Microsoft has done it again.
We receive reports from our WSUS server telling what updates are rolling out to what servers. So when I started receiving Tripwire reports indicating files being altered on a bunch of Windows boxes, I got concerned.
I started opening the files with hex editors looking for strange junk and ran sigverif to see if files are properly signed. After doing that I detected nothing fishy.
So why did these files change?!
After doing a couple of quick searches, the answer became clear… Microsoft pushed some updates that it told no one about. These updates come even if you choose not to have updates downloaded automatically.
In this world of heightened security awareness, file integrity verification, and patch pre-validation, I can’t think of why they would do this.
I guess it’s just Microsoft’s way.