Critical Update slipped in through the back door

[Guest]

Windows Update software 7.0.6000.381

Installation date: ‎8/‎22/‎2007 5:52 AM

Installation status: Successful

Update type: Important


My Windows Update is NOT automatic. It is set to notify me when updates are
available so that I can download them when convenient.

On my update history I found an entry with yesterdays date, 22 August,
indicating that the following had been downloaded and installed - Windows
Update Software 7.0.6000.381.

I did not download this and my Windows Update is still NOT set to automatic.

A Google check shows no results in respect of this 'update'.

This has got me really puzzled - there is no trace in Microsofts Web Site.

I cant find a description of the update can anyone shed any light on the
update thank you
--

 

[Guest]

It's an IE7 update but I'm not sure which one.

The version numbers don't match.

7.0.6000 is IE7, and the update is build 381 for the respective DLL/File.

This doesn't jive with any of the security update notifications on
Microsoft's site.

It could be a trojan/rogue installed via BITS, but that's purely speculation
on my part.

381 is a very low build number for an IE7 update, even MS07-033 has a high
build on 7.0.6000 and that's a cumulative update patch.
- --

 

[Dave M]

Well... According to Moe Green
http://forums.techarena.in/showthread.php?t=805596
the answer is here:
http://support.microsoft.com/kb/932494
But I don't see it, unless as he says it might be in the download...
then again the KB may not have been updated recently, so perhaps the
ultimate way to ensure no updates occur until you want em is to pull the
power plug at night, ...and monitor your net connection during the day<g>

 

[dean-dean]

Hi Engel,

Windows Update Software 7.0.6000.381 is an update to Windows Update itself.
It is an update for both Windows XP and Windows Vista. Unless the update is
installed, Windows Update won't work, at least in terms of searching for
further updates. Normal use of Windows Update, in other words, is blocked
until this update is installed.

In Vista, it updates the following System32 files to version 7.0.6000.381:

wucltux.dll
wuauclt.exe
wuaueng.dll
wups2.dll
wuapi.dll
wudriver.dll
wups.dll
wuapp.exe
wuwebv.dll

In XP, it updates the following system32 files to version 7.0.6000.381:

wuweb.dll
wuaueng.dll
wuapi.dll
wucltui.dll
wuaucpl.cpl
cdm.dll
wuauclt.exe
wups2.dll
wups.dll

Hope this helps.

 

[Guest]

Hi dean and Dave M,

Thank you for your input.

Still I feel unconfortable when Microsoft or anyone mess around wth any PC
with out the consente of the user.

Thank you guys.
--

 

[Dave M]

Yr Welcome, but now that dean showed us the files involved, I'm still at
..374 and I want my download too, cause now I'm backlevel.

 

[Guest]

Has anyone had this update automatically installed on a IE 7.0 - XP machine.
I show no signs of an update installed yesterday and there is nothing
available
today, Or is it just for Vista ? I see dean-dean said Vista and XP but i
see nothing.
Thanks Ron

 

[Dave M]

Try a Ms Update... I'm on XP and it's IE 6 no 7, but I got this on the
first screen:

"Update Windows to work with this website
To continue, you must first download and install the latest version of some
Windows updating software that is designed to work with the website."

Along with a hard to resist BIG update now button. Well heck if I "must".
No further info as to what it was being downloaded and installed... duh!

Sure enough, though only after a reboot, I'm now at version .381 on deans
list of files.
I guess the theory is that forcing this insures it gets installed by even
the clueless. ;o)

 

[dean-dean]

I can only speak to my own settings, which is having Automatic Updates
turned off, in both XP and Vista, on a computer which has both OS's in a
dual-boot situation.

In my situation, in Vista, I clicked on Check for Updates in the Windows
Update control panel window, and it said software had to be installed before
I could check for updates, and that Windows Update would install the
software, close, and then reopen, with no changes made to my personal
settings, or something to that effect. It showed up in the history window
after that. (It can't be uninstalled).

