WinUpdate - faked address in the license

Tried to send this message to news:microsoft.public.pl.windowsupdate
group, but it seems the group is not installed on my provider's
server - so I translate it and post here.

The problem is in Polsh version of WindowsUpdate. I do not
know, if it affects other version either.


----- Polish

WinUpdate - sfa³szowany adres w licencji


Instalacja "Powiadamiania o oryginalno¶ci systemu" wymaga
zgody na warunki licencji. W niej s± (w ró¿nych miejscach)
trzy adresy do stron z dodatkowymi obja¶nieniami:

!!! NIE KLIKAJ !!!
http://go.microsoft.com/fwlink/?linkid=39157
http://go.micorsoft.com/fwlink/?Linkld=56310
http://www.microsoft.com/exporting

Jeden z nich - ¶rodkowy - jest ewidentnie sfa³szowany.
Nie do¶æ, ¿e klucz "Linkld" tylko udaje "Id" (bo zamiast
du¿ego 'i-I' faktycznie jest tam ma³e 'l-L'), to w ogóle
prowadzi do domeny micORsoft, zamiast micROsoft.

Ciekawe, czy kto¶ to zdo³a³ zhakowaæ z zewn±trz, czy te¿
mamy przypadek dywersji wewn±trz firmy?

A mo¿e... W pierwszym zdaniu licencja podaje, ¿e chodzi
o wersjê pre-release programu. Mo¿e wiêc sama licencja
tak¿e jest w wersji pre-release.....?

----- English (at least i hope so)

WinUpdate - faked address in the license


Installing the tool reporting authenticity of the system
requires accepting licensing terms. In the license there
are three addresses of Web pages with 'further information':

!!! DO NOT CLICK !!! (unless you know what you're doing)
http://go.microsoft.com/fwlink/?linkid=39157
http://go.micorsoft.com/fwlink/?Linkld=56310
http://www.microsoft.com/exporting

One of them - the middle one - is obviously faked.
The key "Linkld" only imitates "Id" (it contains small
letter 'l-L' instead of capital 'i-I'), and in fact
it directs you to micORsoft domain, instead of micROsoft.

I wonder, if someone managed to hack it from outside,
or maybe it's a sabotage inside Microsoft Corp?

Or... The very first license sentence states
it is a pre-release version af the softwae.
Possibly the license itself is pre-release, too...?
-----


Maciek

PS.
Online Support answered I should better request support from
the Microsoft Poland subsidiary, as 'there are significant
programming differences between North America and localized
versions of software. blah blah blah'.
Yeah, hacking Microsoft's WindowsUpdate service is a very
country-and-language-specific programming issue. ;-)

U¿ytkownik "Maciek" <>
napisa³ w wiadomo¶ci news:dv3mln$v0l$...
>
> [... cut ...]
>
> The problem is in Polsh version of WindowsUpdate.
> I do not know, if it affects other version either.

Typo: Polish, not Polsh.


> [... cut ...]
>
>
> Installing the tool reporting authenticity of the system

Just thought I should've added this key: KB905474.


> requires accepting licensing terms. In the license there
> are three addresses of Web pages with 'further information':
>
> [... cut ...]
>
> One of them - the middle one - is obviously faked. [....]
> it directs you to micORsoft domain, instead of micROsoft.
>
> I wonder, if someone managed to hack it from outside,
> or maybe it's a sabotage inside Microsoft Corp?
>
> Or... The very first license sentence states
> it is a pre-release version af the softwae.
> Possibly the license itself is pre-release, too...?


Maciek

> Installing the tool reporting authenticity of the system
> requires accepting licensing terms. In the license there
> are three addresses of Web pages with 'further information':
>
> !!! DO NOT CLICK !!! (unless you know what you're doing)
> http://go.microsoft.com/fwlink/?linkid=39157
> hxxx://go.micorsoft.com/fwlink/?Linkld=56310
> http://www.microsoft.com/exporting

Exactly where did you download this "license" from ?
Suggest you contact and report this.

MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============

Maciek wrote:

> Tried to send this message to news:microsoft.public.pl.windowsupdate
> group, but it seems the group is not installed on my provider's
> server - so I translate it and post here.
>
> The problem is in Polsh version of WindowsUpdate. I do not
> know, if it affects other version either.
>
>
> ----- Polish
>
> WinUpdate - sfa³szowany adres w licencji
>
>
> Instalacja "Powiadamiania o oryginalno¶ci systemu" wymaga
> zgody na warunki licencji. W niej s± (w ró¿nych miejscach)
> trzy adresy do stron z dodatkowymi obja¶nieniami:
>
> !!! NIE KLIKAJ !!!
> http://go.microsoft.com/fwlink/?linkid=39157
> http://go.micorsoft.com/fwlink/?Linkld=56310
> http://www.microsoft.com/exporting
>
> Jeden z nich - ¶rodkowy - jest ewidentnie sfa³szowany.
> Nie do¶æ, ¿e klucz "Linkld" tylko udaje "Id" (bo zamiast
> du¿ego 'i-I' faktycznie jest tam ma³e 'l-L'), to w ogóle
> prowadzi do domeny micORsoft, zamiast micROsoft.
>
> Ciekawe, czy kto¶ to zdo³a³ zhakowaæ z zewn±trz, czy te¿
> mamy przypadek dywersji wewn±trz firmy?
>
> A mo¿e... W pierwszym zdaniu licencja podaje, ¿e chodzi
> o wersjê pre-release programu. Mo¿e wiêc sama licencja
> tak¿e jest w wersji pre-release.....?
>
> ----- English (at least i hope so)
>
> WinUpdate - faked address in the license
>
>
> Installing the tool reporting authenticity of the system
> requires accepting licensing terms. In the license there
> are three addresses of Web pages with 'further information':
>
> !!! DO NOT CLICK !!! (unless you know what you're doing)
> http://go.microsoft.com/fwlink/?linkid=39157
> http://go.micorsoft.com/fwlink/?Linkld=56310
> http://www.microsoft.com/exporting
>
> One of them - the middle one - is obviously faked.
> The key "Linkld" only imitates "Id" (it contains small
> letter 'l-L' instead of capital 'i-I'), and in fact
> it directs you to micORsoft domain, instead of micROsoft.
>
> I wonder, if someone managed to hack it from outside,
> or maybe it's a sabotage inside Microsoft Corp?
>
> Or... The very first license sentence states
> it is a pre-release version af the softwae.
> Possibly the license itself is pre-release, too...?
> -----
>
>
> Maciek
>
> PS.
> Online Support answered I should better request support from
> the Microsoft Poland subsidiary, as 'there are significant
> programming differences between North America and localized
> versions of software. blah blah blah'.
> Yeah, hacking Microsoft's WindowsUpdate service is a very
> country-and-language-specific programming issue. ;-)
>

"MowGreen [MVP]" <>
wrote in news:%...
>> Installing the [KB905474] tool reporting authenticity of the
>> system requires accepting licensing terms. In the license there
>> are three addresses of Web pages with 'further information':
>>
>> !!! DO NOT CLICK !!! (unless you know what you're doing)
>> http://go.microsoft.com/fwlink/?linkid=39157
>> hxxx://go.micorsoft.com/fwlink/?Linkld=56310
>> http://www.microsoft.com/exporting
>
> Exactly where did you download this "license" from ?

Actually, I did not explicitly *download* it - I've read it
in the pop-up dialog box.

See the the message subject? It was a MS Windows Update site.

In details: I called 'Windows Update' command from my WinXP Pro's
Start menu, which opened http://windowsupdate.microsoft.com/
to get finally to:
http://update.microsoft.com/windowsu...ult.aspx?ln=pl

Then I chose Custom installation ('Niestandardowa' in Polish,
i.e. Nonstandard) and got into the 'High priority' list. There
was a single item displayed (and already selected, as usually
in high-priority section).
So I switched to 'Install' page and clicked 'Install' pushbutton.
Then the dialog popped up to display the EULA for KB905474.

The suspicious micorsoft URL is mentioned in EULA section 3.a)
'Internet services agreement', I suppose (by translating the
Polish version back to English).



> Suggest you contact and report this.

I wish this mail address was published on the WindowsUpdate site...

After some searching I got to this page:
http://support.microsoft.com/contact...rt/?ws=support
and followed the link saying 'Send us your comments and questions
about this Web site'. That looked good to me, as I have no problem
with any specific product, but rather a comment about the Web site.

In about two hours I've received a carboncopy of my note being
forwarded by 'Microsoft Contact US' (msconus at microsoft dot com)
to some address in .com.pl domain - so I suppose the issue
is under investigation.

If it is not solved until tomorrow, probably I'll send
the message to secure@ too. Thank you for the advice.


Maciek
from Poland

"Maciek" <> wrote in message
news:dv3mln$v0l$...
> Tried to send this message to news:microsoft.public.pl.windowsupdate
> group, but it seems the group is not installed on my provider's
> server - so I translate it and post here.


Don't use your provider's server.
Use Microsoft's public server: msnews.microsoft.com

Since you are using OE you can create a new news account for it
by clicking on the following link:

news://msnews.microsoft.com/microsof....windowsupdate

You may want to do some customizing of it before posting with it.


Good luck

Robert Aldwinckle
---

U¿ytkownik "Robert Aldwinckle" <> napisa³
w wiadomo¶ci news:...
> "Maciek" <> wrote
> in message news:dv3mln$v0l$...
>> Tried to send this message to news:microsoft.public.pl.windowsupdate
>> group, but it seems the group is not installed on my provider's
>> server - so I translate it and post here.
>
>
> Don't use your provider's server.
> Use Microsoft's public server: msnews.microsoft.com
>

Thank you, Robert, it works (news:).


Maciek

You're welcome. Please keep us posted as to how this turns out, Maciek.
I've posted this to a Security list where MS employees interact with
MVPs. Am wondering if this is a caching issue with one of the Polish
update servers ?

