Microsoft raises doubts by adding telemetry files to a security-only update

Microsoft's own rules for security-only updates

Updates for Windows were released earlier this week as part of the normal Patch Tuesday delivery cycle, with several security and reliability packages for every supported Windows version. But in one of the Windows 7 packages, some hawk-eyed observers noticed a surprise.

Microsoft's own rules say that what it calls a "security-only update" should contain only security fixes, not quality fixes or diagnostic tools. Almost three years ago, Microsoft split its monthly update packages for Windows 7 and Windows 8.1 into two distinct offerings: a monthly rollup of updates and fixes, and a security-only package for those who want only the patches that are indispensable.

The surprise in this month's security-only update, officially titled KB4507456, was that it bundled the KB2952664 Compatibility Appraiser, a tool that checks a Windows 7 PC for problems that would block an upgrade to Windows 10.

The Compatibility Appraiser is loathed among the vocal body of Windows Update skeptics. The concern is that such components are used to prepare individual PCs for, or spy on them ahead of, yet another round of forced upgrades. The word "telemetry" appears in at least one file name, and for certain observers it is a short step from seemingly unwanted data collection to outright spyware.

Earlier today, my former co-author and colleague Woody Leonhard noted Microsoft's "purposeful addition of telemetry functions" to the latest update:

With the July 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the “Compatibility Appraiser” and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates).

Come on, Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now?

I had the same question, so I spent the afternoon trying to get an up-to-date answer from Microsoft, the updated files, and the security newsletters. All I have is a terse Redmond "no comment."

However, my research has led me to a theory of why these mysterious files were delivered in an unexpected place. I suspect there is a security problem in some part of the Appraiser component on Windows 7 SP1. If so, the updated files would undoubtedly be included in a security update.

And if that means the files land on installations where administrators took special precautions not to install these components, Microsoft's response would appear to be, "Well… tough." The Compatibility Appraiser has been offered to most Windows 7 PCs, both separately and as part of a monthly rollup update two years ago, and it was declined on many of them.
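For administrators who want to know whether the Appraiser components actually landed on a given Windows 7 host, the following PowerShell check is an added example of mine, not code from Microsoft or from the update package. It reports whether KB4507456 and KB2952664 appear as installed hotfixes and whether the Appraiser's scheduled tasks and runner binary are present; the task names and binary path are assumed from the Appraiser's usual locations rather than taken from the update notes.

```powershell
# Added example: inventory check for the Compatibility Appraiser on Windows 7 SP1.
# Written for Windows PowerShell 2.0 (the Windows 7 default); run from an
# elevated prompt so schtasks.exe can see tasks under \Microsoft\Windows.
function Test-AppraiserFootprint {
    $results = @()

    # 1. Hotfix inventory: the security-only update and the Appraiser package it replaces.
    $kbs = @('KB4507456', 'KB2952664')
    $installed = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
    foreach ($kb in $kbs) {
        $hit = $installed | Where-Object { $_.HotFixID -eq $kb }
        $results += New-Object PSObject -Property @{
            Item    = $kb
            Present = [bool]$hit
            Detail  = if ($hit) { "installed on $($hit.InstalledOn)" } else { 'not installed' }
        }
    }

    # 2. Scheduled tasks the Appraiser registers (assumed well-known task names).
    $tasks = @(
        '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser',
        '\Microsoft\Windows\Application Experience\ProgramDataUpdater'
    )
    foreach ($t in $tasks) {
        $out = & schtasks.exe /Query /TN $t /FO LIST 2>$null
        $found = ($LASTEXITCODE -eq 0)
        $status = if ($found) { ($out | Select-String '^Status:').Line.Trim() } else { 'absent' }
        $results += New-Object PSObject -Property @{ Item = $t; Present = $found; Detail = $status }
    }

    # 3. The runner binary those tasks launch (assumed well-known path).
    $exe = Join-Path $env:windir 'System32\CompatTelRunner.exe'
    $exeFound = Test-Path $exe
    $ver = if ($exeFound) { 'version ' + (Get-Item $exe).VersionInfo.FileVersion } else { 'absent' }
    $results += New-Object PSObject -Property @{ Item = $exe; Present = $exeFound; Detail = $ver }

    return $results
}

# Print a compact report; 'Present' is $true for every Appraiser artifact found.
Test-AppraiserFootprint | Format-Table Item, Present, Detail -AutoSize
```

A host where every row reads Present = False has neither the security-only update nor the Appraiser components; a host with KB4507456 installed but no tasks or binary is worth a second look, since that is not what the package details describe.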

My records show that it is benign and that Microsoft is truthful when it says, "There's no GWX or upgrade feature included in this update." However, given the headaches users faced from unwanted upgrades during Windows 10's first year, it is understandable that some people don't believe that assurance.

Why is Microsoft so tight-lipped about this update? The company is understandably reluctant to discuss security issues outside formal channels such as release notes and bulletins. If you are a security engineer at Microsoft, this has been a tiring week, with a couple of Windows 10 zero-day exploits, including one used by Kremlin-backed hackers, being exploited in the wild.

In recent years, Microsoft has generally made its update documentation better (or at least more consistent), but incidents like this one are still marred by the company's stubborn silence. That silence only hands critics another reason to question the company's motives. Would it be so difficult to state publicly that the additional files were included because of an unspecified security problem?

Microsoft also presumably thinks it has strong arguments for making the Compatibility Appraiser mandatory as the Windows 7 end-of-support date approaches. And while Microsoft will offer paid support for another three years, the business unit responsible has every incentive to shrink the remaining user base as quickly as possible. (Yikes! That date is only six months away, on January 14, 2020.)

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.