• Microsoft Click-to-Run update: Is it legitimate?

    Home » Forums » Cyber Security Information and Advisories » Code Red – Security/Privacy advisories » Microsoft Click-to-Run update: Is it legitimate?

    Author
    Topic
    #495996

    On my little ASUS Win7 notebook, I’ve been getting a pop-up offering an online update for my Office 2010 Starter Edition (click-to-run). I’ve used the notebook for about 3 years and Office 2010 has been on it since the beginning. I’ve never seen any message like this before; it doesn’t look “Microsoft-ish”. I keep the notebook updated with the latest updates from Microsoft and other applications. I did full scans with MalwareBytes and Microsoft Security Essentials, which showed no problems.

    Here’s an image of the pop-up:

    37642-CTR-popup

    Is this thing legitimate? I did an online chat with Microsoft and the only thing they offered was a link on how to uninstall Office 2010! Not something I want to do.

    Thanks in advance for any info.

    Ron Hodges

    Viewing 14 reply threads
    Author
    Replies
    • #1464224

      Ron,

      Certainly sounds fishy to me. You could try running it in a Virtual Machine.

      Zig

    • #1464230

      Click to Run is a type of virtualization technology used both on Office 2010 and Office 2013. Here is more info on what it is: http://office.microsoft.com/en-us/products/what-is-click-to-run-HA101868855.aspx

      I suggest that you check the running processes to see what is running. With Office 2013, there is a process identified as Click to Run whenever there is an Office update.

      Without further info, I would risk that it can perfectly be a legitimate offering, but only further checking can ensure that it is.

    • #1464234

      Office 2010 has an auto update facility. This is what you are seeing in operation. If you go to Control Panel, Windows updates and check for updates, you will probably see it offered as an optional update.

    • #1464368

      Thanks to everyone for their responses! I did some more research and have the following additional info:

      1 – The Click-to-Run window only shows up after a cold boot or restart. It doesn’t pop up immediately; only after starting another app such as browser, game, e-mail, etc.

      2 – I close the window with the red X in the upper right corner. It does not show up again until I restart/reboot the system.

      3 – The windows shows up the Task Manager with an Applicatin name of “Click to Run”. The process associated with the window is “csrss.exe”. A search for this program shows up two instances, one in WindowsSystem32 and one in a subfolder of WindowsWinsxs. Both instances are the same size and date (07/13/2009).

      4 – I have received other updates to Office 2010, but always they showed up in Windows Update. The Click-to-Run window has never shown up prior to a few days ago. There are no updates waiting in Windows Update, either recommended or optional.

      5 – Some virus cases have exploited csrss.exe in the past but always shows massive CPU utilization or odd-ball versions of csrss.exe in other directories. Not so in my case (so far).

      6 – Zig suggested running the program in a virtual machine. I don’t know how to do this and there doesn’t appear to be a specific program associated with the pop-up window other than the normal Windows process csrss.exe .

      One thought I had was that maybe this is some sort of update to the Click-to-Run feature itself and not a regular Office update? That raises the question whether it’s legitimate or not.

      If it persists, I’ll probably just uninstall Office 2010 Starter Edition. I’m happy with LibreOffice on my big computer and Wordpad is adequate for quick documents on the laptop.

      Any other thoughts/info are welcome. Thanks again for the input so far!

      Ron

    • #1464373

      Is your Office 2010 a click to run version? See if the info here helps to determine that: http://www.onenotegem.com/blog/category/office%20tips

      • #1464375

        Is your Office 2010 a click to run version?

        Thanks ruirib – Yes, it’s Office 2010 Starter Edition – click to run.

        Thanks also for the link! I looked it over and explored the Help area of my Word 2010 program and found the information on updates.

        I now tend to agree with your earlier comment that it’s probably a legitimate update. But, I’m not sure why I’m getting the pop-up now and not over the past 3 years. Maybe it’s a really important update.

        There apparently was one or more updates to Office on Aug 12-13 and that’s about when I started seeing the pop-up. I’ll dig a bit further and maybe I can apply the update in some manner that does not use the pop-up window. I’m still suspicious.

        Thanks again…
        Ron

    • #1464376

      Further discussion of this issue:

      Why is “Click to Run” message suddenly popping up after years of Office 2010?

      Official Word Starter update?

      I would click OK (or uninstall it).

      Bruce

    • #1464377

      I am not sure if it is the same in Office 2010, but in Office 2013, if you click the Update Options (shown below), the first option available is Update Now. That option will make Office check if there are updates and will apply them. This will be a safe way to check it and if it completes, the “problem” dialog should go away.

      37660-CaptureClickToRun

      • #1464378

        Ruirib – I was looking for the same thing, but apparently Office 2010 Starter does NOT have the Update Now option.

