Microsoft Corp. confirmed that its OneCare consumer security software modifies Windows’ overall patch options during installation but said that the tool tells people that their settings may be changed.
“When you first install Windows Live OneCare, setup informs you that if you choose to proceed, your computer settings will be changed to automatically download and install important updates from Microsoft Update,” an unidentified member of the OneCare team blogged late last Thursday.
Earlier that same day, a popular Windows newsletter reported that OneCare altered Automatic Updates (AU) in Windows XP and Vista without telling users or getting their approval. According to Scott Dunn, an editor of the “Windows Secrets” newsletter, OneCare sets AU to full-automatic mode and even switches a pair of services back on if they have been manually disabled by the user. Dunn speculated that the behavior might explain two-week-old reports of patches being installed and systems rebooting without permission.
“This behavior is by design and is not unique to the latest version of OneCare,” the Microsoft blog post continued. “It helps ensure that your computer continues to receive important updates as soon as possible after they are released.”
The post included a screenshot of the first installation dialog that users see. Text in that dialog reads, “By using OneCare you agree to let Microsoft make changes to your system, such as enabling features that keep your system up to date and make it safer for you to browse the Internet.” The disclaimer does not specifically say that AU’s settings will be changed and, contrary to the statement in the OneCare blog post, it does not mention the Microsoft Update patch service.
A researcher noted for his work in dissecting questionable install disclosures said that OneCare fumbles when it comes to adequately informing users.