Horowitz: Windows Update on Win7 is not secure

Topic

New Reply

Interesting discussion from Michael Horowitz: When you run Windows Update on Windows 7 (I did not test other versions of Windows) it opens MANY connec
[See the full post at: Horowitz: Windows Update on Win7 is not secure]

6 users thanked author for this post.

Myst, Elly, SueW, Wheel_D, GreatAndPowerfulTech, PhotM

Reply | Quote

Replies

Windows 7: “Cortana, is that you?”

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

2 users thanked author for this post.

Myst, OscarCP

Reply | Quote

Just another reason why Windows 7 users may be better off when January 2020 arrives, or sooner if they so choose.

2 users thanked author for this post.

Myst, FakeNinja

Reply | Quote

@Seff  I guess I’ll be taking that course on updating Windows 10 and a course on Windows 10 itself.

Reply | Quote

Not what I had in mind, but if that option appeals to you then I believe someone not a million miles from this site has written a book that will tell you all you need to know about Windows 10 ;}!

Reply | Quote

I seem to remember from my wet brain database, not always to be trusted, that we had a similar in depth discussion about WU (WIN7) security over open ports using insecure protocols by design. This was less than a year ago but before Christmas. I am not sure how much of this is new information, or recovering ground already tread. It might take a while to find. If I do, I’ll link here.

Reply | Quote

Yes, I seem to recall hashing this out at an earlier time. Seems MS said it was by design. It seems there was something about the Catalog downloads being http then to, although I see https now.

1 user thanked author for this post.

walker

Reply | Quote

@pkcano , possibly not for publication, edit as you see fit

Either my timeframe is wrong, my search terms are inadequate, or I’m flat out wrong. But I did find enough topic discussions that reminded me there is a period or group of subjects lost to the void around a year ago. As I am not on the inside loop, I do not know if the missing material was the result of an underpowered server reaching it’s limitations; or if there was material removed because it elicited attacks.

I do not need to know one way or the other, only hoping to jostle loose a remembered thought for you. I may be barking up the wrong tree in the wrong forest.

Reply | Quote

Don’t think it’s lost, just think you can’t find it (yet?)

Reply | Quote

I apologize for suggesting this without finding it first. Thanks for the encouragement to search. I’ve run down the front page articles list in the time frame, but thought it was introduced in the lounge. So I dug into archived replies by likely candidates who would have been interested. I either have a blind spot, a false memory, or correctly suspect it was lost during a stressful time. In any case, I’ve chased the wild goose and gone hungry. The goose won.

Reply | Quote

All the more reason to use it only when absolutely necessary.

1 user thanked author for this post.

Myst

Reply | Quote

Isn’t that just ducky

Windows 11 Pro
Version 23H2
OS build 22631.5189

1 user thanked author for this post.

Myst

Reply | Quote

What is the work around?

Is it necessary to do a work around?

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

Reply | Quote

What, me worry? A Windows 7 system is at far greater risk of getting borked by a Microsoft update than by a man-in-the-middle or spoofing attack.

11 users thanked author for this post.

Kranium, Cesar, Myst, Karlston, Charlie, Microfix, Geo, JCCWsusser, wdburt1, OscarCP, cesmart4125

Reply | Quote

Now that’s a scary thought

Reply | Quote

Indeed it is.

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

Reply | Quote

WINDOWS UPDATE BUGS
The buggy nature of Windows Update on Windows 7 last got publicity when it would take half a day to figure out the missing patches. This month, it was shamed for failing to install the August and September monthly updates because it had failed to update itself first.
A bug fix to Windows Update (KB3177467) was issued in October of 2016, and a system without this fix ran fine until very recently, when Windows Update failed with a 0x8000FFFF error for many people. Woody Leonhard covered the details in Computerworld.
John Wilcox of Microsoft offered an explanation for the problem where he wrote “when we released the Windows 7 SP1 servicing stack update (KB3177467) it was marked ‘critical.’ ” Yet, on August 25, 2018, I tweeted about a Windows 7 system that installed all the available August 2018 patches and then, after the mandatory reboot, wanted to install KB3177467. Nothing said that KB3177467 was critical. I wondered why a two year old patch appeared after installing all the current patches. The 2016 patch was checked by default, but it looked and felt like a Windows Update bug, so I didn’t install it.

