New Windows Patch Policy At Odds With Acceptable Risk

Microsoft’s switch to rollup patching for Windows 7/8.1 will have an impact on security, one expert says.

With Microsoft’s Patch Tuesday release tomorrow, the countdown begins for application developers to button down code ahead of Microsoft’s new servicing model starting in October that could present vulnerability issues for some businesses.

“Tomorrow it’s going to be business as usual, but it will also raise anxiety as we get closer to October,” said Chris Goettl, product manager at Shavlik Technologies.

Goettl said Microsoft’s spotty track record on delivering reliable updates coupled with vendors concerned about patch compatibility with mission-critical apps will present security issues leaving some businesses at risk.

In August, Microsoft announced it will begin delivering patches for Windows 7, 8.1, Windows Server 2008 and Server 2012 as single rollups starting in October. Nathan Mercer, a senior product marketing manager at Microsoft, said it would end the long-held practice of letting customers choose which patches they want to apply for versions of Windows prior to Windows 10.

For Microsoft’s part, the move to cumulative updates was an attempt to ensure PCs are uniformly patched and to avoid a “fragmentation where different PCs could have a different set of updates installed leading to multiple potential problems,” Mercer wrote.

Under the new cumulative update guidelines, Microsoft will reduce the number of monthly security bulletins from 12 to fewer than six, Goettl said. A rollup of cumulative updates will consist of multiple patches rolled together into a single update and will replace the individual patches that admins had been able to install à la carte. Businesses and users will not be able to select which patches to deploy; however, they will be able to defer a cumulative update altogether until a later date.

Patches will include both reliability and security fixes, but will not include updates for the servicing stack – the subsystem within Windows that handles updates – or for Adobe Flash.

Microsoft argues that by eliminating update fragmentation and providing more proactive patches for known issues, machines will be safer. However, for Goettl, the jury is still out. He said that cumulative updates from Microsoft could break legacy mission-critical apps that businesses rely on.

“These types of breakage issues could mean fewer and fewer companies apply updates because they have to keep business-critical applications up and running or risk going out of business,” Goettl said. “For companies where app compatibility is an issue, they are going to choose risk over killing off their business.”

Goettl said this is exactly the type of scenario that faced Citrix customers when a cumulative Windows 10 update created a VDA incompatibility. He said despite the fact Microsoft and Citrix worked hard to create a solution for the incompatible patch, the process left customers exposed to many vulnerabilities for about a week.

“Microsoft still has quality issues even with Windows 10,” Goettl said. With its cumulative update to Windows 10, called Anniversary Update, Microsoft broke PowerShell Desired State Configuration along with millions of webcams. Those bugs have since been fixed.

Larry Velez, CTO and founder of Sinu, a New York-based managed service provider, said that Microsoft has little choice other than to adopt this new patching model.

“The move-fast-and-break-things model – popularized by Facebook – has been adopted by consumer technology and now is impacting business technology,” he said.

Microsoft and companies need to move fast to be secure, he said. “Companies – including Microsoft – need to move away from their legacy products as fast as possible. If Microsoft asked every sysadmin that gets in its way for permission to update, then Microsoft is never going to be able to secure its platform,” Velez said.

But Velez acknowledges the time needed to migrate from insecure applications to compatible applications necessitates a window of risk. “The question a business needs to ask itself is how secure are they in the first place deploying their own homebrew security fixes and declining Microsoft’s recommended patches?”

Patching issues will be more pronounced with less common products or vertical-specific products, such as healthcare devices or manufacturing systems that run on older Windows systems, Goettl said. “Home-grown applications, and applications developed by vendors who are no longer in business, may be less of a concern on Windows 10, but on older systems they are much more common.”

Goettl’s advice is for companies to work as closely with Microsoft as they can and to make sure that security admins have pilot groups to test cumulative updates for compatibility issues with critical applications before they are rolled out more widely.
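One way to operationalize that pilot-group advice is to verify, host by host, that the month's rollup actually landed on the pilot ring before it is approved for the rest of the fleet. The PowerShell below is an added example written for this article, not code from Microsoft, Shavlik or the article itself. The host names are constructed, and the two KB identifiers are placeholders to be replaced with the rollup and servicing stack update numbers from the month's Microsoft bulletin; the servicing stack update is checked separately because, as the article notes, it is not part of the rollup.

```powershell
# Added example (not from the article): confirm a monthly rollup is present on
# every pilot-ring host before approving it for production.
# Host names are constructed; the KB ids are placeholders for this month's
# rollup and servicing stack update, which Microsoft ships separately.
$PilotHosts  = @('PILOT-PC01', 'PILOT-PC02', 'PILOT-SRV01')   # constructed names
$RollupKB    = 'KB0000000'   # placeholder: this month's monthly rollup
$ServicingKB = 'KB0000001'   # placeholder: servicing stack update

function Get-PilotPatchStatus {
    param(
        [string[]] $ComputerName,
        [string]   $RollupId,
        [string]   $ServicingStackId
    )
    foreach ($pc in $ComputerName) {
        try {
            # Get-HotFix queries Win32_QuickFixEngineering on the remote host.
            $installed = Get-HotFix -ComputerName $pc -ErrorAction Stop
            $rollup = $installed | Where-Object HotFixID -eq $RollupId
            $ssu    = $installed | Where-Object HotFixID -eq $ServicingStackId
            [pscustomobject]@{
                Computer        = $pc
                Reachable       = $true
                RollupInstalled = [bool]$rollup
                RollupDate      = if ($rollup) { $rollup.InstalledOn } else { $null }
                SSUInstalled    = [bool]$ssu
            }
        } catch {
            # An unreachable host is reported rather than silently skipped, so it
            # cannot be mistaken for a patched one.
            [pscustomobject]@{
                Computer        = $pc
                Reachable       = $false
                RollupInstalled = $false
                RollupDate      = $null
                SSUInstalled    = $false
            }
        }
    }
}

$status = Get-PilotPatchStatus -ComputerName $PilotHosts `
                               -RollupId $RollupKB `
                               -ServicingStackId $ServicingKB
$status | Format-Table -AutoSize

# Gate: the rollup is only promoted to the wider fleet when every pilot host
# has it; application compatibility sign-off on those hosts still follows.
$missing = $status | Where-Object { -not $_.RollupInstalled }
if ($missing) {
    Write-Warning ("Rollup {0} missing or unverifiable on: {1}" -f $RollupKB, ($missing.Computer -join ', '))
} else {
    Write-Output "Pilot ring fully patched with $RollupKB; proceed to application compatibility sign-off."
}
```

Run this from a management host with remote WMI access to the pilot machines. Hosts that cannot be reached are listed alongside unpatched ones so that a deferral decision is made on a complete picture, not on the subset of machines that happened to answer.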

  • RsOrlando on

    Microsoft will NEVER get it's OS secured! It's a patched kludge right from day one. The bad guys are smarter than they are. Period.
  • Wayne Ruppersburg on

    Thanks for your article about September Patch Tuesday 2016. All updates installed successfully for me...using Win 10 1607, now build 14393.187. This update took 30 minutes to download and install .... seems longer than previous updates. All is stable though, with my reliability monitor at "10". Loving Windows 10.
  • twbradio on

    After the third unexpected reboot during an extended rendering session in only 6 months, I went to change my update settings on my Windows 10 laptop and found that I couldn't. I have been a Microsoft apologist for many years, but those days may well be coming to an end.
  • Anonymous on

    I have been a Windows admin for years. I am also a Nix admin, and, honestly, this is a very, very bad move on MS's part. You may be able to get away with doing this to consumer based systems, however, when a company that provides a product to another company, tries to dictate what that customer will and won't do; well let's just say, that is what many companies have found to be their end in the past. You just can't give unsolicited dictated rules to another company (especially when that company is your customer) without repercussions. Microsoft, you may be the number 1 desktop and server provider in the world, but that doesn't give you the right to tell the collective business world how to manage their systems. This is just a way for MS to cut costs and force customers to use their support contracts or pay to play billable support. This will result in "forcing" more businesses to the cloud model (largest, most useless system ever for large industry). Not every business is a small business that can leverage the cloud. It is twice to three times as expensive as in house systems for large business. This may very well be the one decision that causes a backlash unlike any we have ever witnessed.
  • 30yearsMScustomer on

    Total "Jack In The Box" process; Drive through, scream in the clown, and eat whatever comes in the bag. Hope you don't get food poisoning in the process. Pretty fitting though, considering the clowns running things at MS these days...
