Windows 10 security is going to be unfamiliar on a number of levels (see recent article on Device Guard whitelisting), and one of the most important has turned out to be the way it will be patched. The famous – or infamous – monthly First Tuesday event will now be consigned to history for most users, Microsoft has announced, replaced for all but opt-ins by continuous patching, more in keeping with the way most other consumer software products are fixed.
Unofficially, Adobe already does this, as do all major browser vendors. As a security flaw is discovered, a fix follows, urgently if the flaw is a zero day and being exploited. To do anything else would be irresponsible. Ironically, what used to be called ‘out of band’ patching of flaws by Microsoft has also become more common in recent times than its adherence to Patch Tuesday would imply, and for good reason – it underlined that periodic patching on a defined cycle was completely obsolete, not only for consumers but for businesses too.
Consider the last time you experienced Patch Tuesday. Over time, the number of security fixes grew, sometimes to a scale that started to impede users. For consumers, the First Tuesday patches would download in the background and then initiate installation when the machine was shut down. Depending on how this was configured, the reboot could even happen automatically while the user was in the middle of using the PC, after which there would be a delay as updates were applied. Many minutes could easily pass.
For business, how and when patches were applied, or even whether they were applied at all, would depend on a range of factors that have led to fragmentation and complexity. Microsoft plans to overhaul this with something called Windows Update for Business, which will be able to use the System Center console to specify distribution ‘rings’ that allow updates to be scheduled for different devices, whether desktop, mobile or server.
Admins will also be able to specify maintenance windows during which updates are not applied for operational reasons, and even use peer-to-peer updating designed to make distribution to branch offices more efficient (we assume this means downloading updates once to a peer rather than having every machine update from a central server). Patch Tuesday will still be available for those businesses that want it, but it will no longer be the sole mechanism.
What this represents for IT departments is a new set of patching regimes that will require some working out. Admins will take time to get used to this new way of working, unpicking their current procedures. This will be a big change, and let's remember that this new regime applies to Windows 10. Its precise effect on Windows 7 and 8 has yet to be explained, although it looks as if the same process will apply.
Patch Tuesday was introduced in 2003, and the end of its regular monthly cycle won’t be mourned. What once upon a time looked like a helpful task quickly turned into a chore, a necessary evil that barely kept pace with the real demands of patching. Continuous patching is the new reality of a security world defined in hours, not days or months.
In a predictable snipe, Microsoft’s executive vice president of operating systems Terry Myerson used the Ignite conference to contrast his firm’s approach with that of Google.
“This level of commitment and support is far different than Android, for example, where Google refuses to take responsibility for updating their customers’ devices, leaving end-users and business increasingly exposed every day they use the device,” he said, acidly.
Of course, despite Android having turned into a fragmented handful, even Google doesn’t have Windows desktops to manage, so it’s a comment that misses the point. Nothing patches well these days unless it’s happening all the time.