Examining Microsoft Update

eggsovereasy writes "The Inquirer is reporting that a group in Germany has deciphered the information sent to Microsoft during an update using Windows Update and says that information on all software installed on your computer is sent, even that which is not Microsoft's own software." The original article is, unfortunately, pay-per-view. Update: 02/26 18:19 GMT by T : ionyka points to this "related article from ITWorld that deals with Microsoft's transferring of information through Windows Media Player. When you open up Media Player it sends information back to Microsoft like what movies you play, what songs you listen to and where they come from."

Pay per view?

[mikeage]

No it's not. Michael, please do a little thinking before you post... just try it, perhaps? Hint: Weiter means Next (or continue)... I'm reading the story quite well now...

Check out the rest

[joshmathis]

Here is the rest of the article, in PDF format. I'd suggest grabbing it and mirroring as soon as possible... this one won't hold up too long.

http://home.byu.net/~btc25/WindowsUpdate.pdf [byu.net]

One of the more interesting parts deals with how Microsoft can tell the difference between product keys they generated and those done with a keygen.

Re:Pay per view?

[Call Me Black Cloud]

I made the same mistake...it is ppv...you can read freely until the heart of the article, then it's 1.99 (euro) for the rest.

Re:Pay per view?

[illtud]

No it's not. Michael, please do a little thinking before you post... just try it, perhaps?

Yes, it is pay-per-view beyond a certain point, but the meat of the story is in the stuff sent back to MicroSoft, which they've updated to be free at this link here: http://www.tecchannel.de/betriebssysteme/1126/14.h tml [tecchannel.de]. It seems to be information on hardware in the machine. I'd like to see MicroSoft's response to this.

Re:EULA says they can take what they want

[Ezrem]

And where did you find that piece of info?

Direct from About Windows Update :

Windows Update Privacy Statement (Last Updated 10/15/2002)
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:

* Operating-system version number
* Internet Explorer version number
* Version numbers of other software for which Windows Update provides updates
* Plug and Play ID numbers of hardware devices
* Region and Language setting
The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.

Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session.

To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above.

Hardly "We can scan your computer for any information we want, and there's not a damned thing you can do about it!" as you've implied.

big deal - they've confirmed the M$ privacy stmt.

[erik1474]

below from the M$ site... they tell you outright that they are collecting this info. What's the big deal?

Windows Update Privacy Statement (Last Updated 10/15/2002)

Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:

Operating-system version number
Internet Explorer version number
Version numbers of other software for which Windows Update provides updates
Plug and Play ID numbers of hardware devices
Region and Language setting

The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.

YES IT DOES! Full example of sent data here:

[illtud]

They've updated the story to give the full info on what gets sent back here: http://www.tecchannel.de/betriebssysteme/1126/14.h tml [tecchannel.de]

Re:Check out the rest

[Com2Kid]

The correct link is:

http://home.byu.net/~btc25/windowsupdate.pdf [byu.net]

Aren't caps great? Heh.

XML Schemas available here

[cobyrne]

Client Info Schema [windowsupdate.com] and System Info Schema [windowsupdate.com].

They appear to get a copy of your registry, as well as information like processor architecture, manufacturer, printer(s?) etc

Re:EULA says they can take what they want

[leviramsey]

Read the parent comment.

This isn't Windows Update he's talking about, it's the EULA for recent versions (XP, IIRC) of Windows.

Yes

[Anonymous Coward]

The rest of the article (available in a link in a earlier comment) reveals that it sends:
- a list of hardware devices
- it can detect what software you're running by listing it as a "product category" - ie. the server sends down a list of available products and the client says "give me the updates for Windows XP, Windows XP Home, IE6" Potentially this could be used to see what you've got installed by setting up a "product category" for any product they want (ie. "Mozilla").

Of course, the easy explanation is that sending down a list of *all* available Microsoft updates (especially if they expand Windows Update to include all server products, office products, developer products, etc etc etc) to anyone who runs Windows Update (or Automatic Update) would get a bit prohibitive. Or it's a insidious plot to find out what software people are running.

Another PDF mirror

[wilstephens]

http://clients.fbagroup.co.uk/slashdot/WindowsUpda te.pdf [fbagroup.co.uk]

An iteresting NTBugtraq post

[Anonymous Coward]

Windows Update Issues [ntadvice.com]

Re:Haha

[Gunzour]

You cow-orker was right. When Microsoft Update said "No information is being sent to Microsoft", no information -- at all -- was being sent to Microsoft. The update server sent your computer a list of available updates, and code ran on your computer which determined which ones were necessary.

Microsoft Update no longer says "No information is being sent...", which is what this article is about.

Having read the article...

[cperciva]

I have to say that it's not nearly as scary as advertised. There are two complaints:
1. The Windows Update tool sends to Microsoft a complete list of what hardware you have.
2. If the Windows Update server claims to have an update available for product X, the Windows Update tool will check to see if you have product X installed, and report back to Microsoft.

Well, *duh*. The only way to avoid doing this would involve downloading a complete list of all the updates available for every supported piece of hardware or software. Based on the size of the windows HCL, I'd guess that this would require tens of megabytes of bandwidth -- all so that Windows Update could pick out the half dozen entries which are relevant.

Re:Surprise, surprise...

[Anonymous Coward]

So you have to remember who manufactured all of your hardware, then individually trawl through their sites and hope they keep old drivers on there? Sounds like Linux-style usability to me. I much prefer Microsoft's style of doing it: fast and easy, because I like being lazy.

Re:Haha

[skinfitz]

Remember the little "No information is being sent to Microsoft at this time...."

The more astute amongst you may have noticed that the "No information" message has not been there since Win2kSP3 came out.

Now it says this:

Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you.

Which essentially means that so long as they don't take an email address or phone number they can take what they want.

EULA could still be illegal in spite of agreement

[Beetjebrak]

Here in Holland (I don't know the laws in the rest of the world too well) any contract that you sign which contains clauses that are illegal, is null and void. Any statement of MS having the right to download anything off MY computer would seem to me totally illegal and would probably void the whole EULA.
I did read the EULA of the Dutch version of Win2K SP3 completely and never found any clause that would allow them to download anything off my PC without my consent.
Sadly I'm stuck with Windows since I cant (yet) afford a mac to run Adobe apps on. When oh when will Linux/FreeBSD/X get decent colour management and ports of proper graphics apps like Illustrator, Photoshop and InDesign??? The GIMP is a nice toy, but it's hardly of any use for print production work. And KIllustrator and the like are simply a laugh too for any real work.. The Linux/BSD vs. Windows ratio is now 4:1 in the favor of the free, but I'd like to get rid of Windows altogether. Give me my killer graphics apps!! I'll even pay for them! ;-)
Saving up for that Mac in the mean time..

NOT PAY PER VIEW

[Anonymous Coward]

Keep clicking on the "Weiter" link and you can read the rest of the article.

Story is incorrect

[doug363]

According to the (full) article, Windows Update sends a list of hardware installed on your system, but not a list of software. Version numbers for Windows stuff, like IE, are sent, but not any info about other software on your compouter.

From the Windows Update website privacy statement

[greygent]

To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above.

Yes, we don't not track you.

Tell that to the Melissa author, and some number of other people who's GUID was used to identify them. Even if you aren't a criminal, this could be misused in so many ways.

Despite loving many Microsoft products and the line of NT OS'es, I wouldn't trust Microsoft as far as I could throw them.

Re:Tell MS What you think, apparently...

[Mikey-San]

Yeah ... Can you say "spammer troll"?

Bleh. Just contact Microsoft directly at:

http://support.microsoft.com/default.aspx?scid=fh; EN-US;FEEDBACK [microsoft.com]

-/-
Mikey-San

The article says MS tells you this beforehand

[Yankovic]

"The details that we have documented in this article match the vague information provided by Microsoft."

Sounds like they already told you what they were going to do.

Basically, I completely back this. Much in the way that Redhat scans my computer to tell me what packages I have installed and then tells me what I need to download for updates, this scans the HW and SW I have installed and tells me about updates.

Re:Complete Breach of Trust

[Tim Macinta]

Give me a break. Your acting like windows users should be living with a constant fear that Microsoft "agents" will suddenly appear at their front door to give them a beating.

