUS to update and replace itself through its ordinary update listings as it would be for an automobile to tune itself, or for the hero in "Terminator II" to self-terminate.
"The point of this explanation is not to suggest that we were as transparent as we could have been," wrote Microsoft's Nate Clinton yesterday. "To the contrary, people have told us that we should have been clearer on how Windows Update behaves when it updates itself. This is helpful and important feedback, and we are now looking at the best way to clarify WU's behavior to customers so that they can more clearly understand how WU works. At the same time, however, we wanted to explain the rationale for the product's behavior so our customers know what the service is doing: WU updates itself to make sure it continues to work properly."
Clinton went on to point out that WSUS updates itself only while the user is actively using Automatic Updates, whether it's set to automatic or manual. It does not pick some time out of the blue. That fact does appear to be missing from the documentation we've seen.
One prominent blogger yesterday, in presenting what he described as evidence of stealth updates, inadvertently proved Clinton's point. He showed screenshots of his event logs, which recorded WSUS updating itself. Those logs show the WSUS service was started at 4:52:43 pm, and the self-update process recorded as complete at 4:52:48 pm. (Good connection.) Of course, as some have noted, if the event was clearly recorded in the logs...it isn't exactly stealth.
Microsoft security engineer Mark Russinovich offered no comment on the affair to BetaNews yesterday, except to confirm our assessments and to add, "There's nothing nefarious going on."