
As expected, Windows Update dropped off several packages of security and reliability fixes for Windows 7 earlier this week, part of the normal Patch Tuesday delivery cycle for every version of Windows. But some hawk-eyed observers noted a surprise in one of those Windows 7 packages.

Under Microsoft's rules, what it calls "Security-only updates" are supposed to include, well, only security updates, not quality fixes or diagnostic tools. Nearly three years ago, Microsoft split its monthly update packages for Windows 7 and Windows 8.1 into two distinct offerings: a monthly rollup of updates and fixes and, for those who want only those patches that are absolutely essential, a Security-only update package.

What was surprising about this month's Security-only update, formally titled the "July 9, 2019—KB4507456 (Security-only update)," is that it bundled the Compatibility Appraiser, KB2952664, which is designed to identify issues that could prevent a Windows 7 PC from updating to Windows 10.

Among the fierce corps of Windows Update skeptics, the Compatibility Appraiser tool is to be shunned aggressively. The concern is that these components are being used to prepare for another round of forced updates or to spy on individual PCs. The word telemetry appears in at least one file, and for some observers it's a short step from seemingly innocuous data collection to outright spyware.

My longtime colleague and erstwhile co-author, Woody Leonhard, noted earlier today that Microsoft appeared to be "surreptitiously adding telemetry functionality" to the latest update:

With the July 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the "Compatibility Appraiser" and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates). Come on Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now?

I had the same question, so I spent the afternoon poking through update files and security bulletins and trying to get an on-the-record response from Microsoft. I got a terse "no comment" from Redmond.

My research did, however, confirm that this is not a mistake, and it led me to a theory for why these mysterious files are shipping in an unexpected location. I strongly suspect that some part of the Appraiser component on Windows 7 SP1 had a security issue of its own. If that's the case, then the updates indisputably belong in a Security-only update.

And if they happen to get installed on systems where administrators had taken special precautions not to install those components, Microsoft's reaction seems to be, "Well ... tough." The Appraiser tool was offered via Windows Update, both separately and as part of a monthly rollup update two years ago; as a result, most of the declining population of Windows 7 PCs already has it installed.

For the record, my experience with this update is that it's benign and Microsoft is being truthful when they say "There is no GWX or upgrade functionality contained in this update." But given the headaches users faced over unwanted upgrades back in Windows 10's first year, it's understandable that some people don't believe that assurance.

Why is Microsoft being so tight-lipped about this update? The company's understandably reluctant to talk about security issues except in formal settings like release notes and support bulletins. If you're a Microsoft security engineer, this has already been an exhausting week thanks to a pair of Windows 10 zero-day exploits being used in the wild, including by Kremlin-backed hackers.

Microsoft's communications about updates have gotten generally better (or at least more consistent) in recent years, but there are still issues like this one where the company's stubborn silence is baffling. It just serves as evidence for critics that the company has an ulterior motive. Would it really be that difficult to publicly state that the additional files were included because of an unspecified security issue?

It's also possible that Microsoft thinks it has a strong case for making the Compatibility Appraiser tool mandatory as the Windows 7 end-of-support date nears. (Yikes! That deadline is only about six months away, on January 14, 2020.) And even though Microsoft will offer paid support for another three years, that's a business unit whose milestones probably include decreasing the user base as quickly as possible.