Actually, that's not too far from the truth. It happened in Virginia Beach [vt.edu] and is happening more and more frequently elsewhere.

What, did you miss this?

[sammy baby]

And I quote:

Warby -- who is the chief information officer at Seattle Metropolitan Credit Union -- believes that the terms for the end user license agreement (EULA) for Microsoft's Windows 2000 Service Pack 3 (SP3) and XP Service Pack 1, might well put the credit union in violation of new federal privacy laws... To use the "auto update" feature, according to the Microsoft Windows 2000 SP3 license, "it is necessary to use certain computer system, hardware, and software information..." By using these features, users authorize Microsoft or its designated agent to access and utilize the necessary information for updating purposes."

Full article can be found here [internet.com].

Re:Inquirer?

[Queuetue]

It's not not THAT [nationalenquirer.com] enquirer.

Re:The article says MS tells you this beforehand

[Junta]

No, most other platforms do everything client side. The updater says 'give me a list of all available updates', and then the updater does the filtering client side. Only the release number overall of the OS is known.

Sure, updates downloaded from MS sites could be tracked easily anyway, each download request could be associated with IP and such. But if non-MS programs are being probed, then they are wrongly exploiting the updater.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:YES IT DOES! Full example of sent data here:

[Anonymous Coward]

that is just the content of the systeminfo - as they said in the beginning of the article, they'd provide that part (and only that part) as a bonus. the rest of the info comes in the regKeys tag.

Don't panic, here's a summary

[unfortunateson]

First of all, the example data [tecchannel.de] sent is available free, as one poster above already listed. There's no software described there other than Windows itself.

Second, the System Info Schema [windowsupdate.com], as posted by another above, is pretty explicit about what registry keys are available to be sent, and it's pretty tame.

Frankly, I have no problem letting them know exactly what hardware I've got running. How can they harm me there? Perhaps a malicious hacker could grab this data and find ways to abuse my network card? Pretty slim.

Call me too open, if you will, but I'd be happy if it would let me know about other MS updates, such as Office, without having to also visit MS' office site. Update those automatically? Never. But it's much less convenient than the Windows Update site.

I greatly doubted that it would be sending large quantities of personal data, because it just doesn't take that long. The ones to worry about are the virus scanners, that take the time to examine every freakin' file.

In summary:

• They're not sending your entire hard drive
• They're not sending your entire registry
• They're not sending a full software inventory
• They're probably gathering a little more than they need
• They're probably not doing anything with it (yet)

Re:Easy Solution

[wizarddc]

Apple!!!! Bring OSX to X86 and we will make it worth your while!


The point you are forgetting is that Apple makes and sells hardware, and only makes software so that they can sell that hardware. They'll give you the OS for free, as long as you pony up for the box. They have no interest, financially, to port or sell OS 10 to X86.

Re:Haha

[Anonymous Coward]

a list of all possible patches for all possible applications and all possible hardware configurations (pretty big list), it also has to download some sort of ruleset

Microsoft's hfnetchk tool does this, and it's currently a 1465KB XML file. (~185KB compressed)

That covers NT4, all W2000 SP levels, WinXP, all IE releases, and SQL Server 7/2000 and some other things not covered by Windows Update.

If the client sent the the OS, the service pack level, and the IE version, the file wouldn't be that large.

Re:pay-per-view

[AngusSF]

Actually you can only read the first 2-3 pgs of the article. On the third page [tecchannel.de] you see

The following pages are restricted to users of our Premium service. If you are not member you can buy the externer Linkcomplete article as a PDF-file for Euro 1.99. Included you will find a complementary copy of the tools we used to find out what is going on with Windows Update.

Re:Easy Solution

[Zendar]

They'll give you the OS for free, as long as you pony up for the box.

Then why do they charge $120 for existing users (owners) to upgrade to each new point release for OSX?

