The recent Windows 7 ‘security-only’ update also includes telemetry components, which many users may not be aware of. Depending on whom you ask, such components range from “innocuous data collection to outright spyware”, as ZDNet puts it.
Per Microsoft, a “Security-only update” should contain nothing but security fixes: no quality fixes, diagnostic tools or other extras. In October 2016, Microsoft split Windows 7 and 8.1 patching into two tracks: a Monthly Rollup that bundles security and non-security fixes, and a Security-only update package for those who want only the essential patches.
Why is this “security-only” update suspicious?
What was surprising about this month’s Security-only update, formally titled the “July 9, 2019—KB4507456 (Security-only update),” is that it bundled the Compatibility Appraiser, KB2952664, a component designed to identify issues that could prevent a Windows 7 PC from upgrading to Windows 10.
An anonymous user commented on Woody Leonhard’s post on the July 2019 security update published on his website, AskWoody. Leonhard is a Senior Contributing Editor at InfoWorld, and Senior Editor at Windows Secrets.
“Warning for group B Windows 7 users!
The “July 9, 2019—KB4507456 (Security-only update)” is NOT a “security-only” update.
It replaces infamous KB2952664 and contains telemetry. Some details can be found in file information for update 4507456 (keywords: “telemetry”, “diagtrack” and “appraiser”) and under http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=7cdee6a8-6f30-423e-b02c-3453e14e3a6e (in “Package details”->”This update replaces the following updates” and there is KB2952664 listed).
It doesn’t apply to IA-64-based systems, but applies to both x64 and x86-based systems.”
“Microsoft included the KB2952664 functionality (known as the “Compatibility Appraiser”) in the Security Quality Monthly Rollups for Windows 7 back in September 2018. The move was announced by Microsoft ahead of time”, another user, @PKCano, explains.
The user further added, “With the July 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the “Compatibility Appraiser” and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates).”
“Come on Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now?”, the user concluded.
ZDNet states, “The Appraiser tool was offered via Windows Update, both separately and as part of a monthly rollup update two years ago; as a result, most of the declining population of Windows 7 PCs already has it installed”.
Ed Bott, a technology writer at ZDNet, says that this update is benign and also that Microsoft is being truthful when they say “There is no GWX or upgrade functionality contained in this update.”
If so, why is Microsoft not briefing users about this update? Many users are confused about whether or not they should update their systems.
A user commented on AskWoody, “So should this update be skipped or installed? This appears to pose a dilemma, at least right now. I hope that some weeks from now, by the time we are closer to a green DEFCON, this has been sorted out”.
Another user speculated that this issue might be resolved in the next update, “Disabling (or deleting) these scheduled tasks after installation (before reboot) should be enough to turn off the appraiser
\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
but it’s best to wait for next month to see if the SO update comes clean”
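As an added example (not part of the article or of any AskWoody commenter’s text), the following PowerShell script ties together the checks the comments describe: whether KB4507456 or the KB2952664 it supersedes is installed, the state of the Compatibility Appraiser scheduled task named above, and the DiagTrack service behind the “diagtrack” keyword in the update’s file list. It is report-only unless run with -Disable, and it assumes an elevated prompt. Windows 7 ships PowerShell 2.0, which has no Get-ScheduledTask cmdlet, so schtasks.exe is used for the task and WMI for the service.

```powershell
# Added example: inspect (and optionally disable) the Compatibility Appraiser on Windows 7.
# Not code from the article or its commenters. Run from an elevated PowerShell prompt;
# report-only by default, pass -Disable to actually disable the scheduled task.
param(
    [switch]$Disable
)

# 1. Which of the two packages is present? The catalog lists KB4507456 as replacing
#    KB2952664, so a PC that took the July 2019 security-only update may show only KB4507456.
foreach ($kb in 'KB4507456', 'KB2952664') {
    $fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($fix) { "{0}: installed on {1}" -f $kb, $fix.InstalledOn }
    else      { "{0}: not installed" -f $kb }
}

# 2. The scheduled task named in the AskWoody comment. schtasks.exe exits non-zero
#    when the task does not exist, so a machine without the appraiser is handled too.
$task = '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser'
$info = & schtasks.exe /Query /TN $task /FO LIST /V 2>$null
if ($LASTEXITCODE -ne 0) {
    "Task not found: $task"
}
else {
    # Status (Ready/Disabled/Running), next run time and the command the task launches
    $info | Where-Object { $_ -match '^(Status|Scheduled Task State|Next Run Time|Task To Run):' }
    if ($Disable) {
        & schtasks.exe /Change /TN $task /DISABLE | Out-Null
        if ($LASTEXITCODE -eq 0) { "Disabled: $task" }
        else { "Failed to disable $task (schtasks exit code $LASTEXITCODE)" }
    }
}

# 3. The DiagTrack service. Win32_Service is used because PowerShell 2.0's Get-Service
#    does not expose the start mode.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='DiagTrack'"
if ($svc) { "DiagTrack service: {0}, start mode {1}" -f $svc.State, $svc.StartMode }
else      { "DiagTrack service: not present" }
```

Disabling the task only stops it from being triggered; the appraiser files installed by the update stay on disk, which is why the commenter above suggests waiting to see whether the next security-only release ships without them.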
ZDNet suggests the reason may be that Windows 7 is nearing its end-of-support date, January 14, 2020: “It’s also possible that Microsoft thinks it has a strong case for making the Compatibility Appraiser tool mandatory as the Windows 7 end-of-support date nears”.
For more details, see Microsoft’s release notes for the security update.
*** This is a Security Bloggers Network syndicated blog from Security News – Packt Hub authored by Savia Lobo. Read the original post at: https://hub.packtpub.com/microsoft-adds-telemetry-files-in-a-security-only-update-without-prior-notice-to-users/