March’s Patch Tuesday includes a bad example of Microsoft abusing the security update cycle. KB3139929 (bulletin MS16-023) is a genuine security update: it resolves remote code execution vulnerabilities in Internet Explorer. Microsoft’s own description:
This security update resolves several reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Internet Explorer.
The same bulletin also lists several “nonsecurity-related fixes that are included in this security update”:
- 3144816 – XSS filter breaks submission of token for ADAL authentication in Internet Explorer 11
- 3144520 – Poor performance in Internet Explorer 11 when you enter characters in text field
- 3144521 – Internet Explorer 11 is closed when you use F12 Developer Tools
- 3144522 – Users can’t access Internet because proxy settings are overwritten in Internet Explorer 11
- 3144523 – Empty textarea loses its closing tag in Internet Explorer 11 after conversion from XML to HTML
- 3146449 – Updated Internet Explorer 11 capabilities to upgrade Windows 8.1 and Windows 7
While the other fixes in MS16-023 address legitimate bugs, KB3146449 is effectively adware: it adds a pop-up layer ad to the Internet Explorer New Tab page on Windows 7 and Windows 8.1 computers that are not joined to a domain. The ad is a blue banner stating “Microsoft recommends upgrading to Windows 10”.
Because KB3146449 is installed as part of KB3139929, you cannot uninstall the Windows 10 advertisement “patch” on its own. The only way to remove it is to uninstall KB3139929 as a whole, which leaves your computer exposed to the remote code execution vulnerabilities the update fixes.
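The following PowerShell script is an added example, not part of the original post or of Microsoft’s update, that inventories the situation described above on a single machine: whether KB3139929 is present, whether the bundled KB3146449 shows up as a separately removable package (it should not), whether the machine is domain-joined and running Windows 7 or 8.1 (the conditions under which the banner appears), and what the only available removal command is. The `-Remove` switch is a name chosen for this script; by default it only prints the `wusa.exe` command rather than running it.

```powershell
# Added example (not from the original post): report the KB3139929 / KB3146449
# state on a Windows 7 or 8.1 machine and show the only way to remove the banner.
# Assumptions: Get-HotFix reflects the installed-update list, and the $Remove
# switch is a hypothetical parameter name used only by this script.
param(
    [switch]$Remove   # hypothetical: actually uninstall KB3139929 instead of only printing the command
)

$ParentKb  = 'KB3139929'   # MS16-023 cumulative IE security update (RCE fixes)
$BundledKb = 'KB3146449'   # Windows 10 upgrade banner, shipped inside $ParentKb

# Get-HotFix writes a non-terminating error when a KB is absent, so silence it
# and treat an empty result as "not installed".
$parent  = Get-HotFix -Id $ParentKb  -ErrorAction SilentlyContinue
$bundled = Get-HotFix -Id $BundledKb -ErrorAction SilentlyContinue

# Domain membership: the banner is only shown on non-domain-joined machines.
$domainJoined = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain

# OS version: 6.1 is Windows 7, 6.3 is Windows 8.1 (the two platforms the banner targets).
$osVersion  = (Get-WmiObject -Class Win32_OperatingSystem).Version
$eligibleOs = ($osVersion -like '6.1*') -or ($osVersion -like '6.3*')

# svcVersion holds the real IE version on IE 10/11 (the older "Version" value stays at 9.x).
$ieVersion = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer').svcVersion

$report = [PSCustomObject]@{
    ParentInstalled = [bool]$parent
    BundledListed   = [bool]$bundled   # expected $false: KB3146449 is not a separate package
    DomainJoined    = $domainJoined
    OSVersion       = $osVersion
    IEVersion       = $ieVersion
    BannerExpected  = ([bool]$parent) -and $eligibleOs -and (-not $domainJoined)
}
$report | Format-List

if ($report.ParentInstalled) {
    # wusa.exe takes the KB number without the "KB" prefix.
    $kbNumber = $ParentKb -replace '^KB', ''
    $args     = "/uninstall /kb:$kbNumber /quiet /norestart"
    if ($Remove) {
        Write-Warning "Removing $ParentKb also removes the MS16-023 remote code execution fixes."
        Start-Process -FilePath 'wusa.exe' -ArgumentList $args -Wait
    } else {
        Write-Host "The banner cannot be removed alone; the whole update must go:"
        Write-Host "  wusa.exe $args"
    }
}
```

Run it as an elevated user (`Get-HotFix` and `wusa.exe /uninstall` both need administrator rights). `BundledListed` coming back `$false` while `ParentInstalled` is `$true` is the concrete evidence of the bundling problem: there is no package for KB3146449 to point `wusa.exe` at.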
If you do not use IE, are already on Windows 10, or your computer is joined to a domain, this may not be too concerning. However, bundling non-security changes into a security update, with no way to uninstall the individual component, is a scary foreshadowing of how far Microsoft is willing to go to push computers onto Windows 10.