That’s the trouble when you let users decide which updates to install: They guess wrong and it comes back to bite them, even if it is years later.

Reply | Quote

Yeah, and when you let MS decide, it comes back to bite almost immediately!

15 users thanked author for this post.

Kranium, Cesar, Elly, Seff, jelson, OscarCP, Karlston, Microfix, SueW, Cybertooth, David F, wdburt1, EstherD, jburk07, lanceboil

Reply | Quote

Would this apply to anything offered as checked by Windows Update when one has WU set to “let me know but let me decide what and when to install”?

I understand from the previous discussion here (and, please, correct me if I’m wrong in this) that, being in Group B, when I download Win 7 updates (Security Only and IE11) from the Catalog, this is not a problem.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

OscarCP wrote:

Would this apply to anything offered as checked by Windows Update when one has WU set to “let me know but let me decide what and when to install”?

The discussion applies to any updates delivered through the Windows built-in Windows Update mechanism, whether checked by default or checked by the user, no matter what their settings are.

Updating Windows (from Catalogue downloads) is not the same as updating through Windows Update

3 users thanked author for this post.

Myst, Elly, OscarCP

Reply | Quote

@PKCano In this situation, how does MS Update Catalog differ from Windows Update?  Thanks in advance for answering my question.

Reply | Quote

In the back recesses of my mind the Windows updating process is digitally signed.  The bits of the patches are put together based on these signed bits of code. If any patch doesn’t reorganize properly the operating system will throw out the bad bits and try again.  “it can also be modified in-flight”   Irrelevant and doesn’t matter.  Even if bits are modified in flight Windows update on the client puts the bits together, checks the digital signature and as long as the check sums align up, it will stamp it as good code an install.

Remember the Flame malware and the resulting code signing cert/WSUS patching we all did a few years back?  https://en.wikipedia.org/wiki/Flame_%28malware%29  The certificate process ensures we get good code.

Now as far as how bad windows update diagnostics is… well…

Susan Bradley Patch Lady/Prudent patcher

10 users thanked author for this post.

Kranium, Myst, Elly, JCCWsusser, GoneToPlaid, Jan K., AlexEiffel, cesmart4125, b, jburk07

Reply | Quote

P.S. I ran that Windows 7 KB3177467 back when it came out.  It’s been a recommended patch for 7 (and servers) for a long long time.  http://wu.krelay.de/en/ has had it listed for many many months.  Don’t beat up Microsoft over something that should have been installed a long time ago….other than it showcases that lack of trust of patching isn’t new.

Susan Bradley Patch Lady/Prudent patcher

5 users thanked author for this post.

Myst, Elly, Geo, Jan K., b

Reply | Quote

Susan Bradley: ” Don’t beat up Microsoft over something that should have been installed a long time ago….other than it showcases that lack of trust of patching isn’t new.  ”

So, to be clear about the Patch Lady’s point, that might be a decisive one here: having installed KB3177467 back when, is one now quite free from the problem this thread is about?

And, if one has not install it yet, is it OK to go ahead and install it now? (First I must confess here that I am patched with all this year’s patches through August.)

 

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

Myst

Reply | Quote

KB3177467 is one of the updates that you probably installed it two years ago and never realized it.

If you had the dreaded slow scanning for updates, you installed probably a year ago and forgot about it.  It’s safe to install and if you don’t have it now, you should have it now.

Try to install it, if you already have it installed, it will let you know that it’s already installed.

Susan Bradley Patch Lady/Prudent patcher

5 users thanked author for this post.

Myst, walker, Geo, woody, OscarCP

Reply | Quote

P.P.S., yes if you installed it then, you wouldn’t see this installation error problem.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

OscarCP

Reply | Quote

Went through installed updates list back to 2016 and couldn’t find KB3177467 so thought I would download and install through MS. Started to download and then a window popped up with the message “This update does not apply to your computer.” Patched up through August 2018. No errors ever encountered. What gives? Win 7 Pro x64, SP1, i7-core Haswell

Reply | Quote

It was already installed. You just didn’t find it.

1 user thanked author for this post.

Demeter

Reply | Quote

see the pic – enough said

Reply | Quote

Susan Bradley wrote:

Don’t beat up Microsoft over something that should have been installed a long time ago

Beating up seems fair. A 2 year old patch showed up after installing the usual August 2018 patches and rebooting. That looks like an error. Why was it not listed along with the other Aug patches? Why does it first show up 2 years late? If that’s not a bug, what is? Nothing said to an end user that it was critical, in fact there were no documentations updates to it for 2 years.

And, the heavy use of port 80 (at least 6 connections for a Windows Update session) is the main point. Seems fair to beat up MS for that too, whether HTTP is used for transmitting patches or for another purpose.

 

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

1 user thanked author for this post.

Elly

Reply | Quote

It showed up for me back in 2016.  The issue was these folks ignored the update and didn’t install it.  I remember recommending that folks update it.

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

Elly, Geo

Reply | Quote

https://support.microsoft.com/en-us/help/818018/how-to-solve-connection-problems-concerning-windows-update-or-microsof

“Windows Update agent uses port 80 for HTTP and port 443 for HTTPS to obtain updates.”

You can block outbound port 80 and windows update will work just fine.

 

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

Myst, Elly

Reply | Quote

With all due respect, didn’t we already discussed this similar subject?
https://www.askwoody.com/2018/microsoft-using-insecure-http-links-to-distribute-security-patches-through-the-update-catalog/

do you think malware hackers would not have taken WU years ago if it was that insecure?

3 users thanked author for this post.

Elly, woody, geekdom

Reply | Quote

abbodi86 wrote:

do you think malware hackers would not have taken WU years ago if it was that insecure?

Perhaps they already have since July 2015, Microsoft AI

Windows - commercial by definition and now function...

Reply | Quote

Similar topic, but not exactly the same. Still, it does show the mindset at Microsoft – secure transmission of data is not important. I hope to test Susan’s claim that you can block outgoing port 80 connections and Windows Update will still work… Even if true though, the bigger issue is about Microsoft themselves and whether the company deserves to be trusted.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

Reply | Quote

? says:

with all due respect please google “KB3177467 problem.” you will find many links that show people having problems installing the “update” since it was released. i chose not to install it then and have fully patched 5 windows 7 Pro 32bit installations (b style) current to September 11 without installing it. I downloaded it to linux and looked at the files and did not see anything untoward within. no digitrack (Diagnostic Tracking Service) or CEIP or get winx either. i will consider installing it in the future if need be. win 7 is on the way out soon anyway. tip of the hat to abbodi86 in post #219238 “how to [neuter] telemetry…” it took me much searching and time a few years ago to apply his method without the comprehensive guide he posted earlier today. i keep wondering why Microsoft spends so much time and money working to completely control windows7 when it is all but finished and causing customers so much lost time trying to keep it secure and operating in a satisfactory manner. call me naive. for example i was able to fully patch windows xp pro in under 4 minutes earlier today.

Reply | Quote

anonymous wrote:

? says: with all due respect please google “KB3177467 problem.” you will find many links that show people having problems installing the “update” since it was released…

All of this was not due to the update itself, but instead was due to MS deliberately throttling Windows Update on Win7 computers. There is no other possible explanation since the issues occurred whether or not KB3177467 was installed, and since all of the issues instantly disappeared after Microsoft ended its GWX campaign.

