Nerves Rattled By Highly Suspicious Windows Update Delivered Worldwide 217
An anonymous reader writes: If you're using Windows 7 you might want to be careful about which updates you install. Users on Windows forums are worried about a new "important" update that looks a little suspect. Ars reports: "'Clearly there's something that's delivered into the [Windows Update] queue that's trusted,' Kenneth White, a Washington DC-based security researcher, told Ars after contacting some of the Windows users who received the suspicious update. 'For someone to compromise the Windows Update server, that's a pretty serious vector. I don't raise the alarm very often but this has just enough characteristics of something pretty serious that I think it's worth looking at.'" UPDATE: Microsoft says there's nothing to worry about, the company "incorrectly published a test update."
I told you so. (Score:1)
This is exactly why I disabled updates. With all of the crap MS has been trying to forcefully push out after Malware 10 was released, you're safer without them.
Re: (Score:2, Interesting)
I told you so.
Somehow I don't believe you. Care to provide a link to the post in which you said that Microsoft would accidentally post a test package to the production Windows Update service?
Re: (Score:2, Insightful)
I told you so.
Somehow I don't believe you. Care to provide a link to the post in which you said that Microsoft would accidentally post a test package to the production Windows Update service?
Well, I don't know that the individual expressly posted that a suspicious update would happen, but unless Microsoft does something it has never ever done before, one of these days, an update that few have any option to do than let it happen, will create a huge mess.
Because unless you only use office, Microsoft updates constantly break things.
Re: (Score:2)
Because unless you only use office, Microsoft updates constantly break things.
Why would only using Office help? Office updates break things plenty often in my experience.
Re: (Score:2)
Because unless you only use office, Microsoft updates constantly break things.
Why would only using Office help? Office updates break things plenty often in my experience.
I probably should have said "simple stuff" as I haven't touched MS Office since the ribbon, except for PowerPoint. My bad.
Re: (Score:2)
I've had the opposite sort of "suspicious update" on a couple of machines - one that suspects it's not a real copy of windows so that you have to repeat product activation, then roll back updates and do a whole lot of new updates.
How many times do you want to reboot today?
Re: (Score:2)
I've had the opposite sort of "suspicious update" on a couple of machines - one that suspects it's not a real copy of windows so that you have to repeat product activation, then roll back updates and do a whole lot of new updates. How many times do you want to reboot today?
From what I've been told, it was an update that started that mess.
Re: (Score:3, Insightful)
As far as I am concerned from now on, every statement from M$ is potentially a lie, and ANY OS or program from M$ is potentially full of NSA backdoors and spyware, as well as the ever-present bugs. As far as anyone knows every M$ product all the way back to the first version of DOS was/is infested the same way!
M$, you are forever wiped from my computers and out of my life!!!
Re: (Score:2)
What do you mean by "from now on"? Were you ever under the impression that Microsoft was completely truthful, or completely free of government spyware? Microsoft is a large publicly held corporation, and as such can't be completely trusted.
As far as the first Microsoft OS goes, I'd be astonished to find there was government spyware. Personal computers then were almost never hooked up to any sort of network, and they weren't considered really important.
Re: (Score:2)
Don't those have signature checking?
Re: (Score:2)
The updates are signed, but the metadata is not.
But shit from the metadata can be executed.
http://www.contextis.com/media... [contextis.com]
Configuring SSL for WSUS (NOT the default, and NOT as simple as it should be) mitigates this by protecting the metadata from simple MITM attacks.
Re: (Score:2)
What do you have against cows? Was your mother a cow?
Re: (Score:2)
Mooo says the cow, MOOO
It was a test update (Score:4, Informative)
http://www.zdnet.com/article/microsoft-accidentally-issued-a-test-windows-update-patch/
Re: (Score:1)
You trust ZDNet? Aren't they the ones who tried to justify and cover for Windows 10 spyware and built-in advertising?
