It’s an unpleasant surprise for administrators of Windows 7 systems. Microsoft’s July 9, 2019 patchday also brings the security-only update KB4507456, but this package has telemetry on board.
Rollup and security-only updates
A brief review of the nomenclature. For Windows 7 SP1 and Windows Server 2008/R2 there was a monthly rollup update as well as a security-only update. The monthly rollup update contained all security fixes, but also bug fixes. And this rollup update included telemetry features.
Exactly these telemetry functions were missing in the security-only updates that Microsoft offers in the Microsoft Update Catalog and via WSUS. Many administrators have therefore installed the security-only updates.
Security-only update with Telemetry
German blog reader Bolko had already posted this comment on the blog a few hours ago (thanks for that).
The security-only KB4507456 contains telemetry (KB2952664, diagtrack, appraiser). Telemetry was previously only included in the rollups, but not in security-only. Quietly and secretly, Microsoft wants to extend the monitoring.
I only noticed that, but didn’t have time to dig in. Later, while visiting askwoody.com, I came across the article “Microsoft surreptitiously adds telemetry functionality to July 2019 Win7 Security-only patch” linked by Bolko. Microsoft has silently added telemetry functionality to the July 2019 security-only update for Windows 7, KB4507456. An anonymous poster had contacted askwoody.com with the following hint:
Warning for group B Windows 7 users!
The “July 9, 2019—KB4507456 (Security-only update)” is NOT a “security-only” update.
It replaces the infamous KB2952664 and contains telemetry. Some details can be found in the file information for update 4507456 (keywords: “telemetry”, “diagtrack” and “appraiser”) and under http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=7cdee6a8-6f30-423e-b02c-3453e14e3a6e (in “Package details” -> “This update replaces the following updates”, where KB2952664 is listed).
It doesn’t apply to IA-64-based systems, but applies to both x64 and x86-based systems.
The poster had inspected the file list (a link is available in the KB article). It contains entries for files with names like “telemetry”, “diagtrack” and “appraiser”. In 2016, I had already written about the Diagnostics Tracking service (DiagTrack) in the German article “Plant Microsoft die Ausweitung der Telemetriedatenerfassung in Windows 7/8.1?” (“Is Microsoft planning to expand telemetry data collection in Windows 7/8.1?”). At askwoody.com, abbodi86 writes that DiagTrack is part of the Compatel Runner. I had also written about appraiser in the article “Windows 10 V1607: Update KB4033637 finally documented”.
The anonymous poster at askwoody.com made another interesting statement. In the Microsoft Update Catalog entry for update KB4507456, the Package Details tab states that KB4507456 replaces three other updates. One of the replaced updates is KB2952664, a compatibility update to keep Windows 7 up to date. The KB article says:
This update performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program. The diagnostics evaluate the compatibility status of the Windows ecosystem, and help Microsoft to ensure application and device compatibility for all updates to Windows. There is no GWX or upgrade functionality contained in this update.
This is interpreted on askwoody.com in such a way that telemetry functions now find their way into security-only updates. It is still unclear whether the telemetry is now included in every security-only update or whether it is a one-time thing. At askwoody.com there is this thread which describes how to disable the telemetry.
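The file-list check the poster describes can be repeated on the file information of any later security-only update before it is approved. The following is an added example, not code from this article or from askwoody.com; the CSV column names and every sample row are constructed assumptions, not the real KB4507456 file information.

```python
import csv
import io
from collections import defaultdict

# Keywords the askwoody.com poster searched for in the file information.
KEYWORDS = ("telemetry", "diagtrack", "appraiser")

# Constructed sample, NOT the real KB4507456 file list. The column names
# are an assumption about the CSV layout; adjust NAME_COL/PLATFORM_COL.
SAMPLE_CSV = """File name,File version,File size,Platform
example-kernel.dll,0.0.0.1,1000,x64
Example-Telemetry-Client.dll,0.0.0.1,2000,x64
example.diagtrack.manifest,,300,x86
ExampleAppraiser.dll,0.0.0.1,4000,x86
exampleappraiser.dll,0.0.0.1,4000,x86
example-crypto.dll,0.0.0.1,5000,IA-64
"""

NAME_COL = "File name"
PLATFORM_COL = "Platform"


def scan_manifest(csv_text, keywords=KEYWORDS):
    """Return {keyword: {platform: sorted file names}} for matching rows."""
    hits = defaultdict(lambda: defaultdict(set))
    reader = csv.DictReader(io.StringIO(csv_text))
    if NAME_COL not in (reader.fieldnames or []):
        raise ValueError("manifest has no %r column" % NAME_COL)
    for row in reader:
        name = (row.get(NAME_COL) or "").strip()
        platform = (row.get(PLATFORM_COL) or "").strip() or "unknown"
        lowered = name.lower()
        for kw in keywords:
            if kw in lowered:  # case-insensitive substring match
                hits[kw][platform].add(lowered)  # de-duplicate by case
    return {kw: {p: sorted(n) for p, n in plats.items()}
            for kw, plats in hits.items()}


def has_no_keyword_hits(csv_text):
    """True when no file name in the manifest matches any keyword."""
    return not scan_manifest(csv_text)


if __name__ == "__main__":
    for kw, plats in sorted(scan_manifest(SAMPLE_CSV).items()):
        for platform, names in sorted(plats.items()):
            print("%-10s %-6s %s" % (kw, platform, ", ".join(names)))
```

An empty result only means that no file name matched a keyword; the “This update replaces the following updates” list in the Update Catalog still has to be checked separately.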
I have officially stopped updating my Win7 machine. I no longer trust Microsoft’s updating process. I’ll protect it from any existing and future vulnerabilities with my other defenses, as well as I can. Fuck you, @microsoft. https://t.co/x3CYassKMO
— Vess (@VessOnSecurity) July 10, 2019
VessOnSecurity, a security researcher, has drawn his own conclusions and announced them on Twitter (see above). He won’t update his Windows 7 anymore, because he no longer trusts Microsoft.