Patch Tuesday may be dead, but Microsoft's not confessing to the crime

Microsoft is set to upend a 12-year practice of providing security patches on the same day each month to everyone. Or not.


Is Patch Tuesday -- the day since 2003 that Microsoft has painted on the calendar for distributing security updates -- dead? Mostly dead? More probable than not dead?

Or is it still alive and kicking?

Those questions began circulating Monday, after Microsoft announced its new update service, Windows Update for Business (WUB). As Terry Myerson, Microsoft's operating system chief, touted WUB, he suggested, or some thought he suggested, that Patch Tuesday was no more. "We're not going to be delivering all of the updates to all of these consumers on one day of the month," Myerson said of changes to Windows Update under Windows 10.

Those changes will be implemented when Windows 10 ships this summer, and are part of the radical overhaul of Microsoft's development and release regime. Rather than ploddingly roll out a new OS every three years, Microsoft will continually deliver new tools and functionality, new user interface (UI) and user experience (UX) features and enhancements.

Microsoft has long updated Windows on a regular basis, but only in the form of security patches and bug fixes. They will now be accompanied by more visible improvements. And those updates will, as Myerson said, not reach everyone simultaneously: Both consumers and business users will choose a "ring," or distribution track, from several offered. A "fast" ring may deliver updates as soon as they're available, while a "slow" ring may delay the same updates for days or even weeks.

"We've seen some people want the software right after it finishes our testing," Myerson said, citing the Windows 10 preview. "They don't want to wait a second. And then we have people that are stepping back and saying, 'Hey, work out some of those kinks, I want to make sure there are no app compatibility issues, I want to make sure there are no functional issues.'"

But does that mean Patch Tuesday will soon be passé?

Microsoft remains mum

Microsoft refused to say. When asked whether Patch Tuesday will continue after Windows 10's launch, and whether security updates will be delivered to Windows 10 PCs along with other updates, or separately, Microsoft largely ignored the queries. "Windows Update for Business can take responsibility for the timely distribution of security updates for customers for free [emphasis added]," a Microsoft spokesman said in an email. "Customers that choose to distribute updates themselves will continue to receive the updates on the 2nd Tuesday of the month."

Security experts tried to interpret Microsoft's message, the little information it's provided publicly, and the scuttlebutt circulating amongst their profession. Like 1960s Kremlinologists forced to gauge Soviet machinations by looking at photographs of those on the May Day reviewing stand -- who was there, who stood next to whom -- they parsed the obfuscated.

"There will be two distinct models," said Chris Goetti, product manager for patch management vendor Shavlik. "For consumers, Windows 10 will absolutely mean they will receive patches as they're released. And Microsoft will offer patches as soon as they're ready."

That last point would be a major departure from past practice, since with some rare exceptions Microsoft now holds security patches and bug fixes until the next regularly scheduled release date.

Goetti acknowledged that Microsoft has not said as much in plain English, but explained he "pieced together" his interpretation from comments the company has made since January; he combined that with conversations with other security professionals, including some who were at both the Build developers conference last week and at the inaugural Ignite confab this week.

More options for business

Businesses will have more options, including the existing Windows Server Update Services (WSUS), Microsoft's System Center Configuration Manager (SCCM) and third-party patch management platforms, which could all be used to maintain the ingrained monthly patch cycle. New, and only for Windows 10, will be WUB. Enterprises, like consumers, will set WUB "rings" for their PCs, and patches will be retrieved along with other updates on those tracks' schedules, said Goetti.
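To make the difference between the two models concrete, the following Python script is an added example (not code from the article, Microsoft or Shavlik). It computes the second Tuesday of a month, works out when a fix that is ready on a given day would reach machines under the monthly batch that WSUS/SCCM shops keep, and compares that with release-when-ready rings that defer delivery by a fixed number of days. The ring names and deferral lengths are constructed assumptions for illustration, not Microsoft's actual WUB settings.

```python
"""Compare patch-delivery cadences: monthly Patch Tuesday batch versus
release-when-ready "rings" with per-ring deferral.

Added example for illustration only. Ring names and deferral periods
below are constructed assumptions, not Microsoft's WUB configuration.
"""
from datetime import date, timedelta
from typing import Dict


def second_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month (Patch Tuesday)."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, Tuesday == 1, ... Sunday == 6
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def next_patch_tuesday(ready: date) -> date:
    """First Patch Tuesday on or after the day a fix is ready to ship."""
    this_month = second_tuesday(ready.year, ready.month)
    if this_month >= ready:
        return this_month
    # Roll over to the following month, handling the December -> January wrap.
    if ready.month == 12:
        return second_tuesday(ready.year + 1, 1)
    return second_tuesday(ready.year, ready.month + 1)


# Constructed ring policy: deferral in days after a fix is released.
RINGS: Dict[str, int] = {"fast": 0, "slow": 14, "long-term": 60}


def ring_delivery(ready: date, rings: Dict[str, int] = RINGS) -> Dict[str, date]:
    """Delivery date per ring when fixes ship as soon as they are ready."""
    return {name: ready + timedelta(days=delay) for name, delay in rings.items()}


def exposure_days(ready: date, delivered: date) -> int:
    """Days a machine stays unpatched after a fix exists."""
    return (delivered - ready).days


def compare(ready: date) -> Dict[str, int]:
    """Exposure window in days for the monthly batch and for each ring."""
    result = {"patch-tuesday": exposure_days(ready, next_patch_tuesday(ready))}
    for name, when in ring_delivery(ready).items():
        result[name] = exposure_days(ready, when)
    return result


if __name__ == "__main__":
    # A fix that is ready the day after May 2015's Patch Tuesday waits almost
    # four weeks under the batch model, but reaches the fast ring immediately.
    for track, days in compare(date(2015, 5, 13)).items():
        print(f"{track:>14}: {days:3d} days unpatched")
```

The interesting row is a fix that misses Patch Tuesday by a day: under the batch model it waits for the next cycle, while under the ring model the wait is whatever deferral the administrator chose for that class of machines. That is the control Goetti and Storms describe, expressed as a number of days rather than a calendar date.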

"What I don't see is that Patch Tuesday is going away, no one has said that at all," said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy. Storms clarified his take, noting that consumers will, for the most part, see Patch Tuesday disappear. Not that they paid attention to it, or even knew of it, before.

"At some point, Microsoft had to step up and release [patches] when they were ready," said Storms. Like Goetti and others, Storms cited Google's Chrome as an example of that update model.

"Chrome and Firefox browsers do just fine at enterprises with constant/random updates pushed out," echoed John Pescatore, director of emerging security trends at the SANS Institute, in an email.

The consensus among the trio was that Patch Tuesday would be moot for consumers on Windows 10 but still a factor for businesses, even though fixes will be available as soon as they're crafted by Redmond. Of course, Patch Tuesday may well continue to prevail for Windows Vista, Windows 7 and Windows 8/8.1 users, a fact many have ignored.

"WUB is providing more features and tools and options for businesses around how they consume and deploy patches," said Storms, trying to describe the change. "WUB sounds great, actually, with some nice features. Admins will be able to say, 'this class of computers takes everything when it's available,' or 'this class of computer is on a long-term servicing branch.' Those are great options, and go beyond what WSUS offers."

Resistance is futile?

Because Microsoft's new ship-patches-anytime system is inimical to the concept of Patch Tuesday, and because enterprise IT is by nature very conservative, there will be resistance to the changes, bet Goetti. "They can't walk away from enterprise customers who want control," he said. "I expect one of the reasons why they haven't clearly explained this is because they're afraid of backlash [from corporate customers], and they don't want to start that backlash this early."

However, for Storms the new model didn't sound all that different from how enterprises deal with patches now.

"We're kind of in 'surprise mode' anyway because we don't have ANS," said Storms, referring to the Advanced Notification Service that Microsoft junked in January. "There's no clue what's in there [on a Patch Tuesday] anyway, prep time now is zero, so you can't prepare."

His argument: Without the ANS heads-up, Microsoft might as well go to release-when-ready.

"Businesses can still choose to do everything on Patch Tuesday," Storms noted, "even if that's just getting everything released since the last one. And it takes enterprises at least 90 days to apply a Patch Tuesday, they're almost always three months behind."

That won't change, even if fixes appear irregularly.

IT is behind the times

Pescatore was even sterner in his evaluation of corporate IT shortcomings. "IT shops are clinging to an outdated 'Everything must be on the same version' approach," Pescatore said. "Enterprises can stay with once-per-month patching if they choose to. For phones and tablets, Microsoft will join Google and Apple in just pushing out updates whenever they are ready -- which is how it should be. There is absolutely no good reason for IT to want to force every mobile device to be on the same OS version. Heck, most are BYOD, not managed by IT anyways and have been working just fine, apps and all, with random/constant updates being pushed out to the devices by the carriers!"

Pescatore called the monthly patch cycle "silly" and "antiquated," among other things. "Ninety percent of everything could be patched immediately," Pescatore concluded.

But while Pescatore's, Storms' and Goetti's decoding arrived at the same general conclusions, there's no guarantee they will turn out to be right. For all they, and everyone else, knows, Microsoft means something completely different.

And that rubbed Storms, especially, the wrong way. "Microsoft's communications have gone to near zero," Storms complained. "To some degree, that's part of the reason why everyone is confused."

Storms didn't understand the lack of clarity. "They're the ones who brought this up," he said of WUB and its changes for enterprises. "The decisions are made, the code is probably dry. Why not just tell us?"
