
"Trojaned" SP3

While WPA is humiliating, in practice it is no more than one more obstacle for the busy network administrator to overcome. With Service Pack 3 (SP3), using Microsoft products has suddenly become much more sinister.

Any Windows admin knows, understands, and expects that Windows must be patched and updated to keep the software secure. To that end, Microsoft provides service packs for its operating systems that bundle fixes for multiple security issues into one large patch. Although these service packs have a notorious reputation for causing more problems than they fix, they are nevertheless mandatory for security. Without them, it is almost guaranteed that a system will fall victim to a hacker attack or worm infestation.

Until recently, Microsoft has provided these service packs without invasive monitoring or obvious privacy conflicts. However, with the release of SP3 for Windows 2000, Microsoft is treading dangerous ground. In fact, if you have installed SP3 for Windows 2000, you could be in violation of the security policy of your organization, and you might have even broken federal law.

The problem is found in the User Agreement of the service pack:

The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.

This seemingly innocuous statement opens new possibilities as to what Microsoft can do to you if you install SP3. This addition to the EULA also brings with it a range of potential problems for businesses and organizations that absolutely cannot permit remote access to their computers. The HIPAA act mentioned in the introduction is one example of a regulation that Microsoft's EULA could put you in violation of.

For example, to be HIPAA compliant, your health-care organization must "reasonably safeguard protected health information from any intentional or unintentional use or disclosure." However, if SP3 is installed, Microsoft can now access your machines containing safeguarded information, such as confidential medical records. Ironically, however, you must install SP3 to be secure. Thus, every organization that needs to meet HIPAA's regulations must choose the lesser of two evils.

The obvious solution would seem to be to reverse-engineer SP3 to give yourself more control over Windows Update (in fact, this has already been done, and the "patch" is available on the Internet). However, we do not recommend this because it might put you in violation of the abominable Digital Millennium Copyright Act (DMCA). Although the DMCA allows provisions for reverse-engineering for security purposes, the interpretation is still nebulous. Worse, releasing, linking to, or using a third-party ready-made patch could be an even worse violation of the DMCA.
