Microsoft surreptitiously adds telemetry functionality to July 2019 Win7 Security-only patch


Karlston

Unannounced, Microsoft has added telemetry functionality to the July 2019 Security-only Update for Windows 7 KB4507456. Alerted on Patch Tuesday by an anonymous poster:

Warning for group B Windows 7 users!

 

The “July 9, 2019—KB4507456 (Security-only update)” is NOT a “security-only” update.

 

It replaces the infamous KB2952664 and contains telemetry. Some details can be found in the file information for update 4507456 (keywords: “telemetry”, “diagtrack” and “appraiser”) and under http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=7cdee6a8-6f30-423e-b02c-3453e14e3a6e (in “Package details” -> “This update replaces the following updates”, where KB2952664 is listed).

 

It doesn’t apply to IA-64-based systems, but applies to both x64 and x86-based systems.

Microsoft included the KB2952664 functionality (known as the “Compatibility Appraiser”) in the Security Quality Monthly Rollups for Windows 7 back in September 2018. The move was announced by Microsoft ahead of time.

 

With the July 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the “Compatibility Appraiser” and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates).

 

Come on Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now?

 

Susan, we need your Pinocchio with a loooooong nose.

Source: Microsoft surreptitiously adds telemetry functionality to July 2019 Win7 Security-only patch (AskWoody)


I had just downloaded the KB4507456 "security only" update yesterday but I hadn't installed it. This underhand dictatorial attitude by Microsoft is exactly why people fear how the digital/internet technology can and will be abused by those who see themselves as our (self-proclaimed) masters with the right to force feed us whatever they decide, whether we want it or not. If we don't fight back against this "1984" treatment now, then future generations will suffer the worst totalitarian surveillance and control that mankind has seen.

Needless to say I'm not going to install the aforementioned update...Microsneaky can install it where the sun don't shine!!😀😀😀   


More info from Woody...

New Windows 7 'security-only' update installs telemetry/snooping, uh, feature

Three years ago, Microsoft promised to keep Win7 and 8.1 updated with two tracks of patches - Monthly Rollups that include everything and “security-only” patches that are supposed to be limited to security fixes. Guess what just happened.

Back in October 2016, Microsoft divided the Win7 and 8.1 patching worlds into two parts.

 

Those who got their patches through Windows Update received so-called Monthly Rollups, which included security patches, bug fixes – and we frankly don’t know what else – rolled out in a cumulative stream.

 

The folks who were willing to download and manually install patches were also given the option of installing “security-only” patches, not cumulative; these were meant to address just the security holes.

...From October 2016 onwards, Windows will release a single Security-only update. This update collects all of the security patches for that month into a single update. Unlike the Monthly Rollup, the Security-only update will only include new security patches that are released for that month. Individual patches will no longer be available.... The security-only update will allow enterprises to download as small of an update as possible while still maintaining more secure devices.

We’ve had lots of problems with the security-only patches in the intervening three years, with most of the difficulties tied to bugs created by the security-only patches that are fixed in Monthly Rollups. 

 

Those who use Windows Update to get their Win7 patches have been treated to all sorts of extraneous stuff, including the infamous snooping (or should I be politically correct and call it “telemetry”?) patch KB 2952664.

 

Now comes word that the July security-only patch, KB 4507456, includes an unexpected bonus. Snooping, er, telemetry.

According to an eagle-eyed anonymous tip on AskWoody:

The “July 9, 2019—KB4507456 (Security-only update)” is NOT a “security-only” update.

 

It replaces the infamous KB2952664 and contains telemetry. Some details can be found in the file information for update 4507456 (keywords: “telemetry”, “diagtrack” and “appraiser”) and under http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=7cdee6a8-6f30-423e-b02c-3453e14e3a6e (in “Package details” -> “This update replaces the following updates”, where KB2952664 is listed).

As @PKCano explains:

Microsoft included the KB2952664 functionality (known as the “Compatibility Appraiser”) in the Security Quality Monthly Rollups for Windows 7 back in September 2018. The move was announced by Microsoft ahead of time.

 

With the July 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the “Compatibility Appraiser” and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates).

 

Come on Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now?

Windows guru @abbodi86 has looked at the internals of the patch and concludes:

Disabling (or deleting) these scheduled tasks after installation (before reboot) should be enough to turn off the appraiser

 

\Microsoft\Windows\Application Experience\ProgramDataUpdater
\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
\Microsoft\Windows\Application Experience\AitAgent

 

but it’s best to wait until next month to see if the Security-only update comes clean

I’ve found no indication that the Windows 8.1 Security-only patch has been similarly subverted.

 

Debate among patch cognoscenti rages. Some feel that Microsoft is justified in adding telemetry to the last vestiges of Win7 – due for the scrap heap in January. Most see a fundamental deceit at play, with yet more Windows snooping software getting installed without forewarning or consent…, this time in a “Security-only” patch for heaven’s sake.

 

Security veteran Dr. Vess Bontchev put it simply:

I have officially stopped updating my Win7 machine. I no longer trust Microsoft's updating process. I'll protect it from any existing and future vulnerabilities with my other defenses, as well as I can. 

Even if Microsoft’s motives are clean as the driven snow, I find it difficult to justify this kind of contempt for Windows 7 customers. Unfortunately, with just six months of support left for the old OS, it seems unlikely that any regulatory body will take MS to task.

 

Join the debate on AskWoody.

Source: New Windows 7 'security-only' update installs telemetry/snooping, uh, feature (Computerworld - Woody Leonhard)
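
The scheduled-task check described in the quoted article, as an added example that is not part of the original posts or the article. It reports whether KB4507456 is installed and the state of the three tasks named above, and disables them only when asked. The `-Disable` switch and all variable names are chosen for this example; it assumes an elevated PowerShell 2.0 prompt on Windows 7 and uses the Task Scheduler COM interface.

```powershell
# Added example: audit (and optionally disable) the Application Experience
# tasks named in the post. Run elevated. Works with PowerShell 2.0 on Windows 7.
param([switch]$Disable)   # example switch: without it the script only reports

$kb         = 'KB4507456'
$folderPath = '\Microsoft\Windows\Application Experience'
$taskNames  = 'ProgramDataUpdater', 'Microsoft Compatibility Appraiser', 'AitAgent'
# IRegisteredTask.State values from the Task Scheduler 2.0 API
$stateNames = @{ 0 = 'Unknown'; 1 = 'Disabled'; 2 = 'Queued'; 3 = 'Ready'; 4 = 'Running' }

# Is the update present? Get-HotFix reads Win32_QuickFixEngineering.
$installed = @(Get-HotFix | Where-Object { $_.HotFixID -eq $kb }).Count -gt 0
Write-Output ("{0} installed: {1}" -f $kb, $installed)

$svc = New-Object -ComObject Schedule.Service
$svc.Connect()

try   { $folder = $svc.GetFolder($folderPath) }
catch { Write-Output "Task folder not found: $folderPath"; return }

foreach ($name in $taskNames) {
    # GetTask throws when the task does not exist on this machine
    try   { $task = $folder.GetTask($name) }
    catch { Write-Output ("{0,-36} not present" -f $name); continue }

    if ($Disable -and $task.Enabled) {
        # Same effect as: schtasks /Change /TN "<folder>\<name>" /Disable
        $task.Enabled = $false
        $task = $folder.GetTask($name)   # re-read to confirm the change took
    }

    Write-Output ("{0,-36} enabled={1} state={2}" -f `
        $name, $task.Enabled, $stateNames[[int]$task.State])
}
```

Running it again after a later update shows whether a patch has re-created or re-enabled any of the tasks.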


So what is the deal about telemetry?  Anyone own a smartphone out there? 😄😄


The two issues here, as I see it, are...

 

1. Hiding a telemetry update in a Security-only Patch. Microsoft being sneaky. Yet again.

 

2. What can be the intention of a "Compatibility Appraiser" for Windows 7 other than sussing out whether it can be "upgraded" to Windows 10?


37 minutes ago, Karlston said:

The two issues here, as I see it, are...

 

1. Hiding a telemetry update in a Security-only Patch. Microsoft being sneaky. Yet again.

 

2. What can be the intention of a "Compatibility Appraiser" for Windows 7 other than sussing out whether it can be "upgraded" to Windows 10?

1)  How do you know it is not for security?  If it is indeed a security update it is all about upgrading to the Windows 10 OS which is definitely more secure than Windows 7

2)  See #1


55 minutes ago, dhjohns said:

How do you know it is not for security?

 

I don't know for sure, and with respect, neither do you. :P  For now I'll believe the knowledgeable folks quoted in the article.

 

The Compatibility Appraiser has its roots in the infamous GWX campaign, and we all know how incredibly popular that was with 7 and 8.1 users.

 

Some of us have long memories and trust Microsoft about as far as we can throw Steve Ballmer's chair... with him sitting in it :)

 

1 hour ago, dhjohns said:

If it is indeed a security update it is all about upgrading to the Windows 10 OS which is definitely more secure than Windows 7

 

I'll happily trade Windows 10's alleged "better security" for the stability, maturity, and user-control of 7 and 8.1 (together with a competent AV and practising good internet hygiene), every day of the week.


2 minutes ago, Karlston said:

I'll happily trade Windows 10's alleged "better security" for the stability, maturity, and user-control of 7 and 8.1 (together with a competent AV and practising good internet hygiene), every day of the week.

I ditched Windows 7 at the first opportunity.  Oh well each to his own.  It is pretty ancient right now.


Archived

This topic is now archived and is closed to further replies.
