Microsoft Sneaks Nagging Windows 10 Ads into Critical Security Patch

By Graham Cluley on Mar 11, 2016

Microsoft really really wants your business to upgrade to Windows 10 as soon as possible.

In fact, they are so keen for your firm to switch to Windows 10 that they’re sneaking adverts for the upgrade into security patches, and using some controversial tactics to encourage users to shame their system administrators for not allowing the upgrade to happen.

Don’t believe me?  Well, let’s look at the evidence.

On Tuesday 8 March, Microsoft issued a number of security updates. Amongst them was a critical patch for Internet Explorer (MS16-023) that dealt with several vulnerabilities, including a particularly dangerous one that could have allowed remote code execution if a user visited a booby-trapped webpage.

Nothing controversial there, you might think. 

However, what initially went unnoticed – until InfoWorld spotted it – was that the security update also installed “several nonsecurity-related fixes for Internet Explorer.”

Look a little deeper and you discover that one of those ‘fixes’ is to display an advert for Windows 10:

“This update adds functionality to Internet Explorer 11 on some computers that lets users learn about Windows 10 or start an upgrade to Windows 10.”

The precise circumstances which trigger the display of the advert are unclear, so it may not be seen by all users.  However, you can see why this behaviour would upset some users.

I can also completely understand that Microsoft is keen for as many computers as possible to update to Windows 10, but it seems a little underhand to include such non-essential functionality in a security update.

Especially when you consider that it isn’t possible to remove the aggressive ad without also uninstalling what sounds like a truly essential security patch.

As InfoWorld says:

“The only way to get rid of the new advertising inside Internet Explorer 11 is to remove the security patch entirely.”

But there’s more.

As WindowsITPro reports, Patch Tuesday’s raft of security fixes (and “nonsecurity-related fixes”) is seemingly taking things a step further by shaming system administrators in front of their staff for not switching to Windows 10.

“Your system administrator has blocked upgrades on this PC

Check with your system administrator about upgrading this PC to Windows 10.

Are you a system administrator? You can customize this app to get your organization upgraded to Windows 10. Find out how”

You can see how sysadmins might feel annoyed or embarrassed (or both!) by Microsoft displaying such a nagging message in front of their users.

Yes, Microsoft may have good reasons for encouraging businesses to make the switch to Windows 10, but abusing a security update in this way to deliver an advert is a dangerous precedent that could result in some being less willing to apply patches in future.

 


Author: Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.