Re:It was a test update (Score:5, Interesting)
What is that you say? Never ascribe to malice that which can be explained by incompetence? Oh, I totally agree, with the exception that I would say "as a rule" rather than never. The problem is it doesn't matter if you can't trust them because they are malicious, or you can't trust them because they have proved their incompetence. Either way, they have now proved beyond a shadow of a doubt that they must not be trusted, because they are definitely and provably not trustworthy. We can all speculate as to why nobody should trust them, but no reasonable person would assert, as of today, that they should be trusted.
Re: (Score:2)
For people who use their computers to do email, web surfing, light word processing, and casual games, a friendly Linux distro (Mint?) is the best option. There's a lot of those, but hardly 99% of the market. Lots of people have more specific software they use, which doesn't run on Linux, doesn't easily run under WINE, and doesn't have a drop-in Linux equivalent. For them, Linux is not an option.
Re: (Score:2)
Re: (Score:2)
I'm an occasional writer who's not good enough to go pro, but I have looked at some authoring tools, and haven't found any I like better than several terminal windows running vim. (Then again, don't take my word on such tools unless and until I do publish something good.) The kicker is that, if you are expected to send .docx files to Microsoft Word users, you're better off using Microsoft Word itself. Not only is it more likely to be compatible (you'd think it would be a given, but nooooo), but you've g
Re: (Score:2)
I'm an occasional writer who's not good enough to go pro, but I have looked at some authoring tools, and haven't found any I like better than several terminal windows running vim.
This book [fao.org] is quite beautiful - produced completely in emacs org mode.
It was even written collaboratively. Export to docx works well enough in emacs org mode using pandoc. There is a discussion here [gmane.org]
Re: (Score:2)
Is it your point that every grandma with a computer needs to learn Emacs? It's a very nice system, but I don't think my mother-in-law would do well with it.
Re: (Score:2)
Since I didn't mention grandma, especially every grandma with a computer, my point is not about every grandma with a computer. Every grandma with a computer doesn't claim to be a writer or an author.
You said YOU have not found a better system than X, I pointed out a system which many people have found "better".
You are welcome.
Re: (Score:2)
Re: (Score:2)
Real tools? LibreOffice is, in some respects, inferior to Microsoft Office (particularly with spreadsheets). What do you recommend as replacements for Quicken and TurboTax, bearing in mind that ease of use is an essential feature? Heck, what do you recommend to replace a certain program that interfaces a Windows computer with model railroad controls? (That's tricky stuff, by the way, since the standard's too vague.) There's lots of other programs that somebody's written for Windows and not Linux that
Re: (Score:2)
If I left you with the impression that I wasn't better at this than the vast majority of the population then I apologize. I chose one example at random to address. Actually it wasn't really a random choice. I chose it because I had no idea what I would find, because I could really want nothing to do with model trains, and had no idea for sure what was out there. Of cou
only a test (Score:5, Interesting)
Microsoft said a highly suspicious Windows update that was delivered to customers around the world was the result of a test that wasn't correctly implemented.
They were just checking to see if you really wanted to upgrade to Windows 10
I want to upgrade to OS/X (Score:3)
MonsterSlop, however, is not listing that in the descriptions.
Probably just some fuckery (Score:5, Informative)
Re: (Score:3)
That really only applies when the split between malice and stupidity could land at the same place.
Re:Probably just some fuckery (Score:5, Funny)
Never attribute to malice that which is adequately explained by stupidity.
You mean that Windows 10 wasn't intended to be patently evil, it's just that Microsoft are idiots?
Re: (Score:3)
Never attribute to malice that which is adequately explained by stupidity.
You mean that Windows 10 wasn't intended to be patently evil, it's just that Microsoft are idiots?
The sad part, is that after trying out W10, I was pretty excited. Stuff worked, I could do what I needed to do, and find what I needed to find.
But they really screwed the pooch with the telemetry and the no choice updates on everything but Enterprise. My W10 Pro sacrificial computer running Pro only allows me to put them off for a little while, and constantly nags me.
