Microsoft in Windows Update spell-check shocker


Naked Security reader Thu Win commented on my recent Patch Tuesday article to remind me that Micrososft, sorry, Microsoft, blundered into spell-check shock territory during the latest batch of updates.

There's quite a bit of online laughter at the mistake, in which the software giant mis-spelled its own domain name in one of the update notifications presented by Windows Update:

I'm guessing that most users don't bother to research the details behind every Windows Update announcement, so many of you may have applied this update without even noticing the glitch. Sadly for Micrososft, sorry, Microsoft, this one is going to be easy to find online for weeks, thanks to the embarrassingly definitive search term!

(This reminds me wryly of the 1990s Word macro virus, WM/Wazzu. This once-rampant virus randomly added the word "Wazzu" - the nickname for Washington State University - into documents as it spread. In a pre-Google-era form of Google Hacking, you could quickly find out which companies were lax at security simply by searching the web for officially-published corporate documents which contained this otherwise-unlikely word.)

But there's a serious side to this Microsoft glitch: what about the well-informed users who clicked on the link? It's not as though it arrived in an email, solicited or otherwise. It was presented by Windows itself, in an official dialog.

Fortunately - at least when I checked - the domain redirects to a domain parking site. (These are websites which collect click-through revenue - possibly only small amounts, but with near-zero effort - using elementary search and redirection facilities. They often aim to find prospective buyers for potentially-interesting domain names.)

It could have been much worse. If the "typosquat" domain name had belonged to cybercrooks, they would have enjoyed an endorsed-by-Microsoft opportunity to foist the malevolent code of their choice on trusting users.

Word is that Microsoft quickly altered the offending link, which now takes you where it should have all along.

Two pieces of advice:

* Look before you leap. If you can, double-check every link before you click it, even if it's an official link from a well-known brand. If in any doubt, leave it out.

* Proofread everything. That especially includes messages delivered by your software. Don't rely merely on a spell-check, which can't easily tell if a web link is correct, since many domain names aren't real words.

Thanks to Thu Win, who in turn passes on his thanks to the folks on #wikipedia-en and #freenode.


10 Responses to Microsoft in Windows Update spell-check shocker

  1. The spelling was fixed when I downloaded the update.

  2. breannadrew · 1675 days ago

    Copy and Paste... always copy and paste, never type by hand... bad micrososft programmer

    • Irene · 1674 days ago

      He probably did Copy and Paste. And then pressed Ctrl S, but Ctrl didn't quite catch. Can happen to the best of us.

  3. Randy Knobloch · 1674 days ago

    MS has fixed this, it is now a non-issue.

    • But those who installed the updates can still see the typo if they look in the view history for that update. In fact, I think it would be forever there until it is pushed off the front page when more updates are released. Hope that doesn't give Microsoft any ideas to release many junk or placebo updates to push that update off the list.

  4. ColonelFazackerley · 1674 days ago

    Malware can often be identified by its typos...

    • Are you implying Microsoft is releasing Malware to their customers?

    • Mrs. W · 1674 days ago

      . . .but sometimes it can't. Remember that the guys who are serious about FakeAV and so on can easily afford to hire the services of an unscrupulous but good proofreader/copyeditor/UI designer/etc.

    • ColonelFazackerley · 1672 days ago

      Just taking the opportunity to make a joke...

      Points taken. I know serious malware authors can spell, and that MS would not intentionally release malware.

  5. rbrogers · 1611 days ago

    I just had a client who picked up a Sophos product and received this email:

    Looks like Sophos fat-fingers keys too :)


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog