Hi @ll, after opting in to Microsoft Update additional (optional) software like Silverlight or Microsoft Security Essentials is offered when a user performs a "custom search" for updates.
Initially the current versions of this additional software are offered as "optional updates" for download and installation. For Silverlight cf. <https://support.microsoft.com/kb/2977218> If the user but does not want to install this software and checks the box "[x] Do not show this update´again", the next time he performs a "custom search" for updates the previous version of this software is offered until ALL of them are hidden. In case of Silverlight or Microsoft Security Essentials ALL these previous versions are but vulnerable, outdated and superseded. When I reported this behaviour as security bug on July 11, 2012 the MSRC answered: | The behavior you're seeing is desirable and expected behavior to | help customers maintain a good level of security even if they | decline the most recent security update. When the most recent | update for a product or component is hidden (which indicates the | user doesn't want the update to be offered ever again), we'll | offer the next newest (previously superseded) item to help | maintain some level of security. This behavior will continue | down the entire supersedence 'chain' in order to offer the 'next | best' update for any user that declines the newest (or the next | newest) update. | | This is one of the ways Microsoft and Windows Update attempt to | provide the 'next best' update even if the user declines the | most recent (best) update. I doubt that this behaviour is REALLY desirable for "optional updates" like Silverlight: Silverlight is not installed by default and therefore doesnt need any updates! If a user (or a 3rd party application) but installs one of these vulnerable, outdated and superseded versions after hiding them all Microsoft Update does NOT offer the necessary security updates, ALTHOUGH these updates have become (critical or important) "security updates" now and are no "optional updates" any more. So: user^Wadministrator BEWARE! regards Stefan Kanthak JFTR: unfortunately there dont exist registry entries like those for .NET Framework 4 and 4.5.1 or Internet Explorer 7 to 11 to generally block the offering/installation of Silverlight or Microsoft Security Essentials per Windows Update. Cf. <https://support.microsoft.com/kb/982320>, <https://support.microsoft.com/kb/2721187>, <https://support.microsoft.com/kb/928675> and <https://technet.microsoft.com/library/dd365124.aspx>, <https://support.microsoft.com/kb/2695147> and <https://technet.microsoft.com/library/gg615600.aspx>, <https://msdn.microsoft.com/library/jj898509.aspx> and <https://technet.microsoft.com/library/dn146011.aspx>, <https://technet.microsoft.com/library/dn449234.aspx> _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
