  • Horowitz: Windows Update on Win7 is not secure

      • #219399 Reply
        woody
        Da Boss

        Interesting discussion from Michael Horowitz: When you run Windows Update on Windows 7 (I did not test other versions of Windows) it opens MANY connec
        [See the full post at: Horowitz: Windows Update on Win7 is not secure]

        6 users thanked author for this post.
      • #219403 Reply
        WildBill
        AskWoody Plus

        Windows 7: “Cortana, is that you?”

        Windows 8.1, 64-bit, back in Group A... & leaning toward Windows 10 V2004. As long as it's a Lot Less Buggy!
        Wild Bill Rides Again...

        2 users thanked author for this post.
      • #219422 Reply
        Seff
        AskWoody Plus

        Just another reason why Windows 7 users may be better off when January 2020 arrives, or sooner if they so choose.

        2 users thanked author for this post.
        • #219468 Reply
          cesmart4125
          AskWoody Plus

          @Seff  I guess I’ll be taking that course on updating Windows 10 and a course on Windows 10 itself.

          • #219662 Reply
            Seff
            AskWoody Plus

            Not what I had in mind, but if that option appeals to you then I believe someone not a million miles from this site has written a book that will tell you all you need to know about Windows 10 ;}!

      • #219423 Reply
        anonymous
        Guest

        I seem to remember from my wet brain database, not always to be trusted, that we had a similar in depth discussion about WU (WIN7) security over open ports using insecure protocols by design. This was less than a year ago but before Christmas. I am not sure how much of this is new information, or recovering ground already tread. It might take a while to find. If I do, I’ll link here.

        • #219425 Reply
          PKCano
          Da Boss

          Yes, I seem to recall hashing this out at an earlier time. Seems MS said it was by design. It seems there was something about the Catalog downloads being http then too, although I see https now.

          1 user thanked author for this post.
          • #219431 Reply
            anonymous
            Guest

            @pkcano , possibly not for publication, edit as you see fit

            Either my timeframe is wrong, my search terms are inadequate, or I’m flat out wrong. But I did find enough topic discussions that reminded me there is a period or group of subjects lost to the void around a year ago. As I am not on the inside loop, I do not know if the missing material was the result of an underpowered server reaching its limitations; or if there was material removed because it elicited attacks.

            I do not need to know one way or the other, only hoping to jostle loose a remembered thought for you. I may be barking up the wrong tree in the wrong forest.

            • #219436 Reply
              PKCano
              Da Boss

              Don’t think it’s lost, just think you can’t find it (yet?)

              • #219488 Reply
                anonymous
                Guest

                I apologize for suggesting this without finding it first. Thanks for the encouragement to search. I’ve run down the front page articles list in the time frame, but thought it was introduced in the lounge. So I dug into archived replies by likely candidates who would have been interested. I either have a blind spot, a false memory, or correctly suspect it was lost during a stressful time. In any case, I’ve chased the wild goose and gone hungry. The goose won.

      • #219428 Reply
        The Surfing Pensioner
        AskWoody Plus

        All the more reason to use it only when absolutely necessary.

        1 user thanked author for this post.
      • #219432 Reply
        fernlady
        AskWoody Lounger

        Isn’t that just ducky

        Windows 7 Home Premium x64 AMD Group A Realtek PCLe GBE Family Controller

        1 user thanked author for this post.
      • #219434 Reply
        geekdom
        AskWoody Plus

        What is the work around?

        Is it necessary to do a work around?

        G{ot backup} TestBeta
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3
        online▸ Win10Pro 2004.19041.572 x64 i5-9400 RAM16GB HDD Firefox83.0b4 WindowsDefender
        TargetReleaseVersion=1909
        WUMgr
      • #219433 Reply
        anonymous
        Guest

        What, me worry? A Windows 7 system is at far greater risk of getting borked by a Microsoft update than by a man-in-the-middle or spoofing attack.

        11 users thanked author for this post.
        • #219440 Reply
          lurks about
          AskWoody Plus

          Now that’s a scary thought

          • #219640 Reply
            Charlie
            AskWoody Plus

            Indeed it is.

            My memory is still good...but access time is down.

      • #219445 Reply
        b
        AskWoody Plus

        WINDOWS UPDATE BUGS
        The buggy nature of Windows Update on Windows 7 last got publicity when it would take half a day to figure out the missing patches. This month, it was shamed for failing to install the August and September monthly updates because it had failed to update itself first.
        A bug fix to Windows Update (KB3177467) was issued in October of 2016, and a system without this fix ran fine until very recently, when Windows Update failed with a 0x8000FFFF error for many people. Woody Leonhard covered the details in Computerworld.
        John Wilcox of Microsoft offered an explanation for the problem where he wrote “when we released the Windows 7 SP1 servicing stack update (KB3177467) it was marked ‘critical.’ ” Yet, on August 25, 2018, I tweeted about a Windows 7 system that installed all the available August 2018 patches and then, after the mandatory reboot, wanted to install KB3177467. Nothing said that KB3177467 was critical. I wondered why a two year old patch appeared after installing all the current patches. The 2016 patch was checked by default, but it looked and felt like a Windows Update bug, so I didn’t install it.

        That’s the trouble when you let users decide which updates to install: They guess wrong and it comes back to bite them, even if it is years later.

      • #219447 Reply
        OscarCP
        AskWoody Plus

        Would this apply to anything offered as checked by Windows Update when one has WU set to “let me know but let me decide what and when to install”?

        I understand from the previous discussion here (and, please, correct me if I’m wrong in this) that, being in Group B, when I download Win 7 updates (Security Only and IE11) from the Catalog, this is not a problem.

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

        • #219449 Reply
          PKCano
          Da Boss

          Would this apply to anything offered as checked by Windows Update when one has WU set to “let me know but let me decide what and when to install”?

          The discussion applies to any updates delivered through the Windows built-in Windows Update mechanism, whether checked by default or checked by the user, no matter what their settings are.

          Updating Windows (from Catalogue downloads) is not the same as updating through Windows Update

          3 users thanked author for this post.
          • #219471 Reply
            cesmart4125
            AskWoody Plus

            @PKCano In this situation, how does MS Update Catalog differ from Windows Update?  Thanks in advance for answering my question.

      • #219450 Reply
        Susan Bradley
        AskWoody MVP

        In the back recesses of my mind the Windows updating process is digitally signed.  The bits of the patches are put together based on these signed bits of code. If any patch doesn’t reorganize properly the operating system will throw out the bad bits and try again.  “it can also be modified in-flight”   Irrelevant and doesn’t matter.  Even if bits are modified in flight Windows update on the client puts the bits together, checks the digital signature and as long as the check sums align up, it will stamp it as good code and install.

        Remember the Flame malware and the resulting code signing cert/WSUS patching we all did a few years back?  https://en.wikipedia.org/wiki/Flame_%28malware%29  The certificate process ensures we get good code.

        Now as far as how bad windows update diagnostics is… well…

        Susan Bradley Patch Lady

        10 users thanked author for this post.
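
Added example, not part of the original thread or any poster's words: the post above describes a signature check inside the Windows Update client; a manual Authenticode check on a package downloaded from the Update Catalog shows the same principle, since a payload altered in transit no longer validates. The folder `C:\Updates` and the function name `Test-UpdatePackageSignature` are assumptions made for illustration.

```powershell
# Added example: check the Authenticode signature of update packages that were
# downloaded by hand before installing them. Uses only cmdlets available in the
# PowerShell 2.0 that ships with Windows 7.

function Test-UpdatePackageSignature {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Path
    )
    process {
        $sig    = Get-AuthenticodeSignature -FilePath $Path
        $signer = $sig.SignerCertificate

        # 'Valid' means the file hash matches the signed hash AND the
        # certificate chain ends in a root this machine trusts.
        # A file modified in flight reports 'HashMismatch' instead.
        $intact = ($sig.Status -eq 'Valid')

        # A valid signature from an unrelated publisher is not enough:
        # require the signer's organisation to be Microsoft.
        $fromMicrosoft = ($signer -ne $null) -and
                         ($signer.Subject -match 'O=Microsoft Corporation')

        # Unsigned files have no signer certificate at all.
        $subject = '(none)'
        if ($signer -ne $null) { $subject = $signer.Subject }

        New-Object PSObject -Property @{
            File        = [System.IO.Path]::GetFileName($Path)
            Status      = $sig.Status
            Signer      = $subject
            Timestamped = ($sig.TimeStamperCertificate -ne $null)
            Trusted     = ($intact -and $fromMicrosoft)
        } | Select-Object File, Status, Trusted, Timestamped, Signer
    }
}

# Placeholder folder holding packages saved from the Update Catalog.
$downloadFolder = 'C:\Updates'

if (Test-Path $downloadFolder) {
    $results = Get-ChildItem -Path $downloadFolder -Filter *.msu |
        ForEach-Object { Test-UpdatePackageSignature -Path $_.FullName }

    $results | Format-List

    # Name anything that failed so it is not installed by mistake.
    $results | Where-Object { -not $_.Trusted } | ForEach-Object {
        Write-Warning ("Do not install {0}: signature status is {1}" -f $_.File, $_.Status)
    }
}
```

A package that reports `NotSigned`, `HashMismatch` or `NotTrusted` should be deleted and downloaded again rather than installed.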
      • #219453 Reply
        Susan Bradley
        AskWoody MVP

        P.S. I ran that Windows 7 KB3177467 back when it came out.  It’s been a recommended patch for 7 (and servers) for a long long time.  http://wu.krelay.de/en/ has had it listed for many many months.  Don’t beat up Microsoft over something that should have been installed a long time ago….other than it showcases that lack of trust of patching isn’t new.

        Susan Bradley Patch Lady

        5 users thanked author for this post.
        • #219457 Reply
          OscarCP
          AskWoody Plus

          Susan Bradley: “Don’t beat up Microsoft over something that should have been installed a long time ago….other than it showcases that lack of trust of patching isn’t new.”

          So, to be clear about the Patch Lady’s point, that might be a decisive one here: having installed KB3177467 back when, is one now quite free from the problem this thread is about?

          And, if one has not installed it yet, is it OK to go ahead and install it now? (First I must confess here that I am patched with all this year’s patches through August.)

           

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

          1 user thanked author for this post.
          • #219462 Reply
            Susan Bradley
            AskWoody MVP

            KB3177467 is one of the updates that you probably installed two years ago and never realized it.

            If you had the dreaded slow scanning for updates, you installed probably a year ago and forgot about it.  It’s safe to install and if you don’t have it now, you should have it now.

            Try to install it, if you already have it installed, it will let you know that it’s already installed.

            Susan Bradley Patch Lady

            5 users thanked author for this post.
            • #219463 Reply
              Susan Bradley
              AskWoody MVP

              P.P.S., yes if you installed it then, you wouldn’t see this installation error problem.

              Susan Bradley Patch Lady

              1 user thanked author for this post.
              • #219944 Reply
                Demeter
                AskWoody Plus

                Went through installed updates list back to 2016 and couldn’t find KB3177467 so thought I would download and install through MS. Started to download and then a window popped up with the message “This update does not apply to your computer.” Patched up through August 2018. No errors ever encountered. What gives? Win 7 Pro x64, SP1, i7-core Haswell

              • #219946 Reply
                PKCano
                Da Boss

                It was already installed. You just didn’t find it.

                1 user thanked author for this post.
              • #220230 Reply
                EP
                AskWoody_MVP

                kb3177467-installed

                see the pic – enough said

                Attachments:
        • #219474 Reply
          Michael432
          AskWoody_MVP

          Don’t beat up Microsoft over something that should have been installed a long time ago

          Beating up seems fair. A 2 year old patch showed up after installing the usual August 2018 patches and rebooting. That looks like an error. Why was it not listed along with the other Aug patches? Why does it first show up 2 years late? If that’s not a bug, what is? Nothing said to an end user that it was critical, in fact there were no documentation updates to it for 2 years.

          And, the heavy use of port 80 (at least 6 connections for a Windows Update session) is the main point. Seems fair to beat up MS for that too, whether HTTP is used for transmitting patches or for another purpose.

           

          Get up to speed on router security at RouterSecurity.org

          1 user thanked author for this post.
      • #219493 Reply
        abbodi86
        AskWoody_MVP

        With all due respect, didn’t we already discuss this similar subject? 🙂

        Microsoft using insecure HTTP links to distribute security patches through the Update Catalog

        do you think malware hackers would not have taken WU years ago if it was that insecure?

        3 users thanked author for this post.
        • #219573 Reply
          Microfix
          AskWoody MVP

          do you think malware hackers would not have taken WU years ago if it was that insecure?

          Perhaps they already have since July 2015, Microsoft AI 😀

          Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L
        • #219584 Reply
          Michael432
          AskWoody_MVP

          Similar topic, but not exactly the same. Still, it does show the mindset at Microsoft – secure transmission of data is not important. I hope to test Susan’s claim that you can block outgoing port 80 connections and Windows Update will still work… Even if true though, the bigger issue is about Microsoft themselves and whether the company deserves to be trusted.

          Get up to speed on router security at RouterSecurity.org

      • #219492 Reply
        anonymous
        Guest

        ? says:

        with all due respect please google “KB3177467 problem.” you will find many links that show people having problems installing the “update” since it was released. i chose not to install it then and have fully patched 5 windows 7 Pro 32bit installations (b style) current to September 11 without installing it. I downloaded it to linux and looked at the files and did not see anything untoward within. no digitrack (Diagnostic Tracking Service) or CEIP or get winx either. i will consider installing it in the future if need be. win 7 is on the way out soon anyway. tip of the hat to abbodi86 in post #219238 “how to [neuter] telemetry…” it took me much searching and time a few years ago to apply his method without the comprehensive guide he posted earlier today. i keep wondering why Microsoft spends so much time and money working to completely control windows7 when it is all but finished and causing customers so much lost time trying to keep it secure and operating in a satisfactory manner. call me naive. for example i was able to fully patch windows xp pro in under 4 minutes earlier today.

        • #219659 Reply
          GoneToPlaid
          AskWoody Plus

          ? says: with all due respect please google “KB3177467 problem.” you will find many links that show people having problems installing the “update” since it was released…

          All of this was not due to the update itself, but instead was due to MS deliberately throttling Windows Update on Win7 computers. There is no other possible explanation since the issues occurred whether or not KB3177467 was installed, and since all of the issues instantly disappeared after Microsoft ended its GWX campaign.

          1 user thanked author for this post.
      • #219506 Reply
        OscarCP
        AskWoody Plus

        Anonymous (#219492): “i keep wondering why Microsoft spends so much time and money working to completely control windows7 when it is all but finished”

        I have found that, in human affairs, there are some big groups, organizations, companies, etc. that are oriented mostly towards:

        (1) Preeminence (to do anything they want).

        (2) Control (to achieve and maintain (1) — and because they can’t help themselves).

        (3) Respect (to them).

        MS has been, since Bill Gates on, mostly about (1) and (2).

        Early example and harbinger of things to come: IE imposed as the default browser.

        It took a serious court battle to end that:

        https://www.britannica.com/technology/Internet-Explorer

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

      • #219586 Reply
        anonymous
        Guest

        I just checked and the update catalog is now served over HTTPS (wasn’t too long ago that it was still using HTTP). The links to the catalog from the Windows 10 update changelog pages still point to the HTTP site though (it will then redirect to HTTPS, but as I’ve been told, there’s still the opportunity to hijack a connection even if HTTP is used only briefly to redirect to HTTPS).

        I never update from Windows Update anymore (I use Windows 10, which should be self-explanatory as to why I don’t use Windows Update). I download my updates from the catalog and install them there. More control, and as a plus I can uninstall them later through the Control Panel. Get off my lawn, Microsoft.

        • #219606 Reply
          b
          AskWoody Plus

          I never update from Windows Update anymore (I use Windows 10, which should be self-explanatory as to why I don’t use Windows Update). I download my updates from the catalog and install them there. More control, and as a plus I can uninstall them later through the Control Panel. Get off my lawn, Microsoft.

          You can uninstall any Windows 10 update through Control Panel:

          How to Uninstall a Windows Update in Windows 10

      • #219833 Reply
        anonymous
        Guest

        Just because data is transmitted via port 80, it does not mean the data is not encrypted. All the HTTPS hype is just that — and doesn’t make anything more secure.

        • #219848 Reply
          anonymous
          Guest

          I may be reading into your short comment here, and apologise if that is so.

          Reading in previous discussions led me to believe that Windows update transmissions are secured by signatures and verifying hashed checksum values without relying on the additional hurdle of the HTTPS protocol.

          If I am repeating a misunderstanding, I offer an apology for that as well.

          • #219872 Reply
            anonymous
            Guest

            Using SOAP Secure Message for end-to-end encryption of the payload ensures that things are secure, even over HTTP. That’s what Microsoft is using for data transfers over port 80.

        • #219924 Reply
          Michael432
          AskWoody_MVP

          Just because data is transmitted via port 80, it does not mean the data is not encrypted.

          Technically this is true, but very very unlikely. And HTTPS is not hype. It is not perfect but it does make things more secure. And, the flip side is that there is no excuse to still use HTTP when updating the operating system. I suspect the reason is that MS does not care.

          Get up to speed on router security at RouterSecurity.org

      • #219927 Reply
        Michael432
        AskWoody_MVP

        Using SOAP Secure Message for end-to-end encryption of the payload ensures that things are secure, even over HTTP. That’s what Microsoft is using for data transfers over port 80.

        Where did you read this? Verifying it requires packet sniffing the traffic and trying to decrypt the data (if it is encrypted). And, even if they are sending encrypted data over HTTP, the fact remains that there is no reason not to use HTTPS. And, HTTP traffic can be modified in flight, so they need to detect and fix that too, something HTTPS already does.

        Get up to speed on router security at RouterSecurity.org

        • #220102 Reply
          anonymous
          Guest

          SOAP Secure Message ensures that data is not tampered with. HTTPS just encrypts the transport, not the payload — and, other than SOAP Secure Message, HTTPS does not protect against man-in-the-middle attacks. And yes, there’s way too much hype about HTTPS and the HTTPS fanboys should do their homework before parroting nonsense.

      • #219931 Reply
        anonymous
        Guest

        imho, so humble I won’t capitalise it, we have more worries about poorly tested and broken updates than intercepted and maliciously changed updates. I think there are years worth of data points to back this conjecture on both sides of the argument.

        It may be far easier to discuss how little Microsoft cares about end consumers in the realm of customer service transparency, agility, reliability &c.
