Under Microsoft's rules, what it calls "Security-only updates" are supposed to include, well, only security updates, not quality fixes or diagnostic tools. Nearly three years ago, Microsoft split its monthly update packages for Windows 7 and Windows 8.1 into two distinct offerings: a monthly rollup of updates and fixes and, for those who want only those patches that are absolutely essential, a Security-only update package. What was surprising about this month's Security-only update, formally titled the "July 9, 2019—KB4507456 (Security-only update)," is that it bundled the Compatibility Appraiser, KB2952664, which is designed to identify issues that could prevent a Windows 7 PC from updating to Windows 10.
Among the fierce corps of Windows Update skeptics, the Compatibility Appraiser tool is to be shunned aggressively. The concern is that these components are being used to prepare for another round of forced updates or to spy on individual PCs. The word telemetry appears in at least one file, and for some observers it's a short step from seemingly innocuous data collection to outright spyware. My longtime colleague and erstwhile co-author, Woody Leonhard, noted earlier today that Microsoft appeared to be "surreptitiously adding telemetry functionality" to the latest update:
With the July 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the "Compatibility Appraiser" and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates). Come on Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now.
I had the same question, so I spent the afternoon poking through update files and security bulletins and trying to get an on-the-record response from Microsoft. I got a terse "no comment" from Redmond. My research did, however, lead me to a theory for why these mysterious files are shipping in an unexpected location. I suspect that some part of the Appraiser component on Windows 7 SP1 has a security issue of its own. If that's the case, then the updates indisputably belong in a Security-only update.
And if they happen to get installed on systems where administrators had taken special precautions not to install those components, Microsoft's reaction seems to be, "Well ... tough." The Appraiser tool was offered via Windows Update, both separately and as part of a monthly rollup update two years ago; as a result, most of the declining population of Windows 7 PCs already has it installed.
For the record, my experience with this update is that it's benign and Microsoft is being truthful when they say "There is no GWX or upgrade functionality contained in this update." But given the headaches users faced over unwanted upgrades back in Windows 10's first year, it's understandable that some people don't believe that assurance.
Why is Microsoft being so tight-lipped about this update? The company's understandably reluctant to talk about security issues except in formal settings like release notes and support bulletins. If you're a Microsoft security engineer, this has already been an exhausting week thanks to a pair of Windows 10 zero-day exploits being used in the wild, including by Kremlin-backed hackers.
Microsoft's communications about updates have gotten generally better (or at least more consistent) in recent years, but there are still issues like this one where the company's stubborn silence is baffling. It just serves as evidence for critics that the company has an ulterior motive. Would it really be that difficult to publicly state that the additional files were included because of an unspecified security issue?
It's also possible that Microsoft thinks it has a strong case for making the Compatibility Appraiser tool mandatory as the Windows 7 end-of-support date nears. (Yikes! That deadline is only about six months away, on January 14, 2020.) And even though Microsoft will offer paid support for another three years, that's a business unit whose milestones probably include decreasing the user base as quickly as possible.