Security Short Take: Microsoft gets vague on Windows 10 updates

Two recent security updates show how little users will know about what they're getting

Windows users who upgrade to Windows 10 take note: You're not going to know much about the automatic security updates Microsoft serves up.

Last week, Microsoft released two updates for devices running the Windows 10 preview build 10240: KB3074663 and KB3074665, with the latter one being announced on Twitter by Gabriel Aul, engineering general manager for Microsoft's OS group. "We're releasing an update package on WU [Windows Update] for PC build 10240 today. It will install automatically or you can check for updates to grab it," Aul tweeted Friday. "It will be described as a security update, but that's just because it's cumulative and includes the last package's security fix."

The first update, KB3074663, was also marked as a security update. "The vulnerability could allow elevation of privilege if the Windows Installer service incorrectly runs custom action scripts," said the accompanying support document. Like its follow-up, KB3074663 also used the phrase, "This update includes non-security-related changes to enhance the functionality of Windows 10 through new features and improvements."

What may disturb long-time Windows users is the lack of information about the contents of KB3074663 and KB3074665; the phrase "includes non-security-related changes to enhance the functionality of Windows 10 through new features and improvements" could cover a variety of changes across wide swaths of the OS.

Among the issues raised by the shift:

  • It's another move to pare back the information Microsoft shares with users about OS updates. In January, the company ended the public advance notification service for upcoming security updates; before that, it had dumped a monthly webcast about the most recent updates and closed the Trustworthy Computing security group.
  • It raises questions about a new feature in Windows 10 that allows users to uninstall updates, or at least those marked as security updates. The feature is found under "Advanced options" on the Windows Update panel. When selected, it's followed by a "View your update history" option on the next screen, which leads to an "Uninstall updates" screen. Click or touch that and a Windows 7-esque window pops up showing updates that can be deleted. (On a PC running build 10240 of Windows 10 Pro, the only ones so listed were KB3074663 and KB3074665.)
  • It worries users who, because they don't know much about what's contained in any particular update, are left unsure about what will happen if they do try to uninstall one. "So what happens if an update causes an unknown issue on a system used for business?" asked David Ogg in a comment on a Computerworld news story about the automatic updates. "What does that person do? Are we forced to install this bad update? This has happened before."

Windows 10 is set to roll out on July 29 and promises to offer a faster update cadence, which could exacerbate concerns about the lack of update information.

With reports by Gregg Keizer at Computerworld.


Stories by Ken Mingis
