Mixing security updates with non-security content is never a good idea, but it is particularly worrisome when Microsoft pushes new "get Windows 10" functionality on Windows 7 and 8.1 systems that one cannot get rid of without removing the security update itself as well.
Security update MS16-023, released as part of the March 2016 Microsoft Patch Day, looks at first glance like any other security update Microsoft has released for one of its operating systems.
In its summary, Microsoft notes that it "resolves several reported vulnerabilities in Internet Explorer", of which the most severe "could allow remote code execution" if users open web pages that were created to exploit the vulnerabilities.
If you read on, you will notice that the patch includes non-security fixes as well.
This security update resolves several reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Internet Explorer. To learn more about these vulnerabilities, see Microsoft Security Bulletin MS16-023.
Additionally, this security update includes several nonsecurity-related fixes for Internet Explorer.
To find out more about these non-security related fixes, one needs to scroll down on the page where they are all listed:
- 3144816 XSS filter breaks submission of token for ADAL authentication in Internet Explorer 11
- 3144520 Poor performance in Internet Explorer 11 when you enter characters in text field
- 3144521 Internet Explorer 11 is closed when you use F12 Developer Tools
- 3144522 Users can't access Internet because proxy settings are overwritten in Internet Explorer 11
- 3144523 Empty textarea loses its closing tag in Internet Explorer 11 after conversion from XML to HTML
- 3146449 Updated Internet Explorer 11 capabilities to upgrade Windows 8.1 and Windows 7
Of specific interest is KB3146449, which, as it happens, is the only one of the six KB entries whose link is broken.
When you open the right page, you find the following information:
This update adds functionality to Internet Explorer 11 on some computers that lets users learn about Windows 10 or start an upgrade to Windows 10.
Microsoft does not reveal what this means, or what this has to do with Internet Explorer. According to Woody Leonhard over at Infoworld, the update pushes a banner on Internet Explorer 11's New Tab Page advertising the company's new operating system Windows 10.
This appears to be the case only for non-domain-joined machines, and the banner is not displayed on every system the update is installed on.
The big, big problem
The main issue with pushing Windows 10 offers this way is that users cannot remove them from their system: KB3146449 does not appear in the list of installed updates, because it is integrated into KB3139929.
This means that one would have to remove the security update as well to get rid of the advertisement for Windows 10 on the computer.
Obviously, not using Internet Explorer would resolve the issue as well, but this may not always be possible, and it would only be a temporary solution, as Microsoft may be inclined to push Windows 10 offers to other programs or tools of the operating system in the future.
Apart from regularly re-releasing updates so that they are pushed anew to user systems, bringing the dreaded "Get Windows 10" offer along with them again, Microsoft seems to have decided to tighten the screws even more by pushing the offer to its Internet Explorer browser as well.
If you think that this is the end of it you are probably mistaken.
There is nothing that you can do about it right now. While you could block KB3139929 on your system, you'd prevent the security patches from being installed on it, and if you allow it, there is no option to remove KB3146449, the component that pushes the ads to Internet Explorer 11, individually.
Maybe someone will figure out a way to get around this, by blocking the ads or somehow installing the security updates without the added fixes.
Now You: What's your take on this?