Windows 7 users were thrown into a panic overnight by what we can only think to describe as a harmlessly incorrect genuine botched fake update.
Help forums filled up with rumours of a hack at Microsoft, thanks to an update notification looking something like this:
gYxseNjwafVPfgsoHnzLblmm...YMEILGNIPwNOgEazuBVJcyVjBRL
Download size: 4.3 MB
You may need to restart your computer for this update to take effect.
Update type: Important
qQMphgyOoFUxFLfNprOUQpHS
More information:
https://hckSLpGtvi.PguhWDz.fuVOl.gov
https://jNt.JFnFA.Jigf.xnzMQAFnZ.edu
Help and Support:
https://IIKaR...PGetGeG.lfIYQIHCN.mil
Here it is in Russian, with some URLs the same, but others different:
SjXyXBBRruIsrRKigWTXppLl...ybEUZjzNVTpnpTfNlJlkbHObmKv
Размер загрузки: 4,3 МБ
Чтобы обновление вступило в силу, может потребоваться перезапуск компьютера.
Способ обновления: Важное
qQMphgyOoFUxFLfNprOUQpHS
Дополнительные сведения:
https://hckSLpGtvi.PguhWDz.fuVOl.gov
https://jNt.JFnFA.Jigf.xnzMQAFnZ.edu
Справка и поддержка:
http://qPhnIf...svQSjg.feOXkVeoJ.gov
At least one brave chap, either by accident or design, tried to install the mysterious update, fortunately without success:
What about the URLs?
The URLs listed in the notifications look alarming, especially the .GOV domain that starts with the letters HCK.
But unlike .COM and .NET, the top-level domains .MIL, .GOV and .EDU aren’t open slather, so not just anyone can register them, and not just any old domain name is acceptable.
So these URLs aren’t directly dangerous, because they don’t exist.
But that makes them indirectly worrying, because they’re in an apparently-official Microsoft notification.
And Windows 7, despite its age, still has a strangely loyal following of users.
Many of them consider Windows 8, and even 8.1, unusable, and are showing similar signs of skipping Windows 10 as well.
In a few years, they may well become the next generation of XP “survivalists,” running ageing, unpatched PCs with a determined disregard for the rest of us.
For now, however, Windows 7 is still fully supported, so you can forgive its users for getting genuinely worried about what was clearly a bogus update.
Was it a hack? A prank? A giant Man-in-The-Middle attack?
Stand down!
Stand down from Windows-coloured alert!
The good news is that it was a genuine bogus update.
According to a Microsoft spokesperson:
We incorrectly published a test update and are in the process of removing it.
Because the update seems to have existed only as a test of the notification process, and not as an update package that could actually be installed, it seems to have been a fake update, too.
So, you can stand down from red alert.
It was a harmlessly incorrect genuine botched fake update.
And before you get angry about it because of the nervous night you just spent waiting to find out the facts…
…spare a thought for the person or persons unknown at Microsoft HQ who made the blunder, and are currently spending a nervous afternoon waiting to be summoned to the Principal’s office for a telling-off.
Note. If you are going to invent domain names for test purposes, never use real top-level domains like .COM, .MIL and so on. For more than 16 years, there has been a well-defined list of reserved domain names, both at the top-level (e.g. .TEST) and at the second level (e.g. .EXAMPLE.COM). Use those instead. Likewise, if you need to make up realistic-looking IP numbers, use ranges specifically reserved for documentation purposes (e.g. 198.51.100.0/24).
Anonymous
So can I use ip addresses 192.xxx.xxx.0 and 192.xxx.xxx.24 or am I understanding something wrong?
Paul Ducklin
The IPv4 addresses in the range 198.51.100.0/24 are reserved for documentation. So if you write them in an article, or print them in a book, or use them as an example in demonstration source code, and someone copies and pastes them “into real life,” they won’t accidentally match real addresses that belong to other people. Indeed, correctly-programmed routers should simply throw them away.
It’s a bit like those 555-xxx-xxxx phone numbers you see in movies. They’ll never actually work, so that no-one will get irritated by calls from viewers who somehow think they’re real and try them out.
198.51.100.0/24 means that the first 24 bits (three bytes, i.e. the 198.51.100 part) are “locked in”, and the last 8 bits (one byte, shown as 0) are “unlocked” and can be anything. The rules of routing say that the “unlocked” part of an IPv4 number can’t be all zero bits or all ones, so in this case, .0 and .255 are out.
So, if you use 198.51.100.1, 198.51.100.2, and so on to 198.51.100.254, in your documentation, then your network numbers will look realistic, but won’t clash with anything in the real world, and we shall all be grateful :-)
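The note in the article and the comment above come down to one rule: a placeholder is safe only when it can never resolve or route. The checker below is an added example written for this page, not code from Sophos, Microsoft or the commenter. It assumes the reserved names from RFC 2606 (.TEST, .EXAMPLE, .INVALID, .LOCALHOST and EXAMPLE.COM/.NET/.ORG) and goes a little beyond the note by taking all three IPv4 documentation ranges from RFC 5737 (192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), not only 198.51.100.0/24. The notification text it scans is constructed: it mixes the two .gov/.edu URLs quoted in the article with made-up replacements, and the function names (`lint_fixture`, `shares_locked_prefix` and so on) are this example's own.

```python
"""Lint made-up hostnames and IPv4 addresses in a test fixture.

Added example for this page (not Sophos, Microsoft or commenter code).
A placeholder is treated as safe only if it can never resolve or route:
  - hostnames must use an RFC 2606 reserved name (.test, .example,
    .invalid, .localhost, or example.com / example.net / example.org);
  - IPv4 literals must fall inside an RFC 5737 documentation range
    (192.0.2.0/24, 198.51.100.0/24 or 203.0.113.0/24).
"""
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 2606 reserved names
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_SECOND_LEVEL = {"example.com", "example.net", "example.org"}

# RFC 5737 documentation ranges; 198.51.100.0/24 is the one the note cites
DOC_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")
]

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def hostname_is_reserved(host: str) -> bool:
    """True if host ends in a reserved TLD or a reserved second-level name."""
    labels = host.lower().rstrip(".").split(".")
    if labels[-1] in RESERVED_TLDS:
        return True
    return len(labels) >= 2 and ".".join(labels[-2:]) in RESERVED_SECOND_LEVEL


def ipv4_is_documentation(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 5737 ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError for non-addresses
    return ip.version == 4 and any(ip in net for net in DOC_NETWORKS)


def shares_locked_prefix(cidr: str, addr: str) -> bool:
    """The /24 explanation as bit arithmetic: the first prefixlen bits are
    locked, the remaining (32 - prefixlen) bits are free, so an address is
    inside the block when it agrees with the network address once the
    free bits are shifted away."""
    net = ipaddress.ip_network(cidr)
    free_bits = net.max_prefixlen - net.prefixlen  # 8 for a /24
    return (int(ipaddress.ip_address(addr)) >> free_bits
            == int(net.network_address) >> free_bits)


def usable_hosts(cidr: str) -> list[str]:
    """Addresses in cidr minus the all-zeros (network) and all-ones
    (broadcast) ones, i.e. 198.51.100.1 .. 198.51.100.254 for the /24."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]


def lint_fixture(text: str) -> list[tuple[str, str]]:
    """Return (kind, host) for every URL whose host is NOT a safe placeholder."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname  # lower-cased, IPv6 brackets stripped
        if host is None:
            continue
        try:
            safe, kind = ipv4_is_documentation(host), "ip"
        except ValueError:  # not an IP literal, so judge it as a hostname
            safe, kind = hostname_is_reserved(host), "host"
        if not safe:
            findings.append((kind, host))
    return findings


# Constructed notification text: the two .gov/.edu URLs quoted in the
# article, plus made-up replacements that follow the RFCs, and one private
# address (routable on many LANs, so not a documentation placeholder either).
SAMPLE_NOTICE = """More information:
https://hckSLpGtvi.PguhWDz.fuVOl.gov
https://jNt.JFnFA.Jigf.xnzMQAFnZ.edu
Help and Support: https://support.example.com/kb/0001
Mirror: http://198.51.100.7/kb/0001
Internal: http://10.0.0.5/kb/0001
"""

if __name__ == "__main__":
    for kind, host in lint_fixture(SAMPLE_NOTICE):
        print(f"unsafe placeholder ({kind}): {host}")
```

Run against the constructed notice, the two random .gov/.edu hosts and the 10.0.0.5 address are reported, while support.example.com and 198.51.100.7 pass. Private ranges such as 10.0.0.0/8 are deliberately not accepted: they are unroutable on the public Internet, but they do route inside most corporate networks, which is exactly the "copied into real life" collision the comment above warns about.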
Sammie
With so many years of rolling out patches, one can’t help but be a bit paranoid when MS comes out with the storyline of ‘Ohh it was nothing, just an honest mistake’. Does that also explain the rollout of Win 10 to all Win 7 user machines? Another honest mistake, maybe.
Anonymous
If by “rolled out” you mean “pushed down and installed”…that’s not actually what happened, is it? The installer was downloaded, but nothing was actually installed. (MS called that a feature, not a mistake! But you didn’t actually get upgraded by mistake, right?)
krull
At least for a short period of time it was available even to WSUS servers. We have configured our WSUS server to inform us whenever patches are available for our enterprise and we received the email WSUS sent us about the patch being available. We checked and it was actually recorded in the WSUS server Synchronization Report as well.
Ya, I want to use Win10 Pro and let MS choose what patches they automatically install in my enterprise. NOT! Guess they are forcing every company to WIN 10 Enterprise.
Gerry
“Windows 7, despite its age, still has a strangely loyal following of users.”
Strangely loyal –
because the concept of Microsoft inspiring loyalty is strange?
or
because loyalty to Windows 7 – a currently supported OS – is strange?
If the latter, I don’t see it as strange:
– Windows 8 / 8.1 seem to offer little benefit – unless you want “touch” (in which case go W10)
– Windows 10 is still very new – unless you want “touch”
– Windows 7 is “mature” as in reasonably stable and is still supported
– Change for change’s sake seems perverse.
I am currently on Windows 7 (and Ubuntu 14.04 LTS). If Ubuntu touch is available before Windows 7 support ends I will have an interesting pair of options – if I really want “touch”. (Will Ubuntu 16.04 be touch compatible?)
My current laptop does what I want (I have upgraded the harddisk)
My office suite runs on Windows 7 – and Ubuntu etc.
My browser runs on Windows 7 – and Ubuntu etc.
My email client runs on Windows 7 – and Ubuntu etc.
I have to use a different photo editor (mainly because I have not bothered to get to grips with GIMP which runs on Windows 7 – and Ubuntu etc.)
My preferred genealogy programme only runs on Windows 7+ (but I am told it runs under WINE on Ubuntu).
Sticking with Windows 7, at least until the free Windows 10 upgrade window closes, seems to be entirely rational.
Paul Ducklin
Maybe “strange” was the wrong word. I guess I find it odd that after 20 years of hearing people complain that Microsoft was a rip-off company for charging so much for upgrades…we now have people complaining when it’s free :-)
Rick L
No such thing as a free lunch, the price for Windows 10 is, amongst other things, a lack of privacy, some seriously exploitable things enabled by default by the OS and the OS itself, which seems to have corners cut to rush it out of a remarkably short testing period.
There’s more than enough for it to be reasonable to be reluctant to rush into upgrading to the big shiny new product just because it’s there and “free”.
Paul Ducklin
Interested to hear about those seriously exploitable holes, if you mean exploits of the “software vulnerability” sort.
Gerry
Microsoft is a strange OS company as far as consumers are concerned.
1) Windows is “sold” to computer manufacturers for a lot less than they sell it to consumers.
2) They sell a product that compared to other “things” consumers buy seem to have faults which eventually we persuaded to pay to get rid of (and find ourselves with another bit of new software that does not quite work).
3) Amazon is listing Windows 8.1 Pro for £230+, but MS now says a radically “new” OS is available to existing consumers for £0?
It is not strange that people are a bit suspicious of MS – and when they get something that appears to work to want to stick with it.
Old Etonian
But why is some ‘tester’ inserting .gov and .mil into such a ‘test update’? Is the mistake that improperly configured military malware was published, and it would have been better from their point of view if they had done more work on it and delivered the payload disguised as a language pack or whatever without anyone actually finding out. I mean, what kind of Microsoft employee puts .gov and .mil URLs in a patch? Is anyone going to answer this?
Paul Ducklin
I reckon they just didn’t follow RFC2606. They were looking for domains that could be constructed randomly, would look realistic to a URL syntax checker, but couldn’t possibly work. It’s as simple as that. No conspiracy theories needed. (And that’s why .TEST exists :-)