On the back of the recent WGA fiasco, further research has revealed yet another citation of what I already knew to be true: Windows updates itself without explicit permission, even if you turn off automatic updates.

NEW! ... Further proof, confirmation, and details of this has been provided by Scott Dunn of Windows Secrets, and Adrian Kingsley-Hughes of ZDNet.

The procedure is supposed to work like this (on XP at least):

Launch "System Properties".
Select the "Automatic Updates" tab.
Select the "turn off Automatic Updates" (or manual) checkbox.

And that, AFAIAC should be it. Off means off.

And yet, according to Microsoft, apparently it doesn't.

If Microsoft ever wanted to get caught with their pants down, they succeeded. For most people, the above doesn't make a whole lot of sense past the "you might have a virus" part. VerifyMyPC requires a little extra knowledge about computer systems when dealing with the details. Google is your friend in these cases. Running searches for 'wups.dll' and 'wups2.dll' turns up something about Automatic Updates. In particular, those DLLs provide Automatic Update functionality for Windows.

In other words, the Automatic Updates utility automatically updated itself. Now this might not seem like a big deal but I have automatic updates set to manual (both download and installation have to be approved by me) and not the usual 'automatic' setting found on most user PCs. In other words, Windows updated itself without my express permission. Such behavior is right in line with spyware-like activity.

http://cubicspot.blogspot.com/2007/08/windows-update-updating-without.html

New information from the ZDNet article suggests that the total number of files that are covertly replaced by Microsoft in this latest attack totals 9 on Vista and XP, as follows:

Vista:

• wuapp.exe
• wucltux.dll
• wudriver.dll
• wuwebv.dll

XP SP2:

• cdm.dll
• wuaucpl.cpl
• wucltui.dll
• wuweb.dll

Common to both Vista and XP:

• wuapi.dll
• wuauclt.exe
• wups.dll
• wups2.dll
• wuaueng.dll

Kingsley-Hughes is also running a poll, asking his readers whether they approve or disapprove of these stealth updates. Unsurprisingly the vote is currently standing at 94% disapproval. I encourage you to add your vote to the 10,000+ already cast.

So let this serve as a reminder to all those who denounce claims of stealth updates as "paranoia" ... Microsoft do deploy updates that are installed without user's explicit permission, and indeed contrary to those users' express instructions. The Windows EULA even states that Microsoft reserves such a right:

2.3 Internet-Based Services Components. The Software contains components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the Software and/or its components that you are utilizing and may provide upgrades or fixes to the Software that will be automatically downloaded to your Workstation Computer.

[Translation]

You agree that Microsoft can automatically and without your consent put new software on your computer.

Archive of the original linuxadvocate.org article on the WayBack Machine

Why is this such a big deal?:

• Because the supposed ability to "turn off" Automatic Updates is little more than a lie.
• Lying about updates is suspicious and untrustworthy behaviour, which one does not exactly expect from the vendor that you paid for the "privilege" of running their software. IOW if the vendor has lied about this, then what else have they lied about?
• Updates may not necessarily be deployed in good faith. Microsoft have demonstrated in the past that certain updates are quite deliberately designed to cripple and inhibit their customers' systems. Example: driver update designed to prevent all DVD playback (conspiracy with nVidia and Macrovision).
• Even when not designed with malicious intent, updates are not always necessarily a GoodThing®, on any system, including GNU/Linux. Poorly tested updates may actually cause problems, rather than fix them. Users need to have the freedom of choice to decide whether or not to apply any given update in a timely fashion, if at all. User's should be in control of their own systems, for both practical and principled reasons. Without exception.

How to resolve this problem:

• Do not rely on the control panel settings for Windows Updates, it is untrustworthy and essentially bogus. Disable the two services - WAUS and BITS ("Windows Automatic Updates Service" and "Background Intelligent Transfer Service" respectively). And keep them disabled ... permanently.
• Do not trust updates from Microsoft ... ever ... especially so-called high priority automatic updates. Consider all software from Microsoft to be potential Malware. Use WindizUpdate with Firefox to obtain updates instead, and be sure to carefully research each and every update before deploying.
• As ever, keep your Anti-Spyware and Anti-Virus definitions up to date (although it's likely that third party vendors have exception rules for Windows components, at Microsoft's behest, so do not rely on this either). Use Free Software tools where you can (e.g. packet sniffers, etc.) to determine what exactly the updated software is covertly trying to do. IOW - use extreme caution at all times.

Of course there is a more permanent and trustworthy solution, simply wipe that Malware known as Microsoft Windows off your system completely, and install GNU/Linux instead, for some peace of mind, real control, and an overall much better user experience.