Microsoft Includes Telemetry Update in Security Patches, Raising Fears About Company Motives
Several years ago, Microsoft changed how it delivered security patches to its older operating systems like Windows 7, 8.1, and Windows Server 2012. Under the rules for its “Security-only updates,” Microsoft only includes, well, security updates for these products when it releases its monthly patches. This week, Microsoft released updates that touch the telemetry gathering side of its operating systems, and that has certain users seeing red.
One of the updates included in the monthly rollup, formally known as KB4507456, is KB2952664, titled “Compatibility update for keeping Windows up-to-date in Windows 7.” The description for the update states:
This update performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program. The diagnostics evaluate the compatibility status of the Windows ecosystem, and help Microsoft to ensure application and device compatibility for all updates to Windows. There is no GWX or upgrade functionality contained in this update.
Ed Bott spent time digging at the problem but found little in the way of an explanation for why Microsoft is distributing a telemetry update in a security-only update roll-up. Microsoft was unwilling to comment. He was able to confirm that the update is not a mistake… and that’s pretty much all.
There’s a way to read this situation that isn’t nasty to Microsoft. Bott believes that the update actually is a security fix for the Compatibility Appraiser. Keep in mind that many Windows 7 systems still have the Appraiser installed, and may, therefore, have an intrinsic security vulnerability baked into their files. If this is the case — if Microsoft discovered a vulnerability in its Compatibility Appraiser — then few would argue that the company shouldn’t patch it or that distributing such a patch in a security rollup constitutes misuse.
But if that’s the case, why doesn’t Microsoft just admit it? It’s possible that the company is trying to avoid disclosing more about security updates than it has to, or wants to avoid kicking a hornet’s nest of trouble if it tells people that the Compatibility Appraiser has a problem. But there’s also the possibility that Microsoft wants to deploy the CA tool again, now that Windows 7 SP1 is due to be sunset by next January. When that happens, all of the computers currently running the OS will need to be upgraded to a newer OS in order to continue receiving security updates.
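For administrators who want to know where their Windows 7 machines stand, the following PowerShell check is an added example, not code from the article or from Microsoft. It reports whether the two updates named above are installed, whether the machine is opted into the Customer Experience Improvement Program (the condition under which KB2952664 performs its diagnostics), and whether the Compatibility Appraiser scheduled task is present; the registry value names and task path are assumptions based on standard Windows 7 locations.

```powershell
# Added example (not from the article). Run in an elevated PowerShell prompt on Windows 7 SP1.
$kbs = 'KB2952664', 'KB4507456'   # IDs as given in the article

# 1. Is either update installed? Get-HotFix reads Win32_QuickFixEngineering,
#    which does not list every update, so treat "not found" as "not reported".
foreach ($kb in $kbs) {
    $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hf) { "$kb : installed on $($hf.InstalledOn)" }
    else     { "$kb : not reported by Win32_QuickFixEngineering" }
}

# 2. CEIP participation. The policy key (assumed path) overrides the user/OOBE
#    setting; CEIPEnable = 1 means the machine opts in, 0 means opted out.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
$localKey  = 'HKLM:\SOFTWARE\Microsoft\SQMClient\Windows'
$policy = (Get-ItemProperty -Path $policyKey -Name CEIPEnable -ErrorAction SilentlyContinue).CEIPEnable
$local  = (Get-ItemProperty -Path $localKey  -Name CEIPEnable -ErrorAction SilentlyContinue).CEIPEnable
if ($null -ne $policy) { "CEIP : policy-controlled, CEIPEnable=$policy" }
elseif ($null -ne $local) { "CEIP : CEIPEnable=$local (1 = participating)" }
else { "CEIP : no CEIPEnable value found (default is opted out)" }

# 3. Is the Compatibility Appraiser task registered? (task path is an assumption)
$task = '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser'
$out = schtasks.exe /Query /TN $task /FO LIST 2>$null
if ($LASTEXITCODE -eq 0) {
    $status = ($out | Select-String '^Status:').Line
    "Appraiser task: present ($status)"
} else {
    "Appraiser task: not registered"
}
```

If you do not want the Appraiser running, disabling CEIP through the policy value above is the supported route; removing the update itself is a separate decision that also drops whatever fix it may carry.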
Microsoft Created This Problem for Itself
This problem is entirely Microsoft’s fault. The reason end-users are freaking out over a compatibility tool is simple. When Microsoft announced that it would give Windows 10 away for free and create a widget end-users could rely on to tell them when their PCs were cleared for upgrading, it was relatively well-received — at first.
It didn’t take long for the problems to start popping up. We put together a bit of a slideshow to walk you back through it, just for fun.
Microsoft poisoned the Windows 7 upgrade well by treating its customers who were choosing not to upgrade as if they were idiot children who needed to be lied to, brow-beaten, tricked, and forced into running an updated version of an operating system. In doing so, the company completely ignored one of the most basic principles of customer service: Forcing someone to use your product in the way you prefer but they loathe has long-term consequences. In this case, Microsoft destroyed its own ability to offer upgrade assistants to end-users who don’t want to install a utility on their computer that has a high likelihood of working against them and how they choose to use their system.
Personally, I think Ed Bott’s idea about a potential security flaw necessitating a software update is entirely reasonable. For Microsoft’s sake, I hope it’s true. The company has slowly, painstakingly won back some credibility for itself by being far more transparent on how it collects telemetry and giving users more control over updates. It would be a shame to blow that collection of goodwill by returning to the aggressive tactics that alienated its user base four years ago.
If this update was the first step in reintroducing a compatibility tool to Windows 7 users whether they want one or not, our advice is simple: Don’t.
Just don’t.
By all means, notify users that they’re going to stop getting security updates. But don’t take the step of trying to force them to upgrade to Windows 10. Nothing good will come of this.