Inside Windows-Update

Conclusions

The details that we have documented in this article match the vague information provided by Microsoft. We believe that the biggest privacy issue with Windows Update is the list of hardware components that is transferred to the Microsoft server, which reveals the make and model of all installed PCI cards, mass storage devices, and other hardware components to Microsoft. The approach that older versions of Windows Update took was to download a complete list of updates and then filter out the relevant ones on the user's computer - without transferring any sensitive information to Microsoft. Why does the current version implement an approach that transfers the information required for the filtering from the user's computer to the Microsoft server, which then does the filtering and returns a list of updates that is tailored to the configuration of the user's computer? Bandwidth is hardly a limiting factor today and downloading a complete list of updates would probably take only a few seconds. This question therefore remains unanswered.

This does not only apply to driver updates. The server-side filtering could also be abused to determine which software is installed. Imagine that Microsoft would like to know whether you use Mozilla 1.0. It would then simply create a product category for Mozilla 1.0, e.g. mo10, add a rule for determining whether Mozilla 1.0 is installed, e.g. Mozilla 1.0 is installed if HKEY_LOCAL_MACHINE\\SOFTWARE\\Mozilla\\Mozilla 1.0 exists, and return this product category when Windows Update sends a Provider-level request to the Microsoft server. If you were using Mozilla, Windows Update would then by evaluating this rule determine that the product category mo10 applies to your computer, ask the Microsoft server to list the products by sending a Product-level request for mo10, and reveal in this way that you use Mozilla 1.0.

New product categories could also be used for more benign reasons. They make it technically very easy to open Windows Update to other software vendors. As Microsoft is trying to shift to making money with services instead of software, it might try to use the fact that most people who have Windows also have Windows Update as a lever and become the world's premier update service.

The ability of the GetSystemSpec() function of the COM component to list the software vendors of all installed software packages (<regKeys /> tag) is currently unused by Windows Update, but it might become a privacy issue in the future. Microsoft might be planning to open the Windows Update service to other software vendors, which could be the moment in which Windows Update starts using this feature of GetSystemSpec(). (mha)