In XP, going to Windows Update with Internet Explorer, it gave the message
that ActiveX software had to be installed in order to continue using Windows
Update. I don't believe it shows up in the history page for XP Windows
Update, it can't be uninstalled, nor is it otherwise "registered" by the
usual means. It doesn't show up in Belarc on XP, for example. The only way
I can think of to see if it was installed is to check your XP file versions.

I have a suspicion that unless Automatic Updates is turned off, it may well
install without user input, which was apparently what happened in Engel's
case.

 

[Guest]

Great information from all of you : dean-dean would you please guide me thru
the path to my XP file versions ? You are most likely right that the same
thing
that happened to Engel happened to me (but i show nothing in history) Ron

 

[dean-dean]

Hi Ron,

In XP, the following would be version 7.0.6000.381 after the Windows Update
software update:

wuweb.dell
wuaueng.dll
wuapi.dll
wucltui.dll
wuaucpl.cpl
cdm.dll
wuauclt.exe
wups2.dll
wups.dll

They are located in the C:\Windows\System32 folder. You can Copy and Paste
that path in Run, and click OK. If you view the folder by Details, and sort
the columns by Date Modified, they should be more or less grouped together.

Great information from all of you : dean-dean would you please guide me
thru
the path to my XP file versions ? You are most likely right that the same
thing
that happened to Engel happened to me (but i show nothing in history)
Ron

 

[Pat Willener]

I was prompted if I want to install the update. But I had the option to
check
- Always install software from "Microsoft Windows Components Publisher"
- Never install software from "Microsoft Windows Components Publisher"
- Ask me every time

You may have checked the 'Always' option at an earlier time?

 

[Bill Sanderson MVP]

Engel, I watched this one on a machine today. It appears to be an update to
Microsoft Update and WindowsUpdate. Not WGA, nothing sinister, but an
update to the basic plumbing.

 

[occam]

Hi All

The latest version of these files (.381) have been on my system since 30
Jul 2007.

Could they have been shipped out as part of an earlier update?

occam

 

[Alan D]

Ron, you might like to take a look in Event Viewer (System). I found two
entries like this on 22nd August:
Event Type: Information
Event Source: Windows Update Agent
Event Category: Installation
Event ID: 19
Date: 22/08/2007
Time: 09:57:48

I presume this is the event under discussion? (This is XP/IE6)

Great information from all of you : dean-dean would you please guide me
thru
the path to my XP file versions ? You are most likely right that the same
thing
that happened to Engel happened to me (but i show nothing in history)
Ron

 

[Guest]

Thank You dean-dean for those files and the path, yes the files are version
7.0.6000.381 but modified on mon. July 30, 2007. It appears the i received
my update like occam on an earlier date. Also no update installed on that
date
in history. (Green Checks For All) Thanks everybody Ron

 

[Alan]

Hi Bill,

It might very well be an update to the 'basic plumbing' as you refer to it,
but I don't quite think that's the point.

Otherwise, ALL high security updates from Microsoft should auto-install
whether or not the end user wants to have his/her machine modified.

And it's not as if Microsoft is always so diligent in ensuring that changes
to even 'basic plumbing' work exactly as they should.

Alan

 

[Dave M]

hi occam;

I think the Jul 30 date you're seeing refers to the digital signature date
of those files not to the date they got installed on your system. My files
came down manually yesterday 8/23 by using Microsoft Update, but they also
have that same Jul 30 modification date which I think stems from when the
Ms digital signature was attached to them.

 

[Robinb]

I have Vista home Premium and I just checked to see if it did that same
update- all by itself- and it sure did. Since I did not have the computer
on yesterday or the day before- it showed it today.
I have updates set to notify me first.
Funny not only did it not notify me first, it did the windows update one and
windows defender one together without notifying me.

I do not like the fact that I did not have a choice to update or not.
Robin

 

[Anonymous Bob]

In XP, it updates the following system32 files to version 7.0.6000.381:

wuweb.dll
wuaueng.dll
wuapi.dll
wucltui.dll
wuaucpl.cpl
cdm.dll
wuauclt.exe
wups2.dll
wups.dll

Could someone please verify the version of wups.dll after the update? I
still have version 7.6000.374. All the rest were updated. I hope that isn't
a problem lurking to bite me down the road.

Bob Vanderveen