Patch Tuesday may be dead, but Microsoft's not confessing to the crime

Redmondologists decide patches will ship as soon as they're ready, a big change from the practice of the past 12 years

CSO staff

Microsoft is set to upend a 12-year practice of providing security patches on the same day each month to everyone. Or not.

Is Patch Tuesday, the second Tuesday of each month -- the day since 2003 that Microsoft has painted on the calendar for distributing security updates -- dead? Mostly dead? More probable than not dead?

Or is it still alive and kicking?

Those questions began circulating Monday, after Microsoft announced its new update service, Windows Update for Business (WUB). As Terry Myerson, Microsoft's operating system chief, touted WUB, he suggested, or some thought he suggested, that Patch Tuesday was no more. "We're not going to be delivering all of the updates to all of these consumers on one day of the month," Myerson said of changes to Windows Update under Windows 10.

Those changes will be implemented when Windows 10 ships this summer, and are part of the radical overhaul of Microsoft's development and release regime. Rather than ploddingly roll out a new OS every three years, Microsoft will continually deliver new tools and functionality, new user interface (UI) and user experience (UX) features and enhancements.

Microsoft has long updated Windows on a regular basis, but only in the form of security patches and bug fixes. They will now be accompanied by more visible improvements. And those updates will, as Myerson said, not reach everyone simultaneously: Both consumers and business users will choose a "ring," or distribution track, from several offered. A "fast" ring may deliver updates as soon as they're available, while a "slow" ring may delay the same updates for days or even weeks.

"We've seen some people want the software right after it finishes our testing," Myerson said, citing the Windows 10 preview. "They don't want to wait a second. And then we have people that are stepping back and saying, 'Hey, work out some of those kinks, I want to make sure there are no app compatibility issues, I want to make sure there are no functional issues.'"

But does that mean Patch Tuesday will soon be passé?

Microsoft remains mum

Microsoft refused to say. When asked whether Patch Tuesday will continue after Windows 10's launch, and whether security updates will be delivered to Windows 10 PCs along with other updates, or separately, Microsoft largely ignored the queries. "Windows Update for Business can take responsibility for the timely distribution of security updates for customers for free [emphasis added]," a Microsoft spokesman said in an email. "Customers that choose to distribute updates themselves will continue to receive the updates on the 2nd Tuesday of the month."

Security experts tried to interpret Microsoft's message, the little information it's provided publicly, and the scuttlebutt circulating amongst their profession. Like 1960s Kremlinologists forced to gauge Soviet machinations by looking at photographs of those on the May Day reviewing stand -- who was there, who stood next to whom -- they parsed the obfuscated.

"There will be two distinct models," said Chris Goettl, product manager for patch management vendor Shavlik. "For consumers, Windows 10 will absolutely mean they will receive patches as they're released. And Microsoft will offer patches as soon as they're ready."

That last point would be a major departure from past practice, since, with rare exceptions, Microsoft currently holds security patches and bug fixes until the next regularly scheduled release date.

Goettl acknowledged that Microsoft has not said as much in plain English, but explained he "pieced together" his interpretation from comments the company has made since January; he combined that with conversations with other security professionals, including some who were at both the Build developers conference last week and at the inaugural Ignite confab this week.

More options for business

Businesses will have more options, including the existing Windows Server Update Services (WSUS), Microsoft's System Center Configuration Manager (SCCM) and third-party patch management platforms, all of which could be used to maintain the ingrained monthly patch cycle. New, and only for Windows 10, will be WUB. Enterprises, like consumers, will set WUB "rings" for their PCs, and patches will be retrieved along with other updates on those tracks' schedules, said Goettl.

"What I don't see is that Patch Tuesday is going away, no one has said that at all," said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy. Storms clarified his take, noting that consumers will, for the most part, see Patch Tuesday disappear. Not that they paid attention to it, or even knew of it, before.

"At some point, Microsoft had to step up and release [patches] when they were ready," said Storms. Like Goettl and others, Storms cited Google's Chrome as an example of that update model.

"Chrome and Firefox browsers do just fine at enterprises with constant/random updates pushed out," echoed John Pescatore, director of emerging security trends at the SANS Institute, in an email.

The consensus among the trio was that Patch Tuesday would be moot for consumers on Windows 10 but still a factor for businesses, even though fixes will be available as soon as they're crafted by Redmond. Of course, Patch Tuesday may well continue to prevail for Windows Vista, Windows 7 and Windows 8/8.1 users, a fact many have ignored.

"WUB is providing more features and tools and options for businesses around how they consume and deploy patches," said Storms, trying to describe the change. "WUB sounds great, actually, with some nice features. Admins will be able to say, 'this class of computers takes everything when it's available,' or 'this class of computer is on a long-term servicing branch.' Those are great options, and go beyond what WSUS offers."

Resistance is futile?

Because Microsoft's new ship-patches-anytime system is inimical to the concept of Patch Tuesday, and because enterprise IT is by nature very conservative, there will be resistance to the changes, bet Goettl. "They can't walk away from enterprise customers who want control," he said. "I expect one of the reasons why they haven't clearly explained this is because they're afraid of backlash [from corporate customers], and they don't want to start that backlash this early."

However, for Storms the new model didn't sound all that different from how enterprises deal with patches now.

"We're kind of in 'surprise mode' anyway because we don't have ANS," said Storms, referring to the Advanced Notification Service that Microsoft junked in January. "There's no clue what's in there [on a Patch Tuesday] anyway, prep time now is zero, so you can't prepare."

His argument: Without the ANS heads-up, Microsoft might as well go to release-when-ready.

"Businesses can still choose to do everything on Patch Tuesday," Storms noted, "even if that's just getting everything released since the last one. And it takes enterprises at least 90 days to apply a Patch Tuesday, they're almost always three months behind."

That won't change, even if fixes appear irregularly.

IT is behind the times

Pescatore was even sterner in his evaluation of corporate IT shortcomings. "IT shops are clinging to outdated 'Everything must be on the same version' approach," Pescatore said. "Enterprises can stay with once-per-month patching if they choose to. For phones and tablets, Microsoft will join Google and Apple in just pushing out updates whenever they are ready -- which is how it should be. There is absolutely no good reason for IT to want to force every mobile device to be on the same OS version. Heck, most are BYOD, not managed by IT anyways and have been working just fine, apps and all, with random/constant updates being pushed out to the devices by the carriers!"

Pescatore called the monthly patch cycle "silly" and "antiquated," among other things. "Ninety percent of everything could be patched immediately," Pescatore concluded.

But while Pescatore's, Storms' and Goettl's decoding arrived at the same general conclusions, there's no guarantee they will turn out to be right. For all they, and everyone else, know, Microsoft means something completely different.

And that rubbed Storms, especially, the wrong way. "Microsoft's communications have gone to near zero," Storms complained. "To some degree, that's part of the reason why everyone is confused."

Storms didn't understand the lack of clarity. "They're the ones who brought this up," he said of WUB and its changes for enterprises. "The decisions are made, the code is probably dry. Why not just tell us?"

Copyright © 2015 IDG Communications, Inc.