MowGreen [MVP 2003=2006]
===============
*-343-* FDNY
Never Forgotten
===============


Maciek wrote:

>
> "MowGreen [MVP]" <> wrote in
> news:%...
>
>>> Installing the [KB905474] tool reporting authenticity of the
>>> system requires accepting licensing terms. In the license there
>>> are three addresses of Web pages with 'further information':
>>>
>>> !!! DO NOT CLICK !!! (unless you know what you're doing)
>>> http://go.microsoft.com/fwlink/?linkid=39157
>>> hxxx://go.micorsoft.com/fwlink/?Linkld=56310
>>> http://www.microsoft.com/exporting
>>
>>
>> Exactly where did you download this "license" from ?
>
>
> Actually, I did not explicitly *download* it - I've read it
> in the pop-up dialog box.
>
> See the the message subject? It was a MS Windows Update site.
>
> In details: I called 'Windows Update' command from my WinXP Pro's
> Start menu, which opened http://windowsupdate.microsoft.com/
> to get finally to:
> http://update.microsoft.com/windowsu...ult.aspx?ln=pl
>
> Then I chose Custom installation ('Niestandardowa' in Polish,
> i.e. Nonstandard) and got into the 'High priority' list. There
> was a single item displayed (and already selected, as usually
> in high-priority section).
> So I switched to 'Install' page and clicked 'Install' pushbutton.
> Then the dialog popped up to display the EULA for KB905474.
>
> The suspicious micorsoft URL is mentioned in EULA section 3.a)
> 'Internet services agreement', I suppose (by translating the
> Polish version back to English).
>
>
>
>> Suggest you contact and report this.
>
>
> I wish this mail address was published on the WindowsUpdate site...
>
> After some searching I got to this page:
> http://support.microsoft.com/contact...rt/?ws=support
> and followed the link saying 'Send us your comments and questions
> about this Web site'. That looked good to me, as I have no problem
> with any specific product, but rather a comment about the Web site.
>
> In about two hours I've received a carboncopy of my note being
> forwarded by 'Microsoft Contact US' (msconus at microsoft dot com)
> to some address in .com.pl domain - so I suppose the issue
> is under investigation.
>
> If it is not solved until tomorrow, probably I'll send
> the message to secure@ too. Thank you for the advice.
>
>
> Maciek
> from Poland

"MowGreen [MVP]" <> wrote
in news:%...
> (....) Please keep us posted as to how this turns out, Maciek.
> I've posted this to a Security list where MS employees interact
> with MVPs. Am wondering if this is a caching issue with one of
> the Polish update servers ?


Today, March 14, about 12.45 GMT, I've sent the message
to and 4 hours later (8.40 am -0800
zone -- it's Pacific time zone, I suppose) got a response,
which reads as follows:

'Thanks for forwarding this to us. It appears to simply
be a typo rather than a hack, and I forwarded it to the
proper group to fix immediately.'

Sorry, I can't believe it's just a typo. Well, I agree
it's quite easy to swap O and R (ask Google for examples).
However replacing capital 'I' with little 'el', especially
when the initial character in the word is also capital
('Link') is obviously delibarate.
I just can not imagine one typing that long text corretly,
and making a single mistake, which involves hitting wrong
key AND failing to press Shift at the same time.

Anyway, whatever the reason was, hack, sabotage or a mistake,
it's not my job to investigate the case and catch the decevier.
I just wait for correction -- and 6.55 pm GMT (20 minutes ago)
the link was still wrong.


About possible caching issue: sorry, I have no idea how to
verify that. Probably only the servers' admin (i.e. Microsoft
staff) can verify/correct that. The only cache I could purge
is my Explorer's temporary files folder, which obviously has
nothing to do with the problem I report.


Maciek
from Poland

U¿ytkownik "Maciek" <>
napisa³ w wiadomo¶ci news:dv74ra$h2t$...
>
> "MowGreen [MVP]" <> wrote
> in news:%...
>> (....) Please keep us posted as to how this turns out, Maciek.
>
>
> Today, March 14, about 12.45 GMT, I've sent the message
> to and 4 hours later (8.40 am -0800
> zone -- it's Pacific time zone, I suppose) got a response,
>
> [snip]
>
> and 6.55 pm GMT (20 minutes ago) the link was still wrong.

March 15, 7.30 CET (6.30 GMT) - no change.


Maciek
from Poland

"Maciek" <>
wrote in news:dv8d5f$34c$...
>
> "Maciek" <>
> in news:dv74ra$h2t$...
>>
>> "MowGreen [MVP]" <> wrote
>> in news:%...
>>> (....) Please keep us posted as to how this turns out, Maciek.
>>
>>
>> Today, March 14, about 12.45 GMT, I've sent the message
>> to and 4 hours later (8.40 am -0800
>> zone -- it's Pacific time zone, I suppose) got a response,
>>
>> [snip]
>>
>> and 6.55 pm GMT (20 minutes ago) the link was still wrong.
>
> March 15, 7.30 CET (6.30 GMT) - no change.

March 15, ~ 1.00 pm CET (12.00 GMT) - still wrong.

March 15, 7.30 pm CET (18.30 GMT) - fixed.

Corrected link:
http://go.microsoft.com/fwlink/?linkid=56310


Thanks for the assistance.

Maciek
from Poland