Microsoft's OneCare silently changes Automatic Updates

Microsoft's consumer security software changes the AU (Automatic Updates) settings in Windows XP and Vista without telling users or getting their approval, a researcher said Thursday -- behavior that may explain recent reports of patches being installed and systems rebooting without permission.

When Microsoft responded to new charges of silent changes last week, however, it denied that AU settings were ever altered without user approval, and it didn't mention OneCare as a possible culprit.

Scott Dunn, an editor at the "Windows Secrets" newsletter, reported Thursday morning that OneCare silently changes AU settings as it installs. No matter what AU setting the user selected previously, OneCare's installer quietly changes it to the fully automatic option.

"Some security products have turned on AU in the past," said Dunn, who also tested several other current consumer suites, including Symantec's Norton 360 and Norton Internet Security, McAfee's Internet Security Suite, and Check Point Software's ZoneAlarm Internet Security Suite. "But OneCare was the only guilty party."

OneCare's willful way with AU may be an explanation for the reports two weeks ago of machines downloading and installing the Oct. 9 set of security fixes even though their owners had explicitly instructed Windows to ignore all downloads or notify them before they were installed.

Several days later, after it wrapped up an investigation, Microsoft said AU settings were never changed without user consent, and it blamed absent-minded users for making modifications and then forgetting that they had.

"I find this surprising and very disturbing," said Dunn. "If they're going to change [AU] settings, they should let you know."

Four options, down to one
In both Windows XP and Vista, users can select from four options in AU: Download and install all updates automatically; download files but do not install them without user consent; check for but neither download nor install without permission; and disable Automatic Updates entirely.

OneCare, sold for $49.95 and offered as a free 90-day trial, sets AU to the first, and all-automatic, setting, said Dunn, on both operating systems. "It does that even if Automatic Updates is completely disabled," he added. If users later uninstall OneCare -- for instance, after a trial has expired -- the software does not return the machine to the earlier settings; they must be reset by the user.

"Worse, OneCare silently turns on [Windows] services that have been disabled by the user," Dunn said, referring to the two services that some users, frustrated at earlier incidents in which Windows retrieved and installed patches without permission, have manually turned off: Automatic Updates and Background Intelligent Transfer Service. The services can be switched off manually using the Windows services.msc utility. Normally, once disabled, they remain that way until the user manually turns them back on.

ComputerWorld confirmed Dunn's account of OneCare's AU changes by installing the security suite on both Windows XP and Windows Vista.