1 user thanked author for this post.

Myst

Reply | Quote

Anonymous (  #219492  ): ”  i keep wondering why Microsoft spends so much time and money working to completely control windows7 when it is all but finished ”

I have found that, in human affairs, there are some big groups, organizations, companies, etc. that are oriented mostly towards:

(1) Preeminence (to do anything they want).

(2) Control (to achieve and maintain (1) — and because they can’t help themselves).

(3) Respect (to them).

MS has been, since Bill Gates on, mostly about (1) and (2).

Early example and harbinger of things to come: IE imposed as the default browser.

It took a serious court battle to end that:

https://www.britannica.com/technology/Internet-Explorer

https://www.nytimes.com/2000/04/04/opinion/microsoft-s-illegal-monopoly.html

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

I just checked and the update catalog is now served over HTTPS (wasn’t too long ago that it was still using HTTP). The links to the catalog from the Windows 10 update changelog pages still point to the HTTP site though (it will then redirect to HTTPS, but as I’ve been told, there’s still the opportunity to hijack a connection even if HTTP is used only briefly to redirect to HTTPS).

I never update from Windows Update anymore (I use Windows 10, which should be self-explanatory as to why I don’t use Windows Update). I download my updates from the catalog and install them there. More control, and as a plus I can uninstall them later through the Control Panel. Get off my lawn, Microsoft.

Reply | Quote

anonymous wrote:

I never update from Windows Update anymore (I use Windows 10, which should be self-explanatory as to why I don’t use Windows Update). I download my updates from the catalog and install them there. More control, and as a plus I can uninstall them later through the Control Panel. Get off my lawn, Microsoft.

You can uninstall any Windows 10 update through Control Panel:

How to Uninstall a Windows Update in Windows 10

Reply | Quote

Just because data is transmitted via port 80, it does not mean the data is not encrypted. All the HTPPS hype is just that — and doesn’t make anything more secure.

Reply | Quote

I may be reading into your short comment here, and apologise if that is so.

Reading in previous discussions led me to believe that Windows update transmissions are secured by signatures and verifying hashed checksum values without relying on the additional hurdle of the HTTPS protocol.

If I am repeating a misunderstanding, I offer an apology for that as well.

Reply | Quote

Using SOAP Secure Message for end-to-end encryption of the payload ensures that things are secure, even over HTTP. That’s what Microsoft is using for data transfers over port 80.

Reply | Quote

anonymous wrote:

Just because data is transmitted via port 80, it does not mean the data is not encrypted.

Technically this is true, but very very unlikely. And HTTPS is not hype. It is not perfect but it does make things more secure. And, the flip side is that there is no excuse to still use HTTP when updating the operating system. I suspect the reason is that MS does not care.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

Reply | Quote

anonymous wrote:

Using SOAP Secure Message for end-to-end encryption of the payload ensures that things are secure, even over HTTP. That’s what Microsoft is using for data transfers over port 80.

Where did you read this? Verifying it requires packet sniffing the traffic and trying to decrypt the data (if it is encrypted). And, even if they are sending encrypted data over HTTP, the fact remains that there is no reason not to use HTTPS. And, HTTP traffic can be modified in flight, so they need to detect and fix that too, something HTTPS already do.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

Reply | Quote

SOAP Secure Message ensures that data is not tampered with. HTTPS just encrypts the transport, not the payload — and, other than SOAP Secure Message, HTTPS does not protect against man-in-the-middle attacks. And yes, there’s way too much hype about HTTPS and the HTTPS fanboys should do their homework before parroting nonsense.

Reply | Quote

imho, so humble I won’t capitalise it, we have more worries about poorly tested and broken updates than intercepted and maliciously changed updates. I think there are years worth of data points to back this conjecture on both sides of the argument.

It may be far easier to discuss how little Microsoft cares about end consumers in the realm of customer service transparency, agility, reliability &c.

Reply | Quote