{"id":15754,"date":"2019-07-11T02:30:03","date_gmt":"2019-07-11T10:30:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/11\/news-9501\/"},"modified":"2019-07-11T02:30:03","modified_gmt":"2019-07-11T10:30:03","slug":"news-9501","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/07\/11\/news-9501\/","title":{"rendered":"New Windows 7 'security-only' update installs telemetry\/snooping, uh, feature"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Thu, 11 Jul 2019 03:16:00 -0700<\/strong><\/p>\n

Back in October 2016, Microsoft <\/span>divided the Win7 and 8.1 patching worlds<\/span><\/a> into two parts. <\/span><\/p>\n

Those who got their patches through Windows Update received so-called Monthly Rollups, which included security patches, bug fixes \u2013 and we frankly don\u2019t know what else \u2013 rolled out in a cumulative stream. <\/span><\/p>\n

The folks who were willing to download and manually install patches were also <\/span>given the option<\/span><\/a> of installing \u201csecurity-only\u201d patches, not cumulative; these were meant to address just the security holes.<\/span><\/p>\n

…From October 2016 onwards, Windows will release a single Security-only update. This update collects all of the security patches for that month into a single update. Unlike the Monthly Rollup, the Security-only update will only include new security patches that are released for that month. Individual patches will no longer be available…. The security-only update will allow enterprises to download as small of an update as possible while still maintaining more secure devices.<\/span><\/p>\n

We\u2019ve had lots of problems with the security-only patches in the intervening three years, with most of the difficulties tied to bugs created by the security-only patches that are fixed in Monthly Rollups.\u00a0<\/span><\/p>\n

Those who use Windows Update to get their Win7 patches have been treated to all sorts of extraneous stuff, including the infamous snooping (or should I be politically correct and call it \u201ctelemetry\u201d?) patch<\/span> KB 2952664<\/span><\/a>.<\/span><\/p>\n

Now comes word that the July security-only patch, KB 4507456, includes an unexpected bonus. Snooping, er, telemetry.<\/span><\/p>\n

According to an eagle-eyed <\/span>anonymous tip on AskWoody<\/span><\/a>:<\/span><\/p>\n

The \u201cJuly 9, 2019\u2014<\/span>KB4507456<\/strong> (Security-only update)\u201d is <\/span>NOT \u201csecurity-only\u201d update<\/strong>.<\/span><\/p>\n

It replaces infamous <\/span>KB2952664<\/strong> and contains telemetry. Some details can be found in\u00a0<\/span>file information for update 4507456<\/span><\/a> (keywords: \u201ctelemetry\u201d, \u201cdiagtrack\u201d and \u201cappraiser\u201d) and under<\/span> http:\/\/www.catalog.update.microsoft.com\/ScopedViewInline.aspx?updateid=7cdee6a8-6f30-423e-b02c-3453e14e3a6e<\/span><\/a> (in \u201cPackage details\u201d->\u201dThis update replaces the following updates\u201d and there is KB2952664 listed).<\/span><\/p>\n

As <\/span>@PKCano explains<\/span><\/a>:<\/span><\/p>\n

Microsoft included the <\/span>KB2952664<\/strong> functionality (known as the \u201cCompatibility Appraiser\u201d) in the Security Quality Monthly <\/span>Rollups<\/strong> for Windows 7 back in September 2018. The move was announced by Microsoft ahead of time.<\/span><\/p>\n

With the July 2019-07 <\/span>Security Only<\/strong> Quality Update <\/span>KB4507456<\/strong>, Microsoft has slipped this functionality into a <\/span>security-only patch<\/strong> without any warning, thus adding the \u201cCompatibility Appraiser\u201d and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates).<\/span><\/p>\n

Come on Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now.<\/span><\/p>\n

Windows guru @abbodi86 has looked at the internals of the patch and <\/span>concludes<\/span><\/a>:<\/span><\/p>\n

Disabling (or deleting) these schedule tasks after installation (before reboot) should be enough to turn off the appraiser<\/span><\/p>\n

MicrosoftWindowsApplication ExperienceProgramDataUpdater<\/span>
<\/span>MicrosoftWindowsApplication ExperienceMicrosoft Compatibility Appraiser<\/span>
<\/span>MicrosoftWindowsApplication ExperienceAitAgent<\/span><\/p>\n

but it\u2019s best to wait until next month to see if the Security-only update comes clean<\/span><\/p>\n

I\u2019ve found no indication that the Windows 8.1 Security-only patch has been similarly subverted.<\/span><\/p>\n

Debate among patch cognoscenti <\/span>rages<\/span><\/a>. Some feel that Microsoft is justified in adding telemetry to the last vestiges of Win7 \u2013 due for the scrap heap in January. Most see a fundamental deceit at play, with yet more Windows snooping software getting installed without forewarning or consent\u2026, this time in a \u201cSecurity-only\u201d patch for heaven\u2019s sake.<\/span><\/p>\n

Security veteran Dr. Vess Bontchev <\/span>put it simply<\/span><\/a>:<\/span><\/p>\n

I have officially stopped updating my Win7 machine. I no longer trust Microsoft’s updating process. I’ll protect it from any existing and future vulnerabilities with my other defenses, as well as I can.\u00a0<\/span><\/p>\n

Even if Microsoft\u2019s motives are clean as the driven snow, I find it difficult to justify this kind of contempt for Windows 7 customers. Unfortunately, with just six months of support left for the old OS, it seems unlikely that any regulatory body will take MS to task.<\/span><\/p>\n

Join the debate on <\/span><\/i>AskWoody<\/span><\/i><\/a>.<\/span><\/i><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Thu, 11 Jul 2019 03:16:00 -0700<\/strong><\/p>\n

\n
\n

Back in October 2016, Microsoft <\/span>divided the Win7 and 8.1 patching worlds<\/span><\/a> into two parts. <\/span><\/p>\n

Those who got their patches through Windows Update received so-called Monthly Rollups, which included security patches, bug fixes \u2013 and we frankly don\u2019t know what else \u2013 rolled out in a cumulative stream. <\/span><\/p>\n

The folks who were willing to download and manually install patches were also <\/span>given the option<\/span><\/a> of installing \u201csecurity-only\u201d patches, not cumulative; these were meant to address just the security holes.<\/span><\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,714,10525],"class_list":["post-15754","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15754","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15754"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15754\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15754"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15754"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15754"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}