So since I have one last piece of software that requires Windows, my sacrificial computer will run that program and only that program, an
Re: (Score:2)
Why don't you just stick with Windows 7 for that one app? Security updates will keep coming for 5 more years.
For my main computer, which is running W7 via bootcamp, I'll do just that. That sacrificial computer was just a hopeful experiment
Re: (Score:2)
Never attribute to malice that which is adequately explained by stupidity. Could be that some Microsoft engineer accidentally published a test update.
What's more reasonable, that some MS drone fucked up, or that the NSA compromised their update servers to illegally wiretap every system on the planet, Batman style, just sort of hoping no one would notice? Where's Morgan Freeman when you need him?
Re: (Score:2)
What's more reasonable, that some MS drone fucked up, or that the NSA compromised their update servers to illegally wiretap every system on the planet, Batman style, just sort of hoping no one would notice? Where's Morgan Freeman when you need him?
Why would the NSA need to compromise the update servers? They just send a National Security Letter [wikipedia.org] to Microsoft and their backdoor gets put into the OS when it ships, they don't need to slip it into an update.
Re: (Score:2)
An NSL doesn't require them to change code, only to hand over information they've already got or can easily get. The NSA would use other means to pressure Microsoft.
Re: (Score:3)
What's more reasonable, that some MS drone fucked up, or that the NSA compromised their update servers to illegally wiretap every system on the planet
Have you not been paying attention for the past decade or what? Both of those scenarios are equally plausible. Or it could be MS's latest attempt to push everyone into Spyware 10.
I'll grant you they're both plausible, but equally plausible? Nope.
Re: (Score:3, Insightful)
Never attribute to malice that which is adequately explained by stupidity. Could be that some Microsoft engineer accidentally published a test update.
Does it really matter if it was a mistake or not? If a guy burns down my house accidentally, or he does it on purpose, my house is still burnt down.
That's why mandatory no choice updates and the cloud are really bad ideas. The results of little mistakes can be indistinguishable from criminal intent. Either way, you lose.
I haven't seen the update yet, but people should consider this a close shot across the bow.
Re: (Score:2)
The problem is, from the perspective of trying to cram Windows 10 up our asses ... there's been an awful lot of what is best called malice.
Microsoft plans on applying this upgrade whether you like it or not, and in a lot of cases, is going to remove your control over subsequent updates ... your computer apparently belongs to them.
So, are you suggesting we have stupid malicious assholes who are incompetently pushing out test updates in a fucking sea of unwanted updates they're intentionally obfuscating as to
Yeah, a test update... (Score:5, Informative)
"We incorrectly published a test update and are in the process of removing it," a Microsoft spokesperson wrote in an e-mail to Ars. The message included no other information.
The explanation came more than 12 hours after people around the world began receiving the software bulletin through the official Windows Update, raising widespread speculation that Microsoft's automatic patching mechanism was broken or, worse, had been compromised to attack end users. Fortunately, now that Microsoft has finally weighed in, that worst-case scenario can be ruled out.
I'm a little leery of the Microsoft claim. Admittedly I am perhaps a bit biased against Microsoft for their having integrated a web browser into their OS kernel such that the OS can be irrevocably compromised through a simple web page, but even without that history, that company is large enough that anyone in public relations to make the, "our bad," announcement might not have any idea what actually happened from a technical point of view. On top of that the formatting of the update doesn't give any clue that it's a test update either, as it appears to make no origin claims (at least by the article's included screen shot) and is simply strange.
Whenever I've done something as a test, I actually note in the comments that it's a damn test. I also note that I put it there. Microsoft might not want to publicly attribute something to a particular developer to intentionally obfuscate the development process from the user, but they still should have used something that identifies it as a test to the average person, and used something to make it clear to them that it's attributed to a specific person.
Re: (Score:1)
On top of that the formatting of the update doesn't give any clue that it's a test update either, as it appears to make no origin claims (at least by the article's included screen shot) and is simply strange.
Well, from the examples given on the forum link, one thing does stand out:
https://hckSLpGtvi.PguhWDz.fuVOl.gov
https://jNt.JFnFA.Jigf.xnzMQAFnZ.edu
https://IIKaR.ktBDARxd.plepVV.PGetGeG.lfIYQIHCN.mil
.gov, .edu and .mil addresses are very restricted TLD's. This makes them great for use as 'test' URL because you can be sure they don't exist. After all, TLD's that may be fictional now (.web) might not be in the future (.site [nic.site]).
Re: (Score:2)
Then why not use hosts on some Microsoft-owned (test) domain?
Re: (Score:3)
Re:Yeah, a test update... (Score:4, Informative)
".test" is a reserved test domain [faqs.org]. There are others, including ".example", and ".invalid". I remember there being a two-letter one (".xy" I think), and a 63-letter one, but I can't find rhe RFC for those.
I've used ".test" for years, both for test URLs and test servers.
Re: (Score:2)
Whenever I've done something as a test, I actually note in the comments that it's a damn test. I also note that I put it there.
There's a real possibility that you are a better programmer than the average Microsoft programmer. Really.
Re: (Score:3)
Or more like he's a better programmer than the average programmer. Far too many do stuff like push to production, or edit in production, or just check in a quick "it should work" straight into source control without even compiling it.
Re: (Score:2)
Or more like he's a better programmer than the average programmer. Far too many do stuff like push to production, or edit in production, or just check in a quick "it should work" straight into source control without even compiling it.
That is a really scary thought, given how I've evaluated my programming knowledge and experience.
testtesttest enter your credit card here testtest (Score:2)
they're still fscking weasels, whether it's Microsoft or malicious. uh, wait, it's too hard to tell them apart, now.
Microsoft looking for new ways to fail (Score:5, Insightful)
Re: (Score:1)
'Test update' (Score:5, Funny)
Perhaps it's just me, but on days like this it almost looks like sacking thousands of QA employees might not have been the smartest idea ever.
Re: (Score:2)
It does rather sound like that's Microsoft's new model. Ship a new version of Windows 10 every day via mandatory updates, and fix the new problems tomorrow.
Don't panic (Score:2)
"Microsoft confirmed Wednesday that a suspicious-looking update pushed out to Windows machines globally in the early hours was nothing more than a test gone errant."
http://www.zdnet.com/article/m... [zdnet.com]
Bad Summary - Sensationalist (Score:4, Interesting)
The summary makes it sound like this is all a mystery and insinuates that Microsoft's update servers may have been compromised, however, the linked articles state that it was simple a mistakenly pushed test patch and nothing nefarious at all.
Re:Bad Summary - Sensationalist (Score:5, Insightful)
Re: Sure you will. (Score:5, Interesting)
Bullshit. No OS is "well made" enough that it will never need security updates. Not Windows, not MacOS, not Linux, not *BSD.
This is why it's really, really important for OS providers to maintain a trustworthy update service. If they use it for advertising purposes, or sell it out to various government agencies, or allow incompetent personnel to push "test" updates to the entire planet, it's no longer trustworthy. That means their OS itself is no longer trustworthy, if in fact it ever was.
Nobody at Microsoft seems to have the first clue how important Windows Update actually is, and how important it is not to screw with it. Windows Update is Windows, not just in a de-facto sense but as a vital corporate strategy. It's time they started acting like it.
Re: (Score:2)
Microsoft update causes Brain Damage! (Score:2)
Nerves rattled? Scanning the title I thought a Microsoft update literally caused Brain Damage that caused users' pointer fingers to shake uncontrollably on top of their mouse.
Non-issue - back to work (Score:3)
yeah - turns out to be a mistake. We can delete this post and all conversation after it.
Re: (Score:2, Insightful)
Re: (Score:1)
Or Microsoft covering for a government install that was caught.