        And, thanks to BruceR for the links. Looks like others are starting to see the problem and report it also. It will be interesting to see what the “official” Microsoft response to this issue is, if any.

        Ron

    • #1464381

      It seems unlikely that quite a few Office users would get this if it was not a legitimate popup. At the end of one of the threads, someone said they had clicked to install and it seemed to be ok.

    • #1464388

      When the popup first appeared a few days ago, I started running through many of the considerations and checks others in the thread have also done. What’s been bothering me about the popup is that there are several red flags that would make me suspicious about any such message: poor grammar/typing (“internet” is not capitalized; a blank space appears before the question mark) and there’s nothing the least bit “official-looking” to indicate Microsoft Corporation had anything to do with the message, other than the words “Microsoft” and “Office.” The message itself looks borderline amateurish and unofficial. And the update not appearing in the list of pending (optional or otherwise) Microsoft updates (yes, that was the first thing I checked) added to my skepticism. But I’ve yet to see a definitive consensus on the Web on this issue. Where is Microsoft on this one? You’d think the update notice has popped up on enough computers that Microsoft would have publicly declared “yes, we’re making this message pop up and it’s legitimate” (and “[yes/no], it [will/won’t] affect other versions of Office installed on the computer). Or “no, don’t believe the popup–it’s not from us.” I’m going to need some more convincing before I click “yes.”

      • #1464403

        When the popup first appeared a few days ago, I started running through many of the considerations and checks others in the thread have also done. What’s been bothering me about the popup is that there are several red flags that would make me suspicious about any such message: poor grammar/typing (“internet” is not capitalized; a blank space appears before the question mark) and there’s nothing the least bit “official-looking” to indicate Microsoft Corporation had anything to do with the message, other than the words “Microsoft” and “Office.” The message itself looks borderline amateurish and unofficial. And the update not appearing in the list of pending (optional or otherwise) Microsoft updates (yes, that was the first thing I checked) added to my skepticism. But I’ve yet to see a definitive consensus on the Web on this issue. Where is Microsoft on this one? You’d think the update notice has popped up on enough computers that Microsoft would have publicly declared “yes, we’re making this message pop up and it’s legitimate” (and “[yes/no], it [will/won’t] affect other versions of Office installed on the computer). Or “no, don’t believe the popup–it’s not from us.” I’m going to need some more convincing before I click “yes.”

        With Office 2013, updates come through Click and Run, so updates not being in the Windows Update list is not surprising. The Click to Run dialogs in Office 2013 are professional looking though.

        With some many people having the same dialog, I have now little doubts about this being legitimate.

    • #1464406

      It doesn’t trigger any alarms for me. Office Starter 2010 is extremely low priority for Microsoft except where it pertains to advertising for upgrading to some form of subscription service, so I make some allowances for method of informing that there is an update.

      Specifically, the message does not come up on any system that does not have Starter 2010 installed as far as I know. That’s giving a virus writer waaay to much credit for targeted specificity, although not beyond very remote possibility. My fear is more to the possibility that the click to run update purposely cripples something in Starter 2010!

    • #1464613

      you regularly update anyway, and it ain’t broke, don’t fix it !

      On my little ASUS Win7 notebook, I’ve been getting a pop-up offering an online update for my Office 2010 Starter Edition (click-to-run). I’ve used the notebook for about 3 years and Office 2010 has been on it since the beginning. I’ve never seen any message like this before; it doesn’t look “Microsoft-ish”. I keep the notebook updated with the latest updates from Microsoft and other applications. I did full scans with MalwareBytes and Microsoft Security Essentials, which showed no problems.

      Here’s an image of the pop-up:

      37642-CTR-popup

      Is this thing legitimate? I did an online chat with Microsoft and the only thing they offered was a link on how to uninstall Office 2010! Not something I want to do.

      Thanks in advance for any info.

      Ron Hodges

      • #1465033

        OK – my curiosity got the better of me. I just had to run the update to see what would happen.

        First of all, I did an image backup of my entire drive. Next I disconnected from my local network and rebooted. After a few minutes, the Click-To-Run update message appeared. I clicked the “Yes” button and waited.

        After just a few minutes, the following pop-up message appeared:
        37712-image_1

        That was reassuring but still not very “official” looking. At any rate, I went back into my supposedly updated version of Word 2010 Starter and looked at the Help page. Below is a comparison of the before and after of the version numbers:
        37713-image_2

        If the info is correct, there was NO UPDATE to Word 2010. Instead, there is a version change reflected in the “Click To Run” product. This seems to confirm my thought that it was, indeed, an update to the CTR feature and not to the actual Word product.

        As a final step, I ran full malware scans to Security Essentials and Malware Bytes. Nothing showed up and the system has run correctly since.

