Microsoft stirs suspicions by adding telemetry files to security-only update

Nothing to see here, move along…

[…] My longtime colleague and erstwhile co-author, Woody Leonhard, noted earlier today that Microsoft appeared to be “surreptitiously adding telemetry functionality” to the latest update:

With the July 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the “Compatibility Appraiser” and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates).

Come on, Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now?

I had the same question, so I spent the afternoon poking through update files and security bulletins and trying to get an on-the-record response from Microsoft. I got a terse “no comment” from Redmond.

My research did, however, lead me to a theory for why these mysterious files are shipping in an unexpected location. I suspect that some part of the Appraiser component on Windows 7 SP1 has a security issue of its own. If that’s the case, then the updates indisputably belong in a Security-only update.

