- In 2005 USB drives became popular and malware started using them to propagate.
- Even three years after malware started actively using this method to infect customers, Microsoft refused to accept the reality of the problem and kept AutoRun enabled by default in its Windows operating systems. In 2008 Microsoft documented a way of disabling AutoRun via Group Policy or manual registry entries (the NoDriveTypeAutoRun value), but the workaround did not work: even with AutoRun “disabled”, users were still open to attack via the AutoRun infection vector.
- In July 2008 Microsoft published MS08-038, which “fixed the broken fix”, but this was only available via Windows Update for Windows Vista and Windows Server 2008. Instead of patching XP users as well, it left the problem unsolved there, in what some might consider a business strategy to sell more Vista licenses.
- Towards the end of 2008 Conficker showed up, taking advantage of the AutoRun feature in a way not seen before. It created an autorun.inf file whose content looked like garbage yet was fully functional, since the INI parser simply skips the lines it cannot interpret and still honours the valid [autorun] keys. All the Microsoft-recommended workarounds to date (the NoDriveTypeAutoRun policies) continued to be useless against malware exploits.
- In early 2009, and due to Conficker’s success, Microsoft corrected a bug (CVE-2009-0243) that fixed part of the previous problem; the fix was pushed out automatically to all Windows XP users. Amazingly it wasn’t considered a “security patch” and has no associated Microsoft Security Bulletin. In addition the patch changed the behaviour of AutoRun: after it is applied, a new registry entry exists which has to be configured correctly by hand. Effectively AutoRun continued to be a problem for the vast majority of users.
- In mid-2009 there seemed to be some light at the end of the tunnel: Microsoft decided to improve the security of AutoRun on writeable removable media by no longer offering the autorun.inf action in the AutoPlay dialog for USB drives. However this was only included by default in Windows 7. Windows XP users, still by far the most widely used platform, had to manually download and install KB971029. From the point of view of protecting XP users from malware infection this move was effectively useless. Again some might consider it a business-driven decision to “keep security low in XP in order to drive sales of the more secure Windows 7”.
- In July 2010 Stuxnet shocked the world. It propagated via USB drives without requiring an autorun.inf file at all, using a zero-day vulnerability in the handling of .LNK (shortcut) files that allowed code execution even with AutoRun and AutoPlay disabled; Microsoft promptly patched it.
- Finally, in February 2011, Microsoft decided to push an update via Windows Update that fixes the problem for operating systems prior to Windows 7.
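The registry values this timeline keeps coming back to can be audited and set from PowerShell. The following is an added example, not code from the original post or from Microsoft: it reads the NoDriveTypeAutoRun bitmask under both the machine and the user Policies\Explorer keys, reports which drive types still have AutoRun enabled, and (when run elevated) sets the mask to 0xFF together with HonorAutorunSetting=1, the value the XP/2003 AutoRun update introduced and which must be 1 for the mask to be honoured on those systems. The function names and the bit labels are mine; the bit meanings are the documented NoDriveTypeAutoRun semantics.

```powershell
# Added example (not from the original post): audit and harden the AutoRun policy.
# Assumptions: run as an administrator for the HKLM hive; a host at or beyond the
# 2009 AutoRun update level, where NoDriveTypeAutoRun is actually honoured.

# Bit -> drive type. A SET bit DISABLES AutoRun for that type. Windows' default
# when the value is absent is 0x91 (unknown, network, and no-root-dir drives only),
# which leaves removable media (0x04) and CD-ROMs (0x20) wide open.
$DriveTypeBits = @{
    0x04 = 'Removable (USB sticks, floppies)'
    0x08 = 'Fixed'
    0x10 = 'Network'
    0x20 = 'CD-ROM'
    0x40 = 'RAM disk'
    0x80 = 'Unknown / reserved'
}

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunPolicyState {
    # One report line per hive: the raw mask, the honour flag, and the drive
    # types for which AutoRun is still allowed.
    foreach ($path in $PolicyPaths) {
        $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
        $mask  = $props.NoDriveTypeAutoRun
        if ($null -eq $mask) { $mask = 0x91 }   # absent value == Windows default
        $stillEnabled = @()
        foreach ($bit in ($DriveTypeBits.Keys | Sort-Object)) {
            if (-not ($mask -band $bit)) { $stillEnabled += $DriveTypeBits[$bit] }
        }
        New-Object PSObject -Property @{
            Hive                   = $path.Split(':')[0]
            NoDriveTypeAutoRun     = ('0x{0:X2}' -f $mask)
            HonorAutorunSetting    = $props.HonorAutorunSetting
            AutoRunStillEnabledFor = ($stillEnabled -join ', ')
        }
    }
}

function Set-AutoRunDisabled {
    # 0xFF disables AutoRun for every drive type; HonorAutorunSetting=1 makes the
    # post-update XP/2003 code path respect that mask at all.
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun  -Value 0xFF -Type DWord
        Set-ItemProperty -Path $path -Name HonorAutorunSetting -Value 1    -Type DWord
    }
}

# Usage: audit first, harden, then audit again.
Get-AutoRunPolicyState | Format-Table -AutoSize
Set-AutoRunDisabled
Get-AutoRunPolicyState | Format-Table -AutoSize
```

After `Set-AutoRunDisabled`, Explorer needs to be restarted (or the user logged off and on) before the new mask takes effect; and note that this policy only governs autorun.inf handling, so it does nothing against the .LNK icon-parsing bug that Stuxnet used.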
One of my home machines is Windows 7 Enterprise x64. A few days ago an interesting thing started happening. The Windows Update (WU) tray icon is notifying me that there is a new “Important Update” that needs to be installed. I have it configured for manual update because I want to decide what gets installed and what doesn’t. So I open the WU console and look at the details of the “Important Update” and, to my surprise, it’s not an update at all but rather a bunch of new software which I don’t want in the first place and which isn’t already installed on my machine, so there is nothing to update.
It seems Microsoft is resorting to using WU to push unwanted software, kind of like adware, spyware and rogue software do. I guess if you can’t convince users to download and install your software, the next best thing is to push it down their throats whether they like it or not. Nice move MSFT!
I decide to un-check the “Important Update” and forget about it. But to my (second) surprise, the WU notification in the tray does not disappear as it normally does when you decide not to install an update. I open the WU console again and, surprise surprise, the “Important Update” is still there, checked by default (even though I already told it I don’t want it), ready to be installed as soon as a user hits the “Install Updates” button.
The “important” software bundle is named Windows Live Essentials 2011 and, at 160 MB, includes the following:
– Photo Gallery
– Movie Maker
– Family Safety
– Windows Live Mesh
– Messenger Companion
– Microsoft Outlook Hotmail Connector
– MS Outlook Social Connector Provider for Messenger
– Microsoft Silverlight
Searching around a bit I found a couple of interesting blog posts by Microsoft. One here says that the install will only be shown as a “Recommended Update” or even an “Optional Update”, which is not true, as it is showing as an “Important Update”. More interestingly, here and here there are hundreds of users complaining not only about the tactics of the installation but also about the buggy software and how this “update” has changed their preferences, lost their business contacts, removed functionality they previously used in other software, etc.
This is wrong on so many levels that I’m still amazed that such a respectable company can get away with it.
a) Microsoft is conveniently confusing “updating” with “installing” and using WU for its own business benefit. WU should only be used for updating software and drivers already on the machine, not for installing completely new software which the user didn’t ask for and which in some cases replaces non-Microsoft software the user chose and already installed.
b) The tactics for installing this software bundle are less than ethical. Microsoft has configured it so that it tries to install again and again, even if WU is configured to let the user choose which updates s/he wants and even if the user already chose not to install it. Even if you’re one of the lucky ones who has WU set to manual, chances are that the next time Microsoft releases some real security updates, Windows Live Essentials 2011 will be installed along with them, as it is checked by default. This is suspiciously close to how adware and spyware behave.
c) Is this the type of behaviour we are to expect from Microsoft’s WU in the future? What’s to stop them from changing your browser, your Office, your settings, your search engine provider, your preference for other software, etc. and replacing them with their own? What if I don’t want Silverlight, the Bing toolbar, Writer or any of that other software? I have already chosen other software or services to perform those tasks. Is Microsoft ignoring user decisions and imposing its own software without anybody stopping it? What if we did the same and started installing Chrome and disabling Internet Explorer on all our users’ machines, citing “security reasons” for the change?
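The “checked by default” behaviour and the risk of a bundle riding along with real security updates can both be inspected from the Windows Update Agent COM API rather than the WU console. The following is an added example and not code from the original post or from Microsoft: it lists every update WU is currently offering, shows which ones WU has pre-selected (the `AutoSelectOnWebSites` flag, which is what the UI renders as a ticked checkbox) and whether each carries an MSRC security severity, and hides anything whose title matches a pattern. Hiding, unlike un-checking, is persisted by the agent. The function names and the title pattern are mine; `Microsoft.Update.Session` and the `IUpdate` properties used are the documented WUA API.

```powershell
# Added example (not from the original post): see what Windows Update is pushing
# and hide an unwanted item so it stops coming back ticked.
# Assumption: run elevated; IUpdate.IsHidden can only be changed by an administrator.

function Get-PendingUpdateReport {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Everything offered that is neither installed nor already hidden.
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        $hasSeverity = -not [string]::IsNullOrEmpty($u.MsrcSeverity)
        New-Object PSObject -Property @{
            Title                 = $u.Title
            KB                    = (($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',')
            PreSelected           = $u.AutoSelectOnWebSites   # ticked by default in the WU UI
            MsrcSeverity          = $(if ($hasSeverity) { $u.MsrcSeverity } else { '(none)' })
            SizeMB                = [math]::Round($u.MaxDownloadSize / 1MB, 1)
            # Pre-selected yet carrying no security severity: the kind of item that
            # would be installed alongside genuine security fixes if you just hit Install.
            PreSelectedNonSecurity = ($u.AutoSelectOnWebSites -and -not $hasSeverity)
        }
    }
}

function Hide-UpdateByTitle {
    param([Parameter(Mandatory=$true)][string]$Pattern)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        if ($u.Title -like $Pattern) {
            $u.IsHidden = $true          # persisted by the agent, unlike un-checking in the UI
            "Hidden: $($u.Title)"
        }
    }
}

# Usage: review what is pending, then hide the bundle named in this post.
Get-PendingUpdateReport |
    Sort-Object PreSelectedNonSecurity -Descending |
    Format-Table Title, KB, PreSelected, MsrcSeverity, SizeMB, PreSelectedNonSecurity -AutoSize
Hide-UpdateByTitle -Pattern 'Windows Live Essentials*'
```

A missing `MsrcSeverity` does not by itself mean an update is junk (non-security quality updates have none either), so treat `PreSelectedNonSecurity` as a prompt to read the title and KB, not as a verdict. Hidden updates can be brought back from the WU console’s “Restore hidden updates” view, so this is reversible.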