        So, I guess it was a valid update, but really poorly handled at the source. And, I still have the system image in case “stuff” shows up later.

        Thanks for all the input!!

        Ron

        • #1465322

          OK – my curiosity got the better of me. I just had to run the update to see what would happen.

          First of all, I did an image backup of my entire drive. Next I disconnected from my local network and rebooted. After a few minutes, the Click-To-Run update message appeared. I clicked the “Yes” button and waited.

          After just a few minutes, the following pop-up message appeared:
          37712-image_1

          That was reassuring but still not very “official” looking. At any rate, I went back into my supposedly updated version of Word 2010 Starter and looked at the Help page. Below is a comparison of the before and after of the version numbers:
          37713-image_2

          If the info is correct, there was NO UPDATE to Word 2010. Instead, there is a version change reflected in the “Click To Run” product. This seems to confirm my thought that it was, indeed, an update to the CTR feature and not to the actual Word product.

          As a final step, I ran full malware scans to Security Essentials and Malware Bytes. Nothing showed up and the system has run correctly since.

          So, I guess it was a valid update, but really poorly handled at the source. And, I still have the system image in case “stuff” shows up later.

          Thanks for all the input!!

          Ron

          I have been getting this too, and I don’t even use the starter version of 2010 except when it gets launched accidentally by me, which is very rare. I also looked in the windows update area and nothing was listed, but I am getting these same update dialogs. It seems extremely odd for the reasons you have mentioned Ron. Also, this is the kicker, the update dialog has popped up at different times, including before I am even logged into windows 7! That seems to clinch it for me that this is illegitimate: what update dialog ever pops up before I am even logged into my computer?? Seems very strange! Now I need to figure out how to get rid of it, whatever it is. It may be some keylogger or something like that which wouldn’t seem to be causing a problem after you allow it to install like it would if it were a malware virus, but it may have compromised your security and be sending data to someone or allowing them to access your computer. I want to hear more about this from Microsoft officially, have they posted anything yet about it?

          • #1465383

            I have been getting this too, and I don’t even use the starter version of 2010 except when it gets launched accidentally by me, which is very rare. I also looked in the windows update area and nothing was listed, but I am getting these same update dialogs. It seems extremely odd for the reasons you have mentioned Ron. Also, this is the kicker, the update dialog has popped up at different times, including before I am even logged into windows 7! That seems to clinch it for me that this is illegitimate: what update dialog ever pops up before I am even logged into my computer?? Seems very strange! Now I need to figure out how to get rid of it, whatever it is. It may be some keylogger or something like that which wouldn’t seem to be causing a problem after you allow it to install like it would if it were a malware virus, but it may have compromised your security and be sending data to someone or allowing them to access your computer. I want to hear more about this from Microsoft officially, have they posted anything yet about it?

            For this I would suggest you check the Startup programs and Services in msconfig to see if any aspects of it are running in the background.

    • #1465035

      Thanks for posting your results.

    • #1465335

      Well, there’s actually been no evidence that it’s illegitimate so far. Since you don’t use it, you might try uninstalling Starter 2010 and see if the messages disappear. If they do, the reverse logic would indicate further that it’s legit.

      • #1465339

        Well, there’s actually been no evidence that it’s illegitimate so far. Since you don’t use it, you might try uninstalling Starter 2010 and see if the messages disappear. If they do, the reverse logic would indicate further that it’s legit.

        Thanks but I don’t rely on reverse logic when it comes to the nightmare of computer viruses or stealth data mining malware. And my main thrust was that I have never ever before seen a system popup that was legit appear before I am even logged into my computer, outside of windows and this one did.

    • #1465340

      that said I have clicked cancel several times when the dialog has come up and it didn’t cause a problem. with a virus etc. even the cancel button would potentially be rigged to cause problems, and that didn’t appear to happen this time around. although with a stealth spy program / data miner type thing it wouldn’t give off any strangeness. if its legit, its a really stupid thing Microsoft did having it be such a generic and odd dialog, and one with no option right there on the dialog to stop or delete the update. I have, though, gone in and stopped the updates in the help menu of Office starter 2010 and we shall see if the updates stop coming up now. Regardless, in this age of spying and other malware that lurks without giving itself away, it is (again) really dumb what Microsoft did with this update if indeed its legit.

    • #1465357

      There has been some speculation that it’s a Click to Run update and not an actual update to Starter 2010, in which case it probably would not go away.

      I’ve given it the green light on many systems already. The one that is similar and did cause me to be a bit leary was a pop up for WPS upgrade download and install. I put that on the back burner until one day I found out that Kings Office had changed it’s name to WPS without any apparent direct notification though I could have missed an email in the SPAM bucket.

    Viewing 14 reply threads
    Reply To: Microsoft Click-to-Run update: Is it legitimate?

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: