June 05, 2006

Windows XP Update May Be Classified As "Spyware"

Greetings. There have been some murmurs about this in other forums, but since I've now independently verified it, I figured I'd better report it here.

A recent Microsoft update to Windows XP, which modifies the tool that verifies the "validity" of XP installations to ensure that they are not illicit, may itself be considered spyware under commonly accepted definitions.

The new version of the "Windows Genuine Advantage" tool reportedly will repeatedly nag users of systems it declares to be invalid, and will then apparently deny such users various "non-critical" updates. Various parties have apparently already found ways to bypass this tool, though the effects of this on later updating capabilities remain to be seen.

However, I've noted a much more serious issue on local XP systems, all of which are legitimate and pass the MS validity tests with flying colors. It appears that even on such systems, the MS tool will now attempt to contact Microsoft over the Internet every time you boot. At least, I'm seeing these contacts on every boot since the tool update, and I've allowed them to proceed to completion each time. Perhaps it stops after some number of boots, but there's no indication of such a limit so far. The connections occur even if you do not have Windows "automatic update" enabled.

I do not know what data is being sent to MS or is being received during these connections. I cannot locate any information in the MS descriptions to indicate that the tool would notify MS each time I booted a valid system. I fail to see where Microsoft has a "need to know" for this data after a system's validity has already been established, and there may clearly be organizations with security concerns regarding the communication of boot-time information.

I'll leave it to the spyware experts to make a formal determination as to whether this behavior actually qualifies the tool as spyware.

For now, you can block the tool's connection attempts via firewalls such as ZoneAlarm, though the long-term ramifications of doing this are unclear. I do not know if it's possible to block this behavior using the internal XP firewall system.
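The behavior described above (a connection to the same remote endpoint shortly after every boot, whether the firewall lets it through or drops it) is easy to confirm from a firewall log once you line it up with boot times. The following script is an added example, not part of the original post and not Microsoft's or ZoneAlarm's code: it reads a constructed, simplified log whose columns mimic the W3C-style "#Fields" header used by the Windows Firewall pfirewall.log, pairs each connection attempt with the most recent boot from a constructed list of boot timestamps (which you would pull from the System event log), and reports endpoints reached within a configurable window after every single boot. The five-minute window, the field layout, and all addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
"""Correlate firewall connection attempts with boot times.

Added example with constructed sample data. The log layout follows the
pfirewall.log field order only loosely; just the date, time, action,
dst-ip and dst-port columns are used.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a connection counts as "boot-time" if it starts within
# this long after a recorded boot.
BOOT_WINDOW = timedelta(minutes=5)

# Both an allowed (OPEN) and a blocked (DROP) connection are attempts;
# CLOSE and informational lines are not.
ATTEMPT_ACTIONS = {"OPEN", "DROP"}

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed boot timestamps (not real data).
SAMPLE_BOOTS = [
    "2006-06-03 08:00:12",
    "2006-06-04 09:15:40",
    "2006-06-05 07:58:03",
]

# Constructed firewall log (not real data). Addresses are RFC 5737
# documentation ranges, not real servers. The 2006-06-04 line is a DROP
# to show that a blocked attempt still counts as a contact attempt.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2006-06-03 08:00:45 OPEN TCP 192.168.1.5 203.0.113.20 1034 443
2006-06-03 08:01:10 OPEN TCP 192.168.1.5 198.51.100.7 1035 80
2006-06-03 12:30:00 OPEN TCP 192.168.1.5 198.51.100.7 1080 80
2006-06-04 09:16:02 DROP TCP 192.168.1.5 203.0.113.20 1033 443
2006-06-04 09:40:00 OPEN UDP 192.168.1.5 192.168.1.1 1025 53
2006-06-05 07:58:30 OPEN TCP 192.168.1.5 203.0.113.20 1036 443
2006-06-05 07:59:00 OPEN TCP 192.168.1.5 192.0.2.9 1037 80
2006-06-05 07:59:05 CLOSE TCP 192.168.1.5 192.0.2.9 1037 80
"""


def parse_log(text):
    """Yield (timestamp, dst_ip, dst_port) for every connection attempt."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # header, version and blank lines
        fields = line.split()
        if len(fields) < 8 or fields[2] not in ATTEMPT_ACTIONS:
            continue  # CLOSE, INFO-EVENTS-LOST, or truncated lines
        date, time, _action, _proto, _src, dst, _sport, dport = fields[:8]
        yield datetime.strptime(f"{date} {time}", TIME_FMT), dst, int(dport)


def boot_time_contacts(boots, log_text, window=BOOT_WINDOW):
    """Map (dst_ip, dst_port) -> set of boot indices it was contacted after.

    Each attempt is attributed to at most one boot: the one whose window
    contains it. Attempts outside every window are ignored.
    """
    boot_times = [datetime.strptime(b, TIME_FMT) for b in boots]
    hits = defaultdict(set)
    for ts, dst, dport in parse_log(log_text):
        for i, boot in enumerate(boot_times):
            if boot <= ts <= boot + window:
                hits[(dst, dport)].add(i)
                break
    return hits


def contacted_every_boot(boots, log_text, window=BOOT_WINDOW):
    """Endpoints reached inside the window after every recorded boot."""
    hits = boot_time_contacts(boots, log_text, window)
    return sorted(ep for ep, idx in hits.items() if len(idx) == len(boots))


if __name__ == "__main__":
    for ip, port in contacted_every_boot(SAMPLE_BOOTS, SAMPLE_LOG):
        print(f"{ip}:{port} contacted after every one of "
              f"{len(SAMPLE_BOOTS)} boots")
```

Because DROP lines are counted as attempts, the same script still shows the pattern after you have blocked the connection with a firewall that logs outbound drops, which is how you would check whether the tool keeps trying. An endpoint that shows up after every boot is not proof of what is being sent, only of the contact pattern; inspecting the payload needs a packet capture.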

This situation is potentially a very disturbing development.


Blog Update (June 6, 2006): Please see this entry for a discussion of Microsoft's response regarding this issue.

Posted by Lauren at June 5, 2006 10:24 PM | Permalink