Published: 2007-09-14
Microsoft may need to reconsider its practice of automatically upgrading components of Windows Updates.
On Thursday, two consultants highlighted the fact that the software giant's update system, Windows Update, patches itself even when users have chosen to only receive notifications of program upgrades. The consultants -- Scott Dunn of Windows Secrets and Adrian Kingsley-Hughes who blogs for ZDNet -- stated that the decision to update without notifying the user undermined trust in Microsoft.
"These updates without notification (are) a slippery slope," wrote Kingsley-Hughes. "I just don't like the idea of having updates foisted upon systems without being aware that they are coming in and having the option to postpone them. Why? Simple. IT'S MY PC!!!"
Dunn described the activity as "behavior that's usually associated with hacker Web sites," while handlers at the Internet Storm Center, a security information service, pointed out that having software secretly installed on corporate systems could cause problems for a company's compliance efforts.
Microsoft, however, stated that users with automatic updates turned off will not have the new components installed. In addition, enterprise customers that use Windows Server Update Services (WSUS) or Systems Management Server (SMS) also have complete control over what software gets updated.
In a post to the Microsoft Update Product Team blog, Program Manager Nate Clinton explained that the act of upgrading Windows Update files was intended to ensure that the user could receive future updates.
"To ensure on-going service reliability and operation, we must also update and enhance the Windows Update service itself, including its client side software," Clinton wrote. "These upgrades are important if we are to maintain the quality of the service."
Clinton acknowledged that Microsoft may not have been as upfront about the behavior as it should have been. He also stressed that turning off automatic updates will prevent Windows Update from being upgraded as well.
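The practical question for an administrator reading the article is which of the three situations a given machine is in: automatic updates turned off (no client self-update, per Microsoft), notify-only or fully automatic against Microsoft's servers (the client updates itself), or pointed at a WSUS server (the organization controls what is deployed). The PowerShell audit below is an added example, not code from the article, from Microsoft or from the commentators it quotes. It reads the Windows Update client's configuration from the registry, checking the Group Policy key first because policy overrides the local setting. It assumes an administrative session on a Windows host and uses the documented value names of the Automatic Updates client (NoAutoUpdate, AUOptions, WUServer, UseWUServer); the friendly descriptions of the AUOptions codes are this example's own wording.

```powershell
# Added example: audit the Automatic Updates configuration that decides whether the
# Windows Update client can update itself. Not part of the original article.
# Assumes: administrative rights, and the documented AU registry value names.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policyAU  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$localAU   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# Return a registry value, or $null when the key or the value does not exist.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Documented AUOptions codes (descriptions are this example's wording).
$auMeaning = @{
    1 = 'Automatic Updates disabled'
    2 = 'Notify before download (user chooses what to download and install)'
    3 = 'Download automatically, notify before install'
    4 = 'Download and install automatically on a schedule'
    5 = 'Policy lets the local administrator choose the setting'
}

# Group Policy wins over the local setting, so read it first.
$source = 'local setting'
$noAuto = Get-RegValueOrNull -Path $policyAU -Name 'NoAutoUpdate'
$auOpt  = Get-RegValueOrNull -Path $policyAU -Name 'AUOptions'
if (($null -ne $noAuto) -or ($null -ne $auOpt)) { $source = 'Group Policy' }
if ($null -eq $auOpt) { $auOpt = Get-RegValueOrNull -Path $localAU -Name 'AUOptions' }

# A WSUS server is only in effect when both WUServer and UseWUServer=1 are set.
$wuServer = Get-RegValueOrNull -Path $policyKey -Name 'WUServer'
$useWu    = Get-RegValueOrNull -Path $policyAU  -Name 'UseWUServer'

$autoState = $(
    if ($noAuto -eq 1)      { 'Disabled by policy' }
    elseif ($null -ne $auOpt -and $auMeaning.ContainsKey([int]$auOpt)) { $auMeaning[[int]$auOpt] }
    elseif ($null -ne $auOpt) { "Unknown AUOptions value $auOpt" }
    else                    { 'Not configured (client default applies)' }
)
$updateSource = $(
    if ($useWu -eq 1 -and $wuServer) { "WSUS ($wuServer)" } else { 'Microsoft Update (internet)' }
)

# Per the article: only a disabled client, or one managed through WSUS/SMS, is
# outside the client self-update behaviour Microsoft described.
$selfUpdateExposed = -not (($noAuto -eq 1) -or ($auOpt -eq 1) -or ($updateSource -like 'WSUS*'))

[pscustomobject]@{
    ConfigSource       = $source
    AutomaticUpdates   = $autoState
    UpdateSource       = $updateSource
    ClientSelfUpdates  = $selfUpdateExposed
}
```

Run it on a representative workstation and on a server; a machine reporting `Microsoft Update (internet)` with `ClientSelfUpdates` true is in the notify-only or automatic state the article discusses, and moving it under WSUS (or SMS) is the control Microsoft points to for organizations that need to approve every component before it is installed.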
Posted by: Robert Lemos
