Microsoft surreptitiously adds telemetry functionality to July 2019 Win7 Security-only patch

Karlston

Unannounced, Microsoft has added telemetry functionality to the July 2019 Security-only Update for Windows 7 KB4507456. Alerted on Patch Tuesday by an anonymous poster:

Warning for group B Windows 7 users!

 

The “July 9, 2019—KB4507456 (Security-only update)” is NOT a “security-only” update.

 

It replaces infamous KB2952664 and contains telemetry. Some details can be found in file information for update 4507456 (keywords: “telemetry”, “diagtrack” and “appraiser”) and under http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=7cdee6a8-6f30-423e-b02c-3453e14e3a6e (in “Package details” -> “This update replaces the following updates” and there is KB2952664 listed).

 

It doesn’t apply to IA-64-based systems, but applies to both x64 and x86-based systems.

Microsoft included the KB2952664 functionality (known as the “Compatibility Appraiser”) in the Security Quality Monthly Rollups for Windows 7 back in September 2018. The move was announced by Microsoft ahead of time.

 

With the July 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the “Compatibility Appraiser” and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates).

 

Come on Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now.

 

Susan, we need your Pinocchio with a loooooong nose.

 

 

 

Source: Microsoft surreptitiously adds telemetry functionality to July 2019 Win7 Security-only patch (AskWoody)

funkyy

I had just downloaded the KB4507456 "security only" update yesterday but I hadn't installed it. This underhand dictatorial attitude by Microsoft is exactly why people fear how the digital/internet technology can and will be abused by those who see themselves as our (self-proclaimed) masters with the right to force feed us whatever they decide, whether we want it or not. If we don't fight back against this "1984" treatment now, then future generations will suffer the worst totalitarian surveillance and control that mankind has seen.

Needless to say I'm not going to install the aforementioned update...Microsneaky can install it where the sun don't shine!!😀😀😀   

Karlston

More info from Woody...

New Windows 7 'security-only' update installs telemetry/snooping, uh, feature

Three years ago, Microsoft promised to keep Win7 and 8.1 updated with two tracks of patches - Monthly Rollups that include everything and “security-only” patches that are supposed to be limited to security fixes. Guess what just happened.


Back in October 2016, Microsoft divided the Win7 and 8.1 patching worlds into two parts.

 

Those who got their patches through Windows Update received so-called Monthly Rollups, which included security patches, bug fixes – and we frankly don’t know what else – rolled out in a cumulative stream.

 

The folks who were willing to download and manually install patches were also given the option of installing “security-only” patches, not cumulative; these were meant to address just the security holes.

...From October 2016 onwards, Windows will release a single Security-only update. This update collects all of the security patches for that month into a single update. Unlike the Monthly Rollup, the Security-only update will only include new security patches that are released for that month. Individual patches will no longer be available.... The security-only update will allow enterprises to download as small of an update as possible while still maintaining more secure devices.

We’ve had lots of problems with the security-only patches in the intervening three years, with most of the difficulties tied to bugs created by the security-only patches that are fixed in Monthly Rollups. 

 

Those who use Windows Update to get their Win7 patches have been treated to all sorts of extraneous stuff, including the infamous snooping (or should I be politically correct and call it “telemetry”?) patch KB 2952664.

 

Now comes word that the July security-only patch, KB 4507456, includes an unexpected bonus. Snooping, er, telemetry.

According to an eagle-eyed anonymous tip on AskWoody:

The “July 9, 2019—KB4507456 (Security-only update)” is NOT a “security-only” update.

 

It replaces infamous KB2952664 and contains telemetry. Some details can be found in file information for update 4507456 (keywords: “telemetry”, “diagtrack” and “appraiser”) and under http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=7cdee6a8-6f30-423e-b02c-3453e14e3a6e (in “Package details” -> “This update replaces the following updates” and there is KB2952664 listed).

As @PKCano explains:

Microsoft included the KB2952664 functionality (known as the “Compatibility Appraiser”) in the Security Quality Monthly Rollups for Windows 7 back in September 2018. The move was announced by Microsoft ahead of time.

 

With the July 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the “Compatibility Appraiser” and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates).

 

Come on Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now.

Windows guru @abbodi86 has looked at the internals of the patch and concludes:

Disabling (or deleting) these scheduled tasks after installation (before reboot) should be enough to turn off the appraiser

 

\Microsoft\Windows\Application Experience\ProgramDataUpdater
\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
\Microsoft\Windows\Application Experience\AitAgent

 

but it’s best to wait until next month to see if the Security-only update comes clean

I’ve found no indication that the Windows 8.1 Security-only patch has been similarly subverted.

 

Debate among patch cognoscenti rages. Some feel that Microsoft is justified in adding telemetry to the last vestiges of Win7 – due for the scrap heap in January. Most see a fundamental deceit at play, with yet more Windows snooping software getting installed without forewarning or consent…, this time in a “Security-only” patch for heaven’s sake.

 

Security veteran Dr. Vess Bontchev put it simply:

I have officially stopped updating my Win7 machine. I no longer trust Microsoft's updating process. I'll protect it from any existing and future vulnerabilities with my other defenses, as well as I can. 

Even if Microsoft’s motives are clean as the driven snow, I find it difficult to justify this kind of contempt for Windows 7 customers. Unfortunately, with just six months of support left for the old OS, it seems unlikely that any regulatory body will take MS to task.

 

Join the debate on AskWoody.

 

 

 

Source: New Windows 7 'security-only' update installs telemetry/snooping, uh, feature (Computerworld - Woody Leonhard)

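The mitigation quoted from @abbodi86 in the post above (disable the three Application Experience scheduled tasks after installing the update and before rebooting) can be scripted. The following is an added example, not part of the thread or of the quoted article; it assumes an elevated PowerShell 2.0 prompt on Windows 7 and English-language `schtasks.exe` column names, and the function name `Get-TaskState` is this example's own.

```powershell
# Added example: audit and disable the Compatibility Appraiser tasks named in the post.
# Run elevated. Uses schtasks.exe because Windows 7 has no ScheduledTasks PowerShell module.
$kb    = 'KB4507456'
$tasks = @(
    '\Microsoft\Windows\Application Experience\ProgramDataUpdater',
    '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser',
    '\Microsoft\Windows\Application Experience\AitAgent'
)

# Report whether the update is present. The tasks can also exist without it,
# since the post says the same functionality shipped earlier in KB2952664.
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($hotfix) { "$kb is installed" } else { "$kb is not installed" }

function Get-TaskState([string]$Name) {
    # schtasks.exe exits non-zero when the task does not exist.
    $csv = & schtasks.exe /Query /TN $Name /FO CSV /V 2>$null
    if ($LASTEXITCODE -ne 0) { return 'Missing' }
    # Verbose output can contain one row per trigger; the first row is enough.
    # 'Scheduled Task State' is the English column name (assumption).
    $row = $csv | ConvertFrom-Csv | Select-Object -First 1
    return $row.'Scheduled Task State'
}

foreach ($t in $tasks) {
    $before = Get-TaskState $t
    if ($before -eq 'Missing') {
        "{0}: not present" -f $t
        continue
    }
    if ($before -ne 'Disabled') {
        & schtasks.exe /Change /TN $t /Disable | Out-Null
    }
    # Query again so the report shows the state actually in effect.
    "{0}: {1} -> {2}" -f $t, $before, (Get-TaskState $t)
}
```

Each line of output shows a task's state before and after the change, so running the script again after a later update shows whether any of the three tasks is enabled again.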
dhjohns

So what is the deal about telemetry?  Anyone own a smartphone out there? 😄😄

Karlston

The two issues here, as I see it, are...

 

1. Hiding a telemetry update in a Security-only Patch. Microsoft being sneaky. Yet again.

 

2. What can be the intention of a "Compatibility Appraiser" for Windows 7 other than sussing out whether it can be "upgraded" to Windows 10?

dhjohns
Posted (edited)
37 minutes ago, Karlston said:

The two issues here, as I see it, are...

 

1. Hiding a telemetry update in a Security-only Patch. Microsoft being sneaky. Yet again.

 

2. What can be the intention of a "Compatibility Appraiser" for Windows 7 other than sussing out whether it can be "upgraded" to Windows 10?

1)  How do you know it is not for security?  If it is indeed a security update it is all about upgrading to the Windows 10 OS which is definitely more secure than Windows 7

2)  See #1

Edited by dhjohns

Karlston
55 minutes ago, dhjohns said:

How do you know it is not for security?

 

I don't know for sure, and with respect, neither do you. :P  For now I'll believe the knowledgeable folks quoted in the article.

 

The Compatibility Appraiser has its roots in the infamous GWX campaign, and we all know how incredibly popular that was with 7 and 8.1 users.

 

Some of us have long memories and trust Microsoft about as far as we can throw Steve Ballmer's chair... with him sitting in it :)

 

1 hour ago, dhjohns said:

If it is indeed a security update it is all about upgrading to the Windows 10 OS which is definitely more secure than Windows 7

 

I'll happily trade Windows 10's alleged "better security" for the stability, maturity, and user-control of 7 and 8.1 (together with a competent AV and practising good internet hygiene), every day of the week.

dhjohns
2 minutes ago, Karlston said:

I'll happily trade Windows 10's alleged "better security" for the stability, maturity, and user-control of 7 and 8.1 (together with a competent AV and practising good internet hygiene), every day of the week.

I ditched Windows 7 at the first opportunity.  Oh well each to his own.  It is pretty ancient right now.