Here, your tinfoil hat just fell off
Re: (Score:2)
Yeah - I had a similar thought later. Maybe MS is coding special features for gov't computers - maybe a honeypot monitoring service to catch hackers.
Or patching a known vulnerability for just Gov computers because the NSA asked it to be left open for the general public.
Then I turned on the TV and stopped thinking.
Re: (Score:2)
Slashdot didn't retract or even acknowledge a story that's an outright falsehood [slashdot.org], so why would they do anything about this?
The test was a success (Score:1)
Oh please (Score:2)
The same article also explains that it was a test update that they released by accident. Human error isn't exactly unbelievable when it comes to computer software. The tinfoil hat jobs are just doing what they always do around here - spreading FUD.
Re: (Score:3)
No. A different article pointed to be the same URL explains that. You should probably learn how the internet works some day if you are going to make snarky comments on Slashdot.
Re: (Score:2)
Okay, how much responsibility did they take? Any? The Ars claim is that Microsoft said it was a test update that accidentally made it out, no further information. That's not much of an explanation. Has Microsoft apologized? Maybe, but I'm not aware of it.
If Microsoft does something positive for people about this incident, tells us what went wrong, and actually apologizes, your comment may become relevant. It isn't now.
All your OS is belong to China hackers (Score:1)
Trust?
Silly rabbit, trust is for naive fools.
So it was just an error with no consequences (Score:2, Interesting)
Re: (Score:3)
You make a great point. It was a test update. There is no possibility at all that it would cause any problems. Wait ... why was it a test rather than a release update again?
Re: (Score:2)
You seem to mistakenly think that all PCs have the same software including versions on them. It is entirely plausible that the people who claim to have had their PCs broken had their PCs broken. Your belief that you have proof, even inferred proof, to the contary, is absurd.
Re: (Score:2)
There's dozens of versions of Windows 10, counting different languages. There's all sorts of applications, and an OS bug could affect only a few of them. It's easy to have a unique software configuration.
There's also hardware configurations. Many people buy low-end laptops, for example, and those tend to be assembled from the cheapest components on the last boat from Taiwan or somewhere that pass the tests. There are millions of laptop hardware configurations out there.
Re: (Score:2)
Missed that, sorry. There's dozens of versions of Windows 7 also.
Re: (Score:2)
Holy shit. You really are clueless, aren't you? Please, prey tell, what makes a laptop fundamentally different from a desktop? For bonus points, prove that you found all the people on the planet that had problems, or claim to have had problems, online. For extra bonus points, prove that most people who had their systems hosed have a second system with w
Re: (Score:2)
Re: (Score:2)
Kid. There is an old wise saying: "Tis better to remain silent and be thought a fool, than to open your mouth and remove all doubt"
That's a s
Re: (Score:2)
Re: (Score:2)
Holy shit you are fucking stupid. I didn't say M$ claimed it wasn't from them. I said M$ admitted it wasn't a legitimate update. It was an erroneous test update. You clearly don't know what the word legitimate [reference.com] means either. Holy fucking fuck. Your stupidity astounds.
Re: (Score:2)
Re: (Score:2)
--My friend's PC was nuked just like they are saying. You gonna call me a liar?
--She was called into work *after having had time off approved for the day* because her primary Win7 PC crashed and System Restore would not fix it. I suspected it was a bad Win update, and the repair tech confirmed it. Her office was taking orders manually all day because of this.
Re: (Score:2)
--My friend's PC was nuked just like they are saying. You gonna call me a liar?
--She was called into work *after having had time off approved for the day* because her primary Win7 PC crashed and System Restore would not fix it. I suspected it was a bad Win update, and the repair tech confirmed it. Her office was taking orders manually all day because of this.
No, i'm calling you random person from the internet which doesn't present evidence other that "the update broke my friend's PC". Later saying "I suspected it was a bad Win update" really doesn't help your case.
