Hackers are always finding new ways of compromising system security by hiding files in just about every file type possible, but this is a relatively new concept which shows the increasing “intelligence” of the hacking community. Malware can now be delivered to an already compromised system through the Background Intelligent Transfer Service (BITS), which is a component of Windows Update. Is nothing sacred?
The reason this works is that ALL firewalls automatically trust BITS, which makes it easy to piggyback malware onto files being transferred by BITS; this automatically grants the file unlimited access to network resources or to the system itself. No file transferred by BITS is scanned for malware or virus infections; everything is automatically trusted.
Although BITS has been directly affected, there is no reason to suspect that the Windows Update service itself has been compromised in any way. Computer World spoke with Oliver Friedrichs of Symantec’s Security Response group, and he said, “There is no evidence to suspect that Windows Update can be compromised. If it has a weakness, someone would have found it by now.” That’s probably true.
In case you’re curious, BITS is part of every modern NT-based Windows operating system, starting with Windows XP; it was included with Windows Server 2003, and yes, Vista has it as well.
The idea is that once a system has an infected file on it, that file will use BITS to download just about anything it wants and install it on the system, and because this happens in the background, you won’t notice it. Of course, a quick check of Task Manager could tell you, if you know what to look for.
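One concrete thing to look for is the BITS job queue itself. The script below is an added example, not something from the original post: it uses the BitsTransfer PowerShell module (which ships with Windows 7 / Server 2008 R2 and later, so not the XP-era systems discussed above; on those, `bitsadmin /list /allusers /verbose` gives the same view) to list every user's BITS jobs and flag any job that pulls from a host outside an allowlist you maintain. The allowlist entries and the `Test-AllowedHost` helper are assumptions for illustration; adjust them to the update sources your estate actually uses.

```powershell
# Added example (not from the original post): enumerate BITS jobs for every
# user and flag those downloading from hosts you do not expect BITS to talk to.
# Run from an elevated PowerShell session; -AllUsers needs administrator rights.
Import-Module BitsTransfer

# Assumption: the hosts legitimate BITS traffic should reach on this estate
# (Windows Update plus an internal WSUS server). Replace with your own list.
$allowedHosts = @('windowsupdate.com', 'update.microsoft.com', 'wsus.example.internal')

# Hypothetical helper: true if the URL's host is an allowed host or a subdomain of one.
function Test-AllowedHost {
    param([string]$Url)
    try { $h = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($a in $allowedHosts) {
        if ($h -eq $a -or $h.EndsWith(".$a", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# One row per file in each job, suspicious rows first.
Get-BitsTransfer -AllUsers | ForEach-Object {
    $job = $_
    foreach ($file in $job.FileList) {
        [pscustomobject]@{
            Owner      = $job.OwnerAccount
            JobId      = $job.JobId
            Name       = $job.DisplayName
            State      = $job.JobState
            Type       = $job.TransferType
            Remote     = $file.RemoteName
            Local      = $file.LocalName
            Suspicious = -not (Test-AllowedHost $file.RemoteName)
        }
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A caveat on the Task Manager tip: BITS runs as a service inside an `svchost.exe` process, so Task Manager shows only that host process and its network activity, not what is being downloaded or on whose behalf. The job list above (owner, remote URL, local destination) is what actually tells you whether a transfer belongs there, and a job owned by an ordinary user account that writes into a temp or profile directory from an unfamiliar host is the pattern worth a closer look.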
The same advice remains true: don’t download files from unknown sources, don’t open email attachments from people you don’t know, don’t click on unknown links, and keep up-to-date security software even if it requires you to pay for it. Just do it.
I can see it now: security vendors will be building in protection systems for BITS. I’m not saying it would be a bad thing, but downloads are bound to take longer if each incoming file is checked for malicious code or behaviors.