Slashdot Mirror


Visual Studio 2015 C++ Compiler Secretly Inserts Telemetry Code Into Binaries (infoq.com)

Reader edxwelch writes: Reddit user sammiesdog discovered recently that the Visual Studio 2015 C++ compiler was inserting calls to a Microsoft telemetry function into binaries. "I compiled a simple program with only main(). When looking at the compiled binary in IDA, I see a call for telemetry_main_invoke_trigger and telemetry_main_return_trigger. I cannot find documentation for these calls, either on the web or in the options page," he wrote. Only after the discovery did Steve Carroll, the dev manager for Visual C++, admit to the "feature" and post a workaround to remove it. A Microsoft spokesperson confirmed the existence of this behavior to InfoQ, adding that the company will be removing it in a future preview build. For those who wish to get rid of it, the blog writes: Users who have a copy of VS2015 Update 2 and wish to turn off the telemetry functionality currently being compiled into their code should add notelemetry.obj to their linker command line.

5 of 421 comments

  1. Re:MS Spyware by bondsbw · · Score: 4, Informative

    Do you think that "debug performance telemetry" should be in a mission critical embedded application build in release mode? Do you?

    I don't believe any mission critical application (or any production application) should be built in unreleased software.

    That said, I'm pretty pissed about this, Microsoft is screwing themselves over by withholding things like this until they get found out, and by not making it a simple obvious setting that remains the way you left it. I'm ok with the idea of telemetry, but that should be my decision, not theirs. I'm not ok with how they push it on everyone. Doing this to developers is burning some of the only good bridges they have left.

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  2. Re:MS Spyware by Anonymous Coward · · Score: 2, Informative

    Microsoft Telemetry - dedicated to fast-tracking the confirmation of Richard Stallman as public visionary.

  3. Re:Ken Thompson Attack by Geoffrey.landis · · Score: 4, Informative

    Reading through the long Reddit thread, it looks as if the "telemetry" call saves the telemetry data locally; it does not seem to export it. So it's hard to call it "inserting backdoors".
    From https://www.reddit.com/r/cpp/c...

    [–]flashmozzg 68 points 1 month ago
    Apparently it's only a VS15 feature. It logs at least when your app is executed. You can access logs via logman and tracerpt. Some investigation was done here recently: (lang: Russian) https://habrahabr.ru/post/2813...

    [–]sammiesdog[S] 30 points 1 month ago
    Are the logs a local feature (i.e. stays on the user's computer)?
    And can it be disabled?

    [–]flashmozzg 29 points 1 month ago
    Seems to be that way. At least right now they only keep main invoked/returned, exit/abort called and such. Nothing serious.
    The suggested way to disable it is adding this to your project:

    // No-op definitions of the telemetry functions, so the
    // compiler-inserted calls around main() do nothing.
    extern "C"
    {
            void _cdecl __vcrt_initialize_telemetry_provider() {}
            void _cdecl __telemetry_main_invoke_trigger() {}
            void _cdecl __telemetry_main_return_trigger() {}
            void _cdecl __vcrt_uninitialize_telemetry_provider() {}
    };

    --
    http://www.geoffreylandis.com
  4. Re:MS Spyware by bondsbw · · Score: 4, Informative

    You seem to have stopped before reading to the end of the sentence. I went on to say:

    but that should be my decision, not theirs.

    It's the same reason you give feedback for beta software, you want to help make the final product better. Either way, regardless of whether it's automated, it should still be your choice.

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  5. Re:Ken Thompson Attack by AntronArgaiv · · Score: 4, Informative

    Boy this is at the scale of the Ken Thompson attack. Compilers that insert backdoors

    http://c2.com/cgi/wiki?TheKenT...

    No, I think that requires one more level of indirection -- reinserting the backdoor in the compiler when it is recompiled without the backdoor.