New Windows Patch Policy At Odds With Acceptable Risk

Microsoft’s switch to rollup patching for Windows 7/8.1 will have an impact on security, one expert says.

With Microsoft’s Patch Tuesday release tomorrow, the countdown begins for application developers to button down code ahead of Microsoft’s new servicing model starting in October that could present vulnerability issues for some businesses.

“Tomorrow it’s going to be business as usual, but it will also raise anxiety as we get closer to October,” said Chris Goettl, product manager at Shavlik Technologies.

Goettl said Microsoft’s spotty track record on delivering reliable updates coupled with vendors concerned about patch compatibility with mission-critical apps will present security issues leaving some businesses at risk.

In August, Microsoft announced it will begin delivering patches for Windows 7, 8.1, Windows Server 2008 and Server 2012 as single rollups starting in October. Nathan Mercer, a senior product marketing manager at Microsoft, said it would end the long-held practice of letting customers choose which patches they want to apply for versions of Windows prior to Windows 10.

For Microsoft’s part, the move to cumulative updates was an attempt to ensure PCs are uniformly patched and to avoid a “fragmentation where different PCs could have a different set of updates installed leading to multiple potential problems,” Mercer wrote.

Under the new cumulative update guidelines, Microsoft will reduce the number of monthly security bulletins from 12 to fewer than six, Goettl said. A rollup of cumulative updates will consist of multiple patches rolled together into a single update and will replace the individual patches that admins had been able to install à la carte. Businesses and users will not be able to select which patches to deploy; however, they will be able to defer a cumulative update altogether until a later date.

Rollups will include both reliability and security fixes, but will not include updates for the servicing stack – the subsystem within Windows that handles updates – or for Adobe Flash.

Microsoft argues that by eliminating update fragmentation and providing more proactive patches for known issues, machines will be safer. For Goettl, however, the jury is still out. He said that cumulative updates from Microsoft could break legacy mission-critical apps that businesses rely on.

“These types of breakage issues could mean less and less companies apply updates because they have to keep business critical applications up and running or risk going out of business,” Goettl said. “For companies where app compatibility is an issue, they are going to choose risk over killing off their business.”

Goettl said this is exactly the type of scenario that faced Citrix customers when a cumulative Windows 10 update created a VDA incompatibility. He said despite the fact Microsoft and Citrix worked hard to create a solution for the incompatible patch, the process left customers exposed to many vulnerabilities for about a week.

“Microsoft still has quality issues even with Windows 10,” Goettl said. With its cumulative update to Windows 10, called Anniversary Update, Microsoft broke PowerShell Desired State Configuration along with millions of webcams. Those bugs have since been fixed.

Larry Velez, CTO and founder of Sinu, a New York-based managed service provider, said that Microsoft has little choice other than to adopt this new patching model.

“The move-fast-and-break-things model – popularized by Facebook – has been adopted by consumer technology and now is impacting business technology,” he said.

Microsoft and companies need to move fast to be secure, he said. “Companies – including Microsoft – need to move away from their legacy products as fast as possible. If Microsoft asked every sysadmin that gets in its way for permission to update, then Microsoft is never going to be able to secure its platform,” Velez said.

But Velez acknowledges the time needed to migrate from insecure applications to compatible applications necessitates a window of risk. “The question a business needs to ask itself is how secure are they in the first place deploying their own homebrew security fixes and declining Microsoft’s recommended patches?”

Patching issues will be more pronounced with less common products or vertical-specific products, such as healthcare devices or manufacturing systems that run on older Windows systems, Goettl said. “Home-grown applications, and applications developed by vendors who are no longer in business, may be less of a concern on Windows 10, but on older systems they are much more common.”

Goettl’s advice is to make sure that companies are working as closely with Microsoft as they can, and to make sure that security admins have pilot groups to test cumulative updates for compatibility issues with critical applications.
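One way to put that pilot-group advice into practice is to verify, before a rollup goes to production, that every pilot machine actually received it and has had time to exercise its critical applications. The PowerShell below is an added example, not code from the article, from Shavlik or from Microsoft; the hostnames are constructed, and `KB0000000` is a placeholder for the rollup’s real KB number, which you take from the month’s bulletin.

```powershell
# Added example (not from the article): audit a pilot group for the month's rollup.
# Assumptions: the hostnames are constructed; $RollupKB is a placeholder for the
# real rollup KB number from the bulletin being tested.
$PilotGroup = @('PILOT-FIN-01', 'PILOT-FIN-02', 'PILOT-HR-01')   # constructed hostnames
$RollupKB   = 'KB0000000'                                        # placeholder KB id

function Get-PilotRollupStatus {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $KB
    )
    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix reads the Win32_QuickFixEngineering records on the remote host;
            # -Id narrows the result to the one rollup we care about.
            $fix = Get-HotFix -ComputerName $computer -Id $KB -ErrorAction Stop
            [pscustomobject]@{
                Computer    = $computer
                KB          = $KB
                Installed   = ($null -ne $fix)          # absent KB returns nothing, not an error
                InstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
                Error       = $null
            }
        }
        catch {
            # An unreachable host or a WMI/RPC failure lands here; report it as unverified
            # rather than silently treating it as patched.
            [pscustomobject]@{
                Computer    = $computer
                KB          = $KB
                Installed   = $false
                InstalledOn = $null
                Error       = $_.Exception.Message
            }
        }
    }
}

# Report, then summarise how many pilot hosts still lack the rollup.
$status = Get-PilotRollupStatus -ComputerName $PilotGroup -KB $RollupKB
$status | Format-Table Computer, KB, Installed, InstalledOn, Error -AutoSize

$missing = @($status | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} pilot hosts have not verified {2}; hold the production deferral until they do." -f
        $missing.Count, $PilotGroup.Count, $RollupKB)
}
```

A KB showing up in the QFE list only confirms that the rollup installed; it says nothing about whether the line-of-business applications on those machines still work, which is the breakage Goettl is warning about. Run the application smoke tests on the same pilot hosts and keep the production deferral in place until both checks pass.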
