Windows patch KB 3139929: When a security update is not a security update

If Microsoft’s documentation is correct, installing Patch Tuesday’s KB 3139929 security update for Internet Explorer also installs a new Windows 10 ad-generating routine called KB 3146449.

Many people — present company included — feel that putting an ad generator inside a security patch crosses way over the line. In fact, you have to ask yourself if there are any lines any more.

Microsoft lays it all out in black and white in its inimitable, most obfuscatory way.

This month’s MS16-023 security patch for Internet Explorer, KB 3139929, says:

This security update resolves several reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Internet Explorer… Additionally, this security update includes several nonsecurity-related fixes for Internet Explorer.

Later in the same KB article, Microsoft lists six “nonsecurity-related fixes that are included in this security update,” including this:

3146449  Updated Internet Explorer 11 capabilities to upgrade Windows 8.1 and Windows 7

If you then look at KB 3146449, you see:

This update adds functionality to Internet Explorer 11 on some computers that lets users learn about Windows 10 or start an upgrade to Windows 10.

According to one of my sources, this new user education works like this:

On non-domain joined machines this adds a blue banner when a user opens a “New Tab” saying “Microsoft recommends upgrading to Windows 10”

It’s important to note that KB 3146449 is not installed separately. You can’t remove it. If you look in your installed updates list, KB 3146449 doesn’t appear. Instead, it’s baked into the IE security patch KB 3139929. The only way to get rid of the new advertising inside Internet Explorer 11 is to remove the security patch entirely.

AskWoody.com poster Annemarie explains it like this:

On Dutch security-forum http://www.security.nl user Spiff states:

Overigens, na installatie van KB3139929 is geen individuele KB3146449 te vinden in Geschiedenis van updates en in Geïnstalleerde updates. Het na installatie van KB3139929 verwijderen van KB3146449 is dus geen optie.

Which translates as: after installing KB3139929 there is no individual KB3146449 to be found in Installed Updates nor in Update History. Installing KB3139929 and then afterwards removing KB3146449 does not seem to be an option.

I spent most of the night trying to replicate this behavior — a blue banner on new tabs in IE11 with “Microsoft recommends upgrading to Windows 10” — and couldn’t get it to trigger. If you can, I’d appreciate your shooting an email with a screenshot to woody@askwoody.com.

If the documentation can be verified, Microsoft’s intrusive Get Windows 10 behavior has reached new lows. Rubbing salt in the wound: PCs attached to corporate domains are spared the pain — but not the bits — of this decidedly nonsecurity patch. In bypassing domain-joined PCs, Microsoft has avoided the inevitable screams of “foul play” from its largest corporate customers.

For the rest of us? Meh.