Re: (Score:2)
--Try reading what I wrote again, you moron. You're making yourself look bad (again.)
Re: (Score:2)
--Try reading what I wrote again, you moron. You're making yourself look bad (again.)
Nooo, am i making myself look bad?, Again?. Well, let's see, I guess that since you're Wolfrider, King of the Internet truth, and your friend got the day off because her PC just died and Help Desk said it was a win update (haha, which one?, did they told you?) i guess that Microsoft lied (and your friend and the other dude got owned in the whole world) and that random internet dude and you are telling the truth. Sophos Naked Security [sophos.com]
Because the update seems to have existed only as a test of the notification process, and not as an update package that could actually be installed, it seems to have been a fake update, too.
So, you can stand down from red alert.
It was a harmlessly incorrect genuine botched fake update.
But what?, the update is a dummy file?, it can't be installed you say?,
Re: (Score:2)
--What are you, twelve? Buh-bye, troll. *mic drop*
Re: (Score:2)
--What are you, twelve? Buh-bye, troll. *mic drop*
Haha, you trolls just keep getting better.
can anyone explain this? (Score:2)
glass houses (Score:1, Insightful)
It is so uplifting to find so many people who have never made a mistake in their professional careers.
I am sure those around you are giddy as they read your witty posts on Slashdot calling out "those idiots at Microsoft".
I applaud you and the personal perfection that arms you with such stones.
It was only... (Score:3)
The truth is not out there. (Score:4, Insightful)
Trust no one.
Black Hat holy grail. (Score:5, Insightful)
This right here would be what makes black hats drool. Get a payload in the Windows update server that is signed with keys that pass. you do that and you utterly own 60% of the internet in a span of 8 hours.
If you were smart about it, you would do a quick test that is benign. changing only 2 bytes in a MS patch and then look for it. If that works you get your best rootkit that you can conceive and get it out there. now WAIT for about 25-45 days and have it download and install the nasty that you want to unleash.
Luckily 99% of the black hats are so ADD that they shoot their load as soon as they can and brag all over the internet. It's that 1% that you never hear about and are never caught that are the truly dangerous ones.
Re: (Score:2)
It's that 1% that you never hear about and are never caught that are the truly dangerous ones.
. . . you mean, the NSA. . .
Terrible summary (Score:2)
At the very least, you could have briefly explained what was suspicious about it.
Yes, Microsoft Windows Update is compromised (Score:2)
By Microsoft.
Anyone who blindly installs updates deserves all the crap they get.
Nothing to worry about (Score:2)
It's just some untested code forcibly installed on your computer due to a flaw in the release process.
comment subjects are stupid (Score:2)
UPDATE: Microsoft says there's nothing to worry about, the company "incorrectly published a test update."
But what if someone compromised the Slashdot Update?
So the accidently pushed test code... (Score:2)
So Microsoft potentially pushed test code to everyone's production systems. That makes me feel so much better.
actually (Score:2)
you can't trust Windows Update any more. (Score:2)
whatever crap is lying around, evil, benign, or beneficial, rolls out the same way. there is nothing in the description. MS is using misdirection to trick you into installing Win10. these guys are getting as bad as botmasters. auto-updates are turned off on my home machines, and if I can't determine whether something is important, it doesn't get installed.
Re: (Score:3, Interesting)
If this continues, I wouldn't do real work on [windows] ever again.
So this time didn't do it for you? There has to be another time? Given Win7+'s mod to auto install fixes deemed by MS to be critical, I think that time was at least years ago. Even IBM jumped ship [macrumors.com].
Re: (Score:2)
> now
lol
Re: (Score:2)
Gaming on Linux is punishment. Sorta doable on OS X. Not really the fault of these OSes, but it is still true.
Windows 10 is so scary I'm considering running a PC for gaming and a Linux PC for all other things, including just web browsing. I have dual boot, but it ends up meaning I spend less time in Linux than I should.