  • Horowitz: Windows Update on Win7 is not secure

    #219399

    Interesting discussion from Michael Horowitz: When you run Windows Update on Windows 7 (I did not test other versions of Windows) it opens MANY connec
    [See the full post at: Horowitz: Windows Update on Win7 is not secure]

    6 users thanked author for this post.
    • #219403

      Windows 7: “Cortana, is that you?”

      2 Machines for Now!
      #1: Windows 8.1, 64-bit, back in Group A.
      #2: Getting close to buying a refurbished Windows 10 64-bit, recently updated to v1909. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
      Wild Bill Rides Again...

      2 users thanked author for this post.
    • #219422

      Just another reason why Windows 7 users may be better off when January 2020 arrives, or sooner if they so choose.

      2 users thanked author for this post.
      • #219468

        @Seff  I guess I’ll be taking that course on updating Windows 10 and a course on Windows 10 itself.

        • #219662

          Not what I had in mind, but if that option appeals to you then I believe someone not a million miles from this site has written a book that will tell you all you need to know about Windows 10 ;}!

    • #219423

      I seem to remember from my wet brain database, not always to be trusted, that we had a similar in depth discussion about WU (WIN7) security over open ports using insecure protocols by design. This was less than a year ago but before Christmas. I am not sure how much of this is new information, or recovering ground already tread. It might take a while to find. If I do, I’ll link here.

      • #219425

        Yes, I seem to recall hashing this out at an earlier time. Seems MS said it was by design. It seems there was something about the Catalog downloads being http then too, although I see https now.

        1 user thanked author for this post.
        • #219431

          @pkcano , possibly not for publication, edit as you see fit

          Either my timeframe is wrong, my search terms are inadequate, or I’m flat out wrong. But I did find enough topic discussions that reminded me there is a period or group of subjects lost to the void around a year ago. As I am not on the inside loop, I do not know if the missing material was the result of an underpowered server reaching its limitations; or if there was material removed because it elicited attacks.

          I do not need to know one way or the other, only hoping to jostle loose a remembered thought for you. I may be barking up the wrong tree in the wrong forest.

          • #219436

            Don’t think it’s lost, just think you can’t find it (yet?)

            • #219488

              I apologize for suggesting this without finding it first. Thanks for the encouragement to search. I’ve run down the front page articles list in the time frame, but thought it was introduced in the lounge. So I dug into archived replies by likely candidates who would have been interested. I either have a blind spot, a false memory, or correctly suspect it was lost during a stressful time. In any case, I’ve chased the wild goose and gone hungry. The goose won.

    • #219428

      All the more reason to use it only when absolutely necessary.

      1 user thanked author for this post.
    • #219432

      Isn’t that just ducky

      Windows 7 Home Premium x64 AMD Group A Realtek PCLe GBE Family Controller

      1 user thanked author for this post.
    • #219434

      What is the work around?

      Is it necessary to do a work around?

      On Hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender TRV=1909 WuMgr
      offline▸ Win10Pro 20H2.19042.685 x86 Atom N270 RAM2GB HDD WindowsDefender WuMgr GuineaPigVariant
      online▸ Win10Pro 20H2.19042.804 x64 i5-9400 RAM16GB HDD Firefox86.0 WindowsDefender TRV=20H2 WuMgr
    • #219433

      What, me worry? A Windows 7 system is at far greater risk of getting borked by a Microsoft update than by a man-in-the-middle or spoofing attack.

      11 users thanked author for this post.
    • #219445

      WINDOWS UPDATE BUGS
      The buggy nature of Windows Update on Windows 7 last got publicity when it would take half a day to figure out the missing patches. This month, it was shamed for failing to install the August and September monthly updates because it had failed to update itself first.
      A bug fix to Windows Update (KB3177467) was issued in October of 2016, and a system without this fix ran fine until very recently, when Windows Update failed with a 0x8000FFFF error for many people. Woody Leonhard covered the details in Computerworld.
      John Wilcox of Microsoft offered an explanation for the problem where he wrote “when we released the Windows 7 SP1 servicing stack update (KB3177467) it was marked ‘critical.’ ” Yet, on August 25, 2018, I tweeted about a Windows 7 system that installed all the available August 2018 patches and then, after the mandatory reboot, wanted to install KB3177467. Nothing said that KB3177467 was critical. I wondered why a two year old patch appeared after installing all the current patches. The 2016 patch was checked by default, but it looked and felt like a Windows Update bug, so I didn’t install it.

      That’s the trouble when you let users decide which updates to install: They guess wrong and it comes back to bite them, even if it is years later.

      Windows 10 Pro version 21H2 build 19044.1387 + Microsoft 365 (group ASAP)

    • #219447

      Would this apply to anything offered as checked by Windows Update when one has WU set to “let me know but let me decide what and when to install”?

      I understand from the previous discussion here (and, please, correct me if I’m wrong in this) that, being in Group B, when I download Win 7 updates (Security Only and IE11) from the Catalog, this is not a problem.

      Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      Waterfox "Current" and (now and then) Chrome. also Intego AV and Malwarebytes for the Mac.

      • #219449

        Would this apply to anything offered as checked by Windows Update when one has WU set to “let me know but let me decide what and when to install”?

        The discussion applies to any updates delivered through the Windows built-in Windows Update mechanism, whether checked by default or checked by the user, no matter what their settings are.

        Updating Windows (from Catalogue downloads) is not the same as updating through Windows Update

        3 users thanked author for this post.
        • #219471

          @PKCano In this situation, how does MS Update Catalog differ from Windows Update?  Thanks in advance for answering my question.

    • #219450

      In the back recesses of my mind the Windows updating process is digitally signed.  The bits of the patches are put together based on these signed bits of code. If any patch doesn’t reorganize properly the operating system will throw out the bad bits and try again.  “it can also be modified in-flight”   Irrelevant and doesn’t matter.  Even if bits are modified in flight Windows update on the client puts the bits together, checks the digital signature and as long as the checksums align, it will stamp it as good code and install.

      Remember the Flame malware and the resulting code signing cert/WSUS patching we all did a few years back?  https://en.wikipedia.org/wiki/Flame_%28malware%29  The certificate process ensures we get good code.

      Now as far as how bad windows update diagnostics is… well…

      Susan Bradley Patch Lady

      10 users thanked author for this post.
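
The verify, discard and retry behaviour described in the post above, modelled as an added example (it is not part of the original thread and is not Microsoft's code). It assumes a toy textbook-RSA key built from two Mersenne primes as a stand-in for a real code-signing certificate; `publisher_sign`, `client_verify`, `tamper` and `install_from` are hypothetical names.

```python
import hashlib

# Toy textbook-RSA key from two Mersenne primes (constructed for this example).
# ASSUMPTION: it stands in for the publisher's code-signing key; real update
# signing uses certificate chains and padded signatures, not raw RSA.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the publisher


def digest_int(data: bytes) -> int:
    """SHA-256 of the payload as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def publisher_sign(payload: bytes) -> int:
    """Sign the payload digest with the private exponent."""
    return pow(digest_int(payload), D, N)


def client_verify(payload: bytes, signature: int) -> bool:
    """Check the signature using the public key (N, E) only."""
    return pow(signature, E, N) == digest_int(payload)


def tamper(payload: bytes) -> bytes:
    """Model an in-flight modification on a plain-HTTP hop: flip one bit."""
    return bytes([payload[0] ^ 0x01]) + payload[1:]


def install_from(attempts):
    """Verify each delivered (payload, signature) pair, discard failures and
    move on to the next delivery. Returns (payload, rejected_count)."""
    rejected = 0
    for payload, signature in attempts:
        if client_verify(payload, signature):
            return payload, rejected
        rejected += 1
    raise ValueError("no delivery passed signature verification")


# Constructed sample data, not a real update package.
PACKAGE = b"constructed sample update package v1"
SIGNATURE = publisher_sign(PACKAGE)

if __name__ == "__main__":
    deliveries = [
        (tamper(PACKAGE), SIGNATURE),  # payload modified in flight
        (PACKAGE, SIGNATURE + 1),      # signature modified in flight
        (PACKAGE, SIGNATURE),          # clean delivery
    ]
    payload, rejected = install_from(deliveries)
    print(f"accepted {len(payload)} bytes after rejecting {rejected} deliveries")
```

The check depends only on the public key and the bytes received, so it gives the same answer whether the delivery arrived over HTTP or HTTPS.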
    • #219453

      P.S. I ran that Windows 7 KB3177467 back when it came out.  It’s been a recommended patch for 7 (and servers) for a long long time.  http://wu.krelay.de/en/ has had it listed for many many months.  Don’t beat up Microsoft over something that should have been installed a long time ago….other than it showcases that lack of trust of patching isn’t new.

      Susan Bradley Patch Lady

      5 users thanked author for this post.
      • #219457

        Susan Bradley: “Don’t beat up Microsoft over something that should have been installed a long time ago….other than it showcases that lack of trust of patching isn’t new.”

        So, to be clear about the Patch Lady’s point, that might be a decisive one here: having installed KB3177467 back when, is one now quite free from the problem this thread is about?

        And, if one has not installed it yet, is it OK to go ahead and install it now? (First I must confess here that I am patched with all this year’s patches through August.)

         

        Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        Waterfox "Current" and (now and then) Chrome. also Intego AV and Malwarebytes for the Mac.

        1 user thanked author for this post.
        • #219462

          KB3177467 is one of the updates that you probably installed two years ago and never realized it.

          If you had the dreaded slow scanning for updates, you probably installed it a year ago and forgot about it.  It’s safe to install and if you don’t have it now, you should have it now.

          Try to install it, if you already have it installed, it will let you know that it’s already installed.

          Susan Bradley Patch Lady

          5 users thanked author for this post.
          • #219463

            P.P.S., yes if you installed it then, you wouldn’t see this installation error problem.

            Susan Bradley Patch Lady

            1 user thanked author for this post.
            • #219944

              Went through installed updates list back to 2016 and couldn’t find KB3177467 so thought I would download and install through MS. Started to download and then a window popped up with the message “This update does not apply to your computer.” Patched up through August 2018. No errors ever encountered. What gives? Win 7 Pro x64, SP1, i7-core Haswell

            • #219946

              It was already installed. You just didn’t find it.

              1 user thanked author for this post.
            • #220230

              kb3177467-installed

              see the pic – enough said

      • #219474

        Don’t beat up Microsoft over something that should have been installed a long time ago

        Beating up seems fair. A 2 year old patch showed up after installing the usual August 2018 patches and rebooting. That looks like an error. Why was it not listed along with the other Aug patches? Why does it first show up 2 years late? If that’s not a bug, what is? Nothing said to an end user that it was critical, in fact there were no documentation updates to it for 2 years.

        And, the heavy use of port 80 (at least 6 connections for a Windows Update session) is the main point. Seems fair to beat up MS for that too, whether HTTP is used for transmitting patches or for another purpose.

         

        Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

        1 user thanked author for this post.
    • #219493

      With all due respect, didn’t we already discuss this similar subject? 🙂

      Microsoft using insecure HTTP links to distribute security patches through the Update Catalog

      do you think malware hackers would not have taken WU years ago if it was that insecure?

      3 users thanked author for this post.
      • #219573

        do you think malware hackers would not have taken WU years ago if it was that insecure?

        Perhaps they already have since July 2015, Microsoft AI 😀

        | Quality over Quantity |
      • #219584

        Similar topic, but not exactly the same. Still, it does show the mindset at Microsoft – secure transmission of data is not important. I hope to test Susan’s claim that you can block outgoing port 80 connections and Windows Update will still work… Even if true though, the bigger issue is about Microsoft themselves and whether the company deserves to be trusted.

        Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

    • #219492

      ? says:

      with all due respect please google “KB3177467 problem.” you will find many links that show people having problems installing the “update” since it was released. i chose not to install it then and have fully patched 5 windows 7 Pro 32bit installations (b style) current to September 11 without installing it. I downloaded it to linux and looked at the files and did not see anything untoward within. no digitrack (Diagnostic Tracking Service) or CEIP or get winx either. i will consider installing it in the future if need be. win 7 is on the way out soon anyway. tip of the hat to abbodi86 in post #219238 “how to [neuter] telemetry…” it took me much searching and time a few years ago to apply his method without the comprehensive guide he posted earlier today. i keep wondering why Microsoft spends so much time and money working to completely control windows7 when it is all but finished and causing customers so much lost time trying to keep it secure and operating in a satisfactory manner. call me naive. for example i was able to fully patch windows xp pro in under 4 minutes earlier today.

      • #219659

        ? says: with all due respect please google “KB3177467 problem.” you will find many links that show people having problems installing the “update” since it was released…

        All of this was not due to the update itself, but instead was due to MS deliberately throttling Windows Update on Win7 computers. There is no other possible explanation since the issues occurred whether or not KB3177467 was installed, and since all of the issues instantly disappeared after Microsoft ended its GWX campaign.

        1 user thanked author for this post.
    • #219506

      Anonymous (#219492): “i keep wondering why Microsoft spends so much time and money working to completely control windows7 when it is all but finished”

      I have found that, in human affairs, there are some big groups, organizations, companies, etc. that are oriented mostly towards:

      (1) Preeminence (to do anything they want).

      (2) Control (to achieve and maintain (1) — and because they can’t help themselves).

      (3) Respect (to them).

      MS has been, since Bill Gates on, mostly about (1) and (2).

      Early example and harbinger of things to come: IE imposed as the default browser.

      It took a serious court battle to end that:

      https://www.britannica.com/technology/Internet-Explorer

      Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      Waterfox "Current" and (now and then) Chrome. also Intego AV and Malwarebytes for the Mac.

    • #219586

      I just checked and the update catalog is now served over HTTPS (wasn’t too long ago that it was still using HTTP). The links to the catalog from the Windows 10 update changelog pages still point to the HTTP site though (it will then redirect to HTTPS, but as I’ve been told, there’s still the opportunity to hijack a connection even if HTTP is used only briefly to redirect to HTTPS).

      I never update from Windows Update anymore (I use Windows 10, which should be self-explanatory as to why I don’t use Windows Update). I download my updates from the catalog and install them there. More control, and as a plus I can uninstall them later through the Control Panel. Get off my lawn, Microsoft.

      • #219606

        I never update from Windows Update anymore (I use Windows 10, which should be self-explanatory as to why I don’t use Windows Update). I download my updates from the catalog and install them there. More control, and as a plus I can uninstall them later through the Control Panel. Get off my lawn, Microsoft.

        You can uninstall any Windows 10 update through Control Panel:

        How to Uninstall a Windows Update in Windows 10

        Windows 10 Pro version 21H2 build 19044.1387 + Microsoft 365 (group ASAP)

    • #219833

      Just because data is transmitted via port 80, it does not mean the data is not encrypted. All the HTTPS hype is just that — and doesn’t make anything more secure.

      • #219848

        I may be reading into your short comment here, and apologise if that is so.

        Reading in previous discussions led me to believe that Windows update transmissions are secured by signatures and verifying hashed checksum values without relying on the additional hurdle of the HTTPS protocol.

        If I am repeating a misunderstanding, I offer an apology for that as well.

        • #219872

          Using SOAP Secure Message for end-to-end encryption of the payload ensures that things are secure, even over HTTP. That’s what Microsoft is using for data transfers over port 80.

      • #219924

        Just because data is transmitted via port 80, it does not mean the data is not encrypted.

        Technically this is true, but very very unlikely. And HTTPS is not hype. It is not perfect but it does make things more secure. And, the flip side is that there is no excuse to still use HTTP when updating the operating system. I suspect the reason is that MS does not care.

        Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

    • #219927

      Using SOAP Secure Message for end-to-end encryption of the payload ensures that things are secure, even over HTTP. That’s what Microsoft is using for data transfers over port 80.

      Where did you read this? Verifying it requires packet sniffing the traffic and trying to decrypt the data (if it is encrypted). And, even if they are sending encrypted data over HTTP, the fact remains that there is no reason not to use HTTPS. And, HTTP traffic can be modified in flight, so they need to detect and fix that too, something HTTPS already does.

      Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

      • #220102

        SOAP Secure Message ensures that data is not tampered with. HTTPS just encrypts the transport, not the payload — and, other than SOAP Secure Message, HTTPS does not protect against man-in-the-middle attacks. And yes, there’s way too much hype about HTTPS and the HTTPS fanboys should do their homework before parroting nonsense.

    • #219931

      imho, so humble I won’t capitalise it, we have more worries about poorly tested and broken updates than intercepted and maliciously changed updates. I think there are years worth of data points to back this conjecture on both sides of the argument.

      It may be far easier to discuss how little Microsoft cares about end consumers in the realm of customer service transparency, agility, reliability &c.
