Security Short Take: Microsoft gets vague on Windows 10 updates

Two recent security updates show how little users will know about what they're getting


Windows users who upgrade to Windows 10 take note: You're not going to know much about the automatic security updates Microsoft serves up.

Last week, Microsoft released two updates for devices running the Windows 10 preview build 10240: KB3074663 and KB3074665, with the latter one being announced on Twitter by Gabriel Aul, engineering general manager for Microsoft's OS group. "We're releasing an update package on WU [Windows Update] for PC build 10240 today. It will install automatically or you can check for updates to grab it," Aul tweeted Friday. "It will be described as a security update, but that's just because it's cumulative and includes the last package's security fix."

The first update, KB3074663, was also marked as a security update. "The vulnerability could allow elevation of privilege if the Windows Installer service incorrectly runs custom action scripts," said the accompanying support document. Like its follow-up, KB3074663 also used the phrase, "This update includes non-security-related changes to enhance the functionality of Windows 10 through new features and improvements."

What may disturb long-time Windows users is the lack of information about the contents of KB3074663 and KB3074665; the phrase "includes non-security-related changes to enhance the functionality of Windows 10 through new features and improvements" could cover a variety of changes across a wide spectrum of the OS.

Among the issues raised by the shift:

  • It's another move to pare back the information Microsoft shares with users about OS updates. In January, the company ended the public advance notification service for upcoming security updates; before that, it had dumped a monthly webcast about the most recent updates and closed the Trustworthy Computing security group.
  • It raises questions about a new feature in Windows 10 that allows users to uninstall updates, or at least those marked as security updates. The feature is found under "Advanced options" on the Windows Update panel. When selected, it's followed by a "View your update history" option on the next screen, which leads to an "Uninstall updates" screen. Click or touch that and a Windows 7-esque window pops up showing updates that can be deleted. (On a PC running build 10240 of Windows 10 Pro, the only ones so listed were KB3074663 and KB3074665.)
  • It worries users who, because they don't know much about what's contained in any particular update, are left unsure about what will happen if they do try to uninstall one. "So what happens if an update causes an unknown issue on a system used for business?" asked David Ogg in a comment on a Computerworld news story about the automatic updates. "What does that person do? Are we forced to install this bad update? This has happened before."

Windows 10 is set to roll out on July 29 and promises to offer a faster update cadence, which could exacerbate concerns about the lack of update information.

With reports by Gregg Keizer at Computerworld.

This story, "Security Short Take: Microsoft gets vague on Windows 10 updates" was originally published by CSO.