Last Tuesday Microsoft released several security updates, including a patch for Internet Explorer which fixes critical security issues. Security Bulletin MS16-023 resolves a number of reported vulnerabilities in the popular internet browser. According to Microsoft, one of these vulnerabilities could allow an attacker to remotely execute malicious code on a victim’s computer.

If an unpatched version of Internet Explorer visits an attack site designed to exploit the vulnerability, an attacker could gain the same access rights to the target computer as the user. This would allow an attacker to install programs, view, change, or delete data, or create new computer accounts with full user rights. Microsoft also adds the vague provision that, “Additionally, this security update includes several nonsecurity-related fixes for Internet Explorer.” 

InfoWorld first reported that when you look at the security update in detail, you’ll find the provision, “This update adds functionality to Internet Explorer 11 on some computers that lets users learn about Windows 10 or start an upgrade to Windows 10.” They go on to note that, “On non-domain joined machines this adds a blue banner when a user opens a "New Tab" saying "Microsoft recommends upgrading to Windows 10"

Placing an advertisement when a user opens a new tab in Internet Explorer isn’t particularly malevolent. Though the bait and switch element of bundling a serious vulnerability update with advertising does set a strange precedent with regards to consumer trust. It doesn't end there: for one thing, users can’t uninstall the Windows 10 advertising component of the update without uninstalling the security patch in its entirety, essentially being forced to comply with the bundled ad in exchange for their security. 

Furthermore, Windows IT Pro reports that companies which have chosen to block the Windows 10 update are receiving additional messages as a result of this security patch. Users on these networks are receiving messages which read in part, “Your system administrator has blocked upgrades on this PC. Check with your system administrator about upgrading this PC to Windows 10.” This kind of manipulation of users and system administrators is annoying at best and potentially damaging in the long run. Combining marketing efforts with security updates may persuade some users to disregard important updates in the future.