This morning I saw a post from Larry Seltzer rehashing the argument that Microsoft should be allowing the deployment of third-party updates via Microsoft Update. (He uses the older term “Windows Update”, which is for Windows products only. Microsoft Update is the term for the update server for the broader group of Microsoft products.) He argues that there are so many vulnerabilities that it is time-consuming to keep up with it all. Additionally, it is difficult to verify the source of programs.
The ink hadn’t even dried on that post when antimalware firm ESET reported on malware they had found in the Microsoft Update Catalog.
Microsoft actually does include some third-party developed things in Microsoft Update. They do this so you don’t have to install drivers every time you add new hardware, or plug something into the USB port. Windows can update drivers from Microsoft Update. In this case Microsoft was serving up a remote access trojan when it installed battery charger management software.
That is just a small example of what is feared both by the consumer and by Microsoft when we talk about opening up Microsoft Update to third-party developers.
ESET has a follow-up post from someone with insight on the antimalware scanning process for files available publicly at Microsoft. Their author feels it is impractical to scan the TB of update files Microsoft already has posted, and not respectful to Mother Earth. I think it is rather easy to say ‘let the consumer’s desktop antivirus detect it’ when it is no longer your reputation on the line and no longer your desktop getting infected and you work for a desktop antivirus company.
As the ESET blog posts say, this is a rare event. I fear it would be many times worse if Microsoft were also allowing multiple vendors to push their updates through Microsoft Update. This is why Microsoft cannot open Microsoft Update to third-party developers.