Re:Easy Solution

[nachoboy]

Because the value of Windows Update doesn't lie in the fact that it gives you the patches. Its value to consumers is that it will automagically detect what kind of system you have and provide a list of the necessary patches. Yes, it also conveniently lets you install all of them with just one more click, but Microsoft already offers all their patches in downloadable .exe form. The problem is that every time a patch comes out, a user must read the accompanying documentation, determine whether their system is vulnerable, and apply the patch. And this is no easy task. There are patches for Windows (no brainer), Office (mostly a no-brainer) [these are usually obtained at Windows Update's little sister site, Office Update], Internet Explorer (easy enough), IIS (do you know whether it's installed?), the Java Virtual Machine (getting a little tricky now), the HTML Help subsystem (woah), the MDAC components that probably got installed when you installed Windows (what luser knows what MDAC is?), and the FrontPage Server Extensions (sounds like Office, no? don't worry, it's conveniently included in Windows). Oh and if that wasn't hard enough, there are patches that supercede patches, late, missing, or broken patches, patches you think you have to apply twice, the list just doesn't end. Windows Update in its current incarnation can get rid of the user hassle for most of that by moving all of the guesswork out of the luser's hands and into Microsoft's engineers' hands.

Personally, I find the whole patch thing ridiculous. I tried to stay abreast of the current security patches by subscribing to the security mailing list and making my own decision about whether a patch applies. It's impossible. Every time you think you've gotten it right, there's another patch to figure into the situation. I use Windows Update to find out what updates I need, but since the home connection is ridiculously slow, I just make a list and download the .exe's from http://download.microsoft.com. (Search by the KB article #). As long as you save them, the syntax for installing them quietly is mostly uniform, and you can apply them with little hassle next time you install.

Who cares ? I run WinUpdate right after I install

[VaXXi]

Really. Run Windows Update right after a new Windows installation, without other programs installed; therefore, no interesting information for Microsoft (other than Notepad and Paint being installed).

After that, subscribe to one or two good security mailing lists and never use Windows Update again (you will probably find out faster about new vulnerabilities anyway), and download the appropriate patches directly from Microsoft's web site, by following the security advisories.

Agreed, it's a little extra work, but as far as I care, it's worth it.

This is the link

[Wee]

Here's the page which doesn't care about your browser:

http://www.microsoft.com/downloads/search.aspx?dis playlang=en [microsoft.com]

-B

How the well would it be able to see the Mac?

[Inoshiro]

This is a Virtualized PC -- all it sees are the hardware components emulated by the host operating system.

This is akin to saying that VMWare can somehow tell my that I have an SB Live! -- it can't. All it knows is that it has SB16 emulation inside, and that it writes the output of that to /dev/dsp.

This is pure paranoia talking. Perhaps you should invest in more aluminium for your head.

Windows Update is crap

[McSpew]

As explained by Russ Cooper of NTBugTraq in a lengthy rant [ntbugtraq.com] on Tax Day of 2002, Windows Update is a horrible piece of crap. He followed it with another lengthy rant about what he thinks Microsoft should be doing [ntbugtraq.com] instead of Windows Update.

In the meantime, while downloads are large (~1.5MB), the XML package you get for HFNETCHK searches your system for proper file versions and remains the most reliable way to ensure your system is properly patched. Unfortunately, the best tool for checking your patch state (HFNETCHK) doesn't help you download the patches you need. It does identify the MS security alert addressed and even the KB article, but it's not painless. MBSA gets you one step closer by actually having the URL of the KB article, but it's not as painless as downloading updates via Windows Update (when WU properly identifies your patches).

Anybody who's used the atrociously-bad Automatic Update Service will know that it doesn't cover many important software updates and neither does Windows Update. In fact, if you use all three products, you'll frequently find that each product identifies a different set of patches that are required, and usually, none of them list all the patches identified by the others.

What I've found is that HFNETCHK actually identifies truly critical patches, while Windows Update improperly identifies non-critical updates as being critical. For instance, it tells you that installing Internet Explorer 6.0 SP1 is critical (even when you're running a fully-patched IE 5.5SP2) or even worse, it tells you that a patch meant to improve functionality of using a non-IE default browser is critical.

Sorry, but as much as I hate MS and as much as I prefer Mozilla to IE for my own browsing needs (and even though it works better), I don't make it my default browser anywhere, especially on servers, so this update is hardly critical.

In short, while sysadmins at least have a chance to stay fully-patched these days--unlike the days before Code Red--MS still has incredibly shoddy patch management tools, incredibly inconsistent patch installation mechanisms and still takes liberties with customer data it shouldn't need to take.

If Microsoft ever gets serious about patch management, they'll have a common tool that sysadmins can use to patch any and all of their MS software with a common interface and no unnecessary transmission of system-specific data to MS. Is that too much to ask? Apparently.

Re:How the well would it be able to see the Mac?

[Dephex Twin]

It (XP in VPC on a Mac) could EASILY see software on the other partitions.

How would it do this? The "partition" that the Windows OS runs in is a virtual partition, and is really just a disk image. The virtual OS only has knowledge of this partition and up to two other virtual partitions that you set in the preferences of that virtual machine. When you copy something between the Mac side and the Windows side on VPC, a temporary share is created for the duration of the copy.

It is possible to set up VPC to see your entire Mac partition by setting up folder sharing from the Mac's root directory. You'd have to go out of your way to do this, there'd be little to no point, and it would be in no way something MS could count on to happen.

Re:How does this differ from RH Update?

[Anonymous Coward]

When you sign up for RHN, you're given the option of uploading information about which packages you have installed. You can decline [1]. You won't get email about particular packages you have which need updating, but you can still use the update agent.

The update agent will still work because it polls the servers for which packages are current for your release [2] and compares that list to what you have installed, and the comparison is done locally.

[1] https://rhn.redhat.com/help/basic/register-system- profile.html [redhat.com]
[2] https://rhn.redhat.com/help/basic/up2date-setup.ht ml#PACKAGES-TO-UPDATE [redhat.com]

Re:Haha

[ArsonSmith]

my debian system does it everyday, sometimes twice a day if I feel like getting something new to play with.

A list is a lot of bandwidth?

[siskbc]

So, in addition to downloading a list of all possible patches for all possible applications and all possible hardware configurations (pretty big list), it also has to download some sort of ruleset that goes around all of those to actually figure out locally what udpates are available and necessary. That's a lot of bandwidth.

First, the client would be a one-time install. No biggie there. Next, text is pretty small. I mean, you have to review the patches yourself anyway (please tell me you don't allow MS to decide what gets "updated"...). I can read pretty fast, but not as fast as my modem can d/l text. So I don't think the bandwidth is a problem.

And I would still rather have this client-side. They can deduce all they want, but they won't have things like reg codes, CD keys, etc, which I bet they collect. And I bet they also collect PCI serials. So, if they ever decided to bust you, they'll have all your hardware ID's and software codes. Yay!

The original article that started it all

[PhunkySchtuff]

The original "discovery" was made by Louis Solomon of SteelBytes Software [steelbytes.com]
He posted it to ntbugtraq on Monday Feb 24th
Here [ntbugtraq.com] is the original post, where it describes the issue in a clear fashion, and does point out that Microsoft do tell you exactly what information they gather, however most people are unaware of this as they don't read the EULA - like me

kai

Windows Update Privacy Statement

[Anonymous Coward]

Taken from XP Pro Automatic Updater, Settings, "Learn more about automatic updating" (help screen), "Windows Update Privacy Statement":

Windows Update Privacy Statement

Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. This information includes:

Operating-system version number and Product Identification number

Internet Explorer version number

Version numbers of other software

Plug and Play ID numbers of hardware devices

The Product Identification number is collected to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information. The configuration information collected is used only for the period of time that you are visiting the site, and is not saved.

To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, Windows generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and information about your operating system version and Internet Explorer version.

Because Windows Update does not collect personally identifiable information, the configuration information and GUID cannot be used to identify you.

Please visit http://windowsupdate.microsoft.com to review any updates to this privacy statement.

Related Topics

Re:Linkee no workee

[xombo]

The reason it requires IE is because windowsupdate.microsoft.com has to use ActiveX to see what packages/updates you have installed, and which ones you don't have installed. Since Mozilla/Opera/etc believe in privacy (and they CANT do activex), they are not going to support activex and let microsoft see all your installed packages.

Re:pay-per-view

[Anonymous Coward]

Question to moderators : Why was the parent modded +5 funny? I've never seen a more clear-cut case of redundancy.
Oh, this post is redundant too, but since I don't expect the other reply to be modded up, I thought I'd post anyway (yeah, throw an Offtopic in there as well...)