Stealth Windows Update auto-installed w/o consent
Submitted by AngusSF
AngusSF writes "I'm running a little program called Tiny Watcher (http://www.donationcoders.com/kubicle/watcher/) that is a sort of poor man's freeware HIDS (XP Pro SP2, IE6). Once a night I run it on a test system looking for stuff that has changed in critical areas, and recently it notified me that two files, wups.dll and wups2.dll, in the system32 directory had changed. I finally got around to investigating this and I found that even though I have Automatic Updates set to "Notify", this update was installed stealthily at 3:30 one morning.
I found a thread on the Microsoft Community groups which sort-of discusses this:
Critical Update slipped in through the back door — in Announcements
http://preview.tinyurl.com/39gsrr — the full URL is a 281-character monster:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.private.security.spyware.announcements&tid=26e8ce20-718f-44aa-bfcf-06cc172998da&cat=en_US_35183423-7a58-4c2c-881c-9287110c8cfb&lang=en&cr=US&sloc=en-us&m=1&p=1&mid=d4954b09-f430-47c2-9a69-f7eb81d9a960
Here's an excerpt:
Well, it certainly appears that Microsoft is installing updates without permission or consent. I have Windows Update set to "Notify" (XP Pro SP2, IE6), and I run WU manually. The date-time stamp of the directory where wups.dll v7.0.6000.381 is loaded (C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\ for the curious) is 8/24/07. When I check "Installed Updates" on the WU site I see that I ran WU on 8/15 (for August's Black Tuesday) and again on 8/29 (for KB933360). I checked all of the updates that occurred after the 7/30 date-time stamp of wups.dll and wups2.dll, and none of them list either file in the "File Information" section for Windows XP.
Interestingly a search at microsoft.com for "wups.dll 7.0.6000.381" turns up NOTHING while a search for "wups.dll 7.0.6000.374" turns up a couple of hits, one of which is this KB article "When you use Automatic Updates to scan for updates or to apply updates to applications that use Windows Installer, you experience issues that involve the Svchost.exe process" http://support.microsoft.com/default.aspx/kb/932494 ...
I checked my Event Viewer log for anything interesting on 8/24 and I found an entry at 3:34 AM where the Windows Update Agent installed _something_:
>> Installation Successful: Windows successfully installed the following update: Automatic Updates
All of the other "Windows Update Agent" Event-19 entries in the System Log include a KB number in the event listing:
>> Installation Successful: Windows successfully installed the following update: Update for Windows XP (KB933360)
I checked on other XP desktops I have handy, all of which are also set to "Notify" _AND_ all of which have non-Admin users and I see date-time stamps from 8/21 through 8/24 for the wups.dll install-directories %SYS32%\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\.
This update is particularly disturbing. I find it both curious and very annoying that Microsoft still hasn't learned not to sneak around behind people's backs.
I'm curious, does anyone running a WSUS server on their network also have this stealth update on any of their systems? Is this something that was also distributed through WSUS or is this just something that was installed by folks running WU directly from Microsoft?
TIA
Angus"
"dean-dean" wrote:
> Windows Update Software 7.0.6000.381 is an update to Windows Update
> itself. It is an update for both Windows XP and Windows Vista. Unless
> the update is installed, Windows Update won't work, at least in terms of
> searching for further updates. Normal use of Windows Update, in other
> words, is blocked until this update is installed.....
> In XP, it updates the following system32 files to version 7.0.6000.381:
>
> wuweb.dll
> wuaueng.dll
> wuapi.dll
> wucltui.dll
> wuaucpl.cpl
> cdm.dll
> wuauclt.exe
> wups2.dll
> wups.dll
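The check described in the post (matching changed system32 files against Windows Update Agent Event 19 entries and noting which entries carry no KB number) can be scripted. This is an added example, not part of the original submission: the records are constructed sample data modelled on the post, and the tuple layout, `example.dll`, the file-change times and the 30-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

KB_RE = re.compile(r"\(KB\d+\)")
PREFIX = "Windows successfully installed the following update: "

# Constructed sample records modelled on the post; not a real log export.
EVENTS = [  # (time, source, event id, message)
    ("2007-08-24 03:34", "Windows Update Agent", 19, PREFIX + "Automatic Updates"),
    ("2007-08-29 21:10", "Windows Update Agent", 19,
     PREFIX + "Update for Windows XP (KB933360)"),
]
CHANGES = [  # (detected change time, file) as a nightly watcher might report
    ("2007-08-24 03:33", r"C:\WINDOWS\system32\wups.dll"),
    ("2007-08-24 03:33", r"C:\WINDOWS\system32\wups2.dll"),
    ("2007-08-26 14:00", r"C:\WINDOWS\system32\example.dll"),  # hypothetical file
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def installs(events):
    """Yield (time, title, has_kb) for Windows Update Agent Event 19 entries."""
    for when, source, event_id, msg in events:
        if source == "Windows Update Agent" and event_id == 19 and PREFIX in msg:
            title = msg.split(PREFIX, 1)[1].strip()
            yield ts(when), title, bool(KB_RE.search(title))

def classify(changes, events, window=timedelta(minutes=30)):
    """Label each file change by the nearest install event inside the window."""
    inst = list(installs(events))
    out = {}
    for when, path in changes:
        t = ts(when)
        near = [(abs(t - it), title, kb) for it, title, kb in inst
                if abs(t - it) <= window]
        if not near:
            out[path] = "unexplained"  # no install event accounts for the change
        else:
            _, title, kb = min(near)
            out[path] = ("kb-labelled: " if kb else "no-kb: ") + title
    return out

if __name__ == "__main__":
    for path, verdict in classify(CHANGES, EVENTS).items():
        print(f"{verdict:30} {path}")
```

A "no-kb" verdict corresponds to the "Automatic Updates" entry the post singles out; "unexplained" means no install event falls within the window at all.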