Software giant Microsoft has been accused of making a stealth download via one of its recent security patches.

Stealth downloads involve an unwitting computer user downloading code onto their machine without knowing of its transmission. It is sensitive subject in the computer security industry, as this is one of the main ways that malware is delivered onto people’s computers. It is a practice abhorrent in the industry and so for a leading company like Microsoft to be accused of such actions, has caused some embarrassment.

Allegedly, along with its regular Patch Tuesday security update, Microsoft bundled a Bing toolbar add-on. The stealth download adds the Bing toolbar to both the Mozilla Firefox and Internet Explorer browsers. And it does so without the users permission.

News of the stealth download was reported by technology blog Ars Technica. It stated that the Search Enhancement Pack update actually loaded the Bing toolbar onto those users who had installed the Windows Live Toolbar, or MSN bar, onto their Firefox and Internet Explorer browsers.

An apparently unabashed Microsoft told another tech news site, The Register, when questioned about the stealth download, that the problem arose because of a bug in the update file. It has, said Microsoft, now been fixed. They went on to explain the update, via the Search Enhancement Pack, was only supposed to work on those users with a Windows Live toolbar, MSN toolbar and a Bing Bar.

A spokesman said:
“We fixed the update so that going forward folks who still have only the older Windows Live Toolbar or MSN Toolbar will not see this behaviour anymore.”

So that’s alright then! Industry experts are a little less understanding and some have questioned Microsoft’s real intentions behind their stealth download tactics.

Microsoft was also in the news for suing an alledged spammer. Target of the lawsuit is Connecticut spammer Boris Mizhen. He is alledged to have sent unwanted emails to Microsoft customers and for gaming Hotmail’s spam filter. Mizhen is named in the legal action, as are several of his companies.

This is not the first time that Mizhen and Microsoft have locked horns. He was sued by the Seattle software giant in 2003 for sending spam to the web-based Hotmail service. The case then ended in a settlement with Mizhen paying out a reported $2 million and an agreement not to send anymore spam to Hotmail customers.

As regards the new, alledged campaign, Mizhen’s associates are keen to point out that these new messages were not spam and that many Hotmail users had moved them from their junk folders to their inboxes. Fair enough, although it’s thought by some that Mizhen and his companies alledgedly created the accounts which did this.

This has opened up the whole debate as to how successful spam filters are, especially those that rely on user feedback to judge the criteria of spam. Such techniques as whitelisting, blacklisting and Bayesian filtering are some of the ones used to recognize and filter out spam. Because these techniques are well known, they can be abused by spammers intent on ‘fixing’ the system and allowing their spam to get through.

Guest Article by Neil Camp