Updated: March 18, 2016
Sounds like a horror story. But this is exactly the premise of an article posted on Ghacks a few days ago. As it goes, there's a brand new cumulative security update for Internet Explorer 11, and it seems to come with a bunch of non-security updates, potentially designed to entice Windows 7 and Windows 8.X users to try Windows 10. If true, this would be a first.
Having non-essential, advertisement-laden content bundled with security updates is a sure way to invoke the wrath of the tech community, alienate users, and cause total and utter mayhem. But wait. Most people simply don't give a shit. However, the same way I gave you the GWX removal guide, I must give this rumor its due focus. Let's see if this is something you will need to worry about. After me.
In more detail
Anyhow, I tried the standard Windows Update thingie on a Windows 7 box. Indeed, the aforementioned update, KB3139929, is available in the standard list. There's nothing special about it. But as always, the More information link ought to be useful.
Without repeating what Martin wrote on Ghacks, the KB page lists all the different things this update provides, including several non-security fixes. Specifically, the GDR fix 3146449 will add functionality on some computers, letting users know about or start an upgrade to Windows 10. So, this isn't a rumor. This is a fact.
Now, how does it come to bear? Again, following the trail of gossip around the Web, it turns out users running Internet Explorer - are there any - will supposedly be presented with Windows 10 offers when they open the new tab page, which comes with a few speed dial like thumbs and such. The standard place where browser vendors place all sorts of crap.
Update & test
Of course, with a full system image in place, I let the system run its update process. It was slow, but this is another problem, and one which we will try to resolve in a separate article. Anyhow, I had some 50-ish updates available, let them install, then rebooted. Then, I fired the useless IE11 again and checked if there were any signs of intrusion.
I can say that having tested this on two separate Windows 7 boxes - Windows 8.1 testing is still pending - I do not see any change in how IE11 behaves, and there's nothing, I repeat nothing new or unusual there. No ads, and no Windows 10 offers.
My conclusion from this test so far is that - I do not know what kind of algorithm Microsoft uses to determine which computer they should dry-violate with their Windows 10 silly desperation, but it does not seem to happen on systems that have turned off OS upgrades. Wait, did you say, turned off OS upgrades?
On this particular box, IE11 isn't really used, and there's nothing at all to see in the new tab page. Moreover, super-ultra most importantly, this system has also been neutered of any trace of GWX, and it has the sweet patch that turns off upgrades to the latest version of Windows. Yes, if you do want to never be offered any OS upgrades, the likes of Windows 10, then you want:
KB3050265 for Windows 7
KB3050267 for Windows 8.1
At the very least, this gives us an easy fix. So far ...
Now, the bigger issue
As I've explained in the GWX article, it is all about user choice. Allow users to have that false perception of actual worth, that they are not just numbers on a corporate greed sheet. But then, as Martin pointed out, there is a bigger issue of trust.
If a company can allow itself to bundle non-security crap - ads really, or if you want, malware, because this is exactly what malware does, it hijacks your browser - then what prevents the company from mandating Windows 10 upgrades? After all, the next update you get might force you to move on to the new version of the system.
You must not allow this to happen. Do not be frightened by the security scare crap. If a push comes to shove, you're the boss. You're a paying customer, you will dictate what happens with your system, and no one else.
You can always mitigate security issues using sane tools like EMET. You can always choose not to use Internet Explorer. You can also uninstall the browser, but I do not recommend this, as it is tied deeply into the Windows nethers. The simpler way is to simple block the browser executable by changing its permissions to nothing, or maybe to rename it to something like .old or some random stuff like that. There are ways.
It might not be pretty, tearing up or uninstalling updates, leaving your browser supposedly exposed and whatnot, but in reality, if you practice safe browsing and use a bit of common sense, the way I think it should be used, of course, not the general common sense, you will be fine. Just not using Internet Explorer is good enough.
Do not cave in to pressure and scaremongering. Do not let this story die quietly. Express yourself, as a user, as a shareholder, as a human being. Do not let corporate monkeys make you into their bitch. You earned your money, you paid for an operating system, it's your right to use it the way it was sold to you, without crap mantras trying to get you into this new vision of happy blue-colored fascism that someone imagines will be good for you, but in reality, will just bring in more revenue to the boys. Nope. Won't do. And as a shareholder, I am very close to expressing myself.
Relax, what's the big deal?
Last but not the least, you may say, Microsoft competitors might be doing the same thing, especially in the mobile space. Well, that's not really relevant. It's like saying, everyone is keen on doing bullshit, so why not have Microsoft do it, too. Two wrongs don't make a right.
Moreover, Microsoft has had a reputation for keeping their security stuff and everything else separate. And that's the crucial point. Trust. If it's peddled as a security update, it should be a security update. As simple as that. Nothing more, nothing less. Call it Windows promo patch, call it a divine gift, but don't use sleazy tricks.
It is perfectly FINE to offer this kind of update - but again, it should then be a separate recommended update, or something. Not a security one. And finally there's the matter of choice. Allow users to be able to defer or reject or turn off this kind of stuff, without having to resort to corporate-quality KB patches. That's all.
I'm not done this with crap. I will follow up with more testing, more updates, and I will think of nice innovative ways of how to block and neuter this nonsense, if I ever get to see it in action, just like I did with GWX. Remember, turning off OS upgrades with those patches is the best thing you can do. It kills everything. Awesome. Amazeballs.
If you don't defer upgrades, then there's a question of how you manage this new silliness. What about any and every other future update? What is the limit when you stop trusting Microsoft, and how does it scale against your actual day-to-day need to run Windows? I'm not telling you to ditch Microsoft, whatever the cost. That's pointless. If you need to use their tools for work, you use them, no questions asked. Do not worsen your situation just because Microsoft wants it that way. Plan smartly, act coolly, and then retaliate when it best suits you.
At the moment, it may mean using products from a company you do not trust. Or cannot trust anymore. This is a very tricky situation. I don't have any good suggestions. No silver bullets. Yet. So your coping must be tactical for now. Small steps. Make sure you triple-check every update, postpone them, decide not to install them at all, think of alternative ways to manage your system and security. It's not easy, but your day will come, little man. Woe the company that decides to take a collective piss on its users. Never give up. Never surrender. Stay tuned for updates [sic]. Hi hi.