New Windows 7 'security-only' update installs telemetry/snooping, uh, feature

Credit to Author: Woody Leonhard| Date: Thu, 11 Jul 2019 03:16:00 -0700

Back in October 2016, Microsoft divided the Win7 and 8.1 patching worlds into two parts.

Those who got their patches through Windows Update received so-called Monthly Rollups, which included security patches, bug fixes – and we frankly don’t know what else – rolled out in a cumulative stream.

The folks who were willing to download and manually install patches were also given the option of installing “security-only” patches, not cumulative; these were meant to address just the security holes.

…From October 2016 onwards, Windows will release a single Security-only update. This update collects all of the security patches for that month into a single update. Unlike the Monthly Rollup, the Security-only update will only include new security patches that are released for that month. Individual patches will no longer be available…. The security-only update will allow enterprises to download as small of an update as possible while still maintaining more secure devices.

We’ve had lots of problems with the security-only patches in the intervening three years, with most of the difficulties tied to bugs created by the security-only patches that are fixed in Monthly Rollups. 

Those who use Windows Update to get their Win7 patches have been treated to all sorts of extraneous stuff, including the infamous snooping (or should I be politically correct and call it “telemetry”?) patch KB 2952664.

Now comes word that the July security-only patch, KB 4507456, includes an unexpected bonus. Snooping, er, telemetry.

According to an eagle-eyed anonymous tip on AskWoody:

The “July 9, 2019—KB4507456 (Security-only update)” is NOT “security-only” update.

It replaces infamous KB2952664 and contains telemetry. Some details can be found in file information for update 4507456 (keywords: “telemetry”, “diagtrack” and “appraiser”) and under http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=7cdee6a8-6f30-423e-b02c-3453e14e3a6e (in “Package details”->”This update replaces the following updates” and there is KB2952664 listed).

As @PKCano explains:

Microsoft included the KB2952664 functionality (known as the “Compatibility Appraiser”) in the Security Quality Monthly Rollups for Windows 7 back in September 2018. The move was announced by Microsoft ahead of time.

With the July 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the “Compatibility Appraiser” and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates).

Come on Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now.

Windows guru @abbodi86 has looked at the internals of the patch and concludes:

Disabling (or deleting) these schedule tasks after installation (before reboot) should be enough to turn off the appraiser

MicrosoftWindowsApplication ExperienceProgramDataUpdater
MicrosoftWindowsApplication ExperienceMicrosoft Compatibility Appraiser
MicrosoftWindowsApplication ExperienceAitAgent

but it’s best to wait until next month to see if the Security-only update comes clean

I’ve found no indication that the Windows 8.1 Security-only patch has been similarly subverted.

Debate among patch cognoscenti rages. Some feel that Microsoft is justified in adding telemetry to the last vestiges of Win7 – due for the scrap heap in January. Most see a fundamental deceit at play, with yet more Windows snooping software getting installed without forewarning or consent…, this time in a “Security-only” patch for heaven’s sake.

Security veteran Dr. Vess Bontchev put it simply:

I have officially stopped updating my Win7 machine. I no longer trust Microsoft’s updating process. I’ll protect it from any existing and future vulnerabilities with my other defenses, as well as I can. 

Even if Microsoft’s motives are clean as the driven snow, I find it difficult to justify this kind of contempt for Windows 7 customers. Unfortunately, with just six months of support left for the old OS, it seems unlikely that any regulatory body will take MS to task.

Join the debate on AskWoody.

http://www.computerworld.com/category/security/index.rss