Microsoft released its October patching update today and, as announced, it introduces a major change that has many system administrators wondering just what to do.
Microsoft began its system of regular monthly updates, Patch Tuesday as it became known, in 2003 to reduce the cost of distributing patches. All the security patches that accumulate during the period are released on the second Tuesday of each month. The patches covered vulnerabilities of varying severities, and administrators could pick and choose which to install.
As of today, however, all of the security patches and bug fixes are contained in a single update – you must patch all or nothing. The purported reasons are sound – a rollup model should be more reliable, predictable and simpler to administer. The Microsoft assumption is that this will push administrators in the direction of All, ensuring more organizations are constantly patched and updated, immune to the latest detected and patched security concerns. Many organizations, however, will be pushed towards Nothing.
Why is that? In the past 18 months, numerous instances of patch problems have been reported. We have seen various patches breaking Office or the Windows operating system, at times leading to system crashes. Both IT departments and business users have become wary of allowing automatic installation of patches, even security-related ones, lest they disrupt business for days. “Recall Thursday” is now a known industry term. Many enterprises pick and choose only the high-severity patches, testing them thoroughly in their labs. These tests can take weeks just for a carefully chosen set of applications – imagine what is needed for a full package. Small organizations can’t even consider taking on such an endeavor, and end up either waiting to hear industry feedback on a patch and installing after a delay, or postponing the patch indefinitely. Microsoft’s new format is likely to increase the number of indefinite delays.
Another thing to note is that Microsoft, when introducing the new security rollup scheme, explained that each month’s rollup will supersede the previous month’s, so there will always be only one update required to become fully current. That is, the November 2016 monthly rollup will include October as well as November updates, and so on. This is meant to reduce the chance that an update fails due to a dependency on a prior update and to simplify the patching procedure. But it may have the unintended effect of causing organizations to wait for the next update, always postponing their patching. For example, installing in October would mean patching in October and then again in November, whereas postponing to November means patching only once in these two months. This logic may lead to patching activities that are few and far between.
This will leave many companies at even greater security risk, particularly because the release of the patch itself gives attackers the information they need to develop exploits for the previously unknown underlying vulnerabilities, while unpatched systems remain exposed.
With numerous organizations likely choosing the “Nothing” option, Microsoft’s new update format could play right into the hands of cybercriminals. Much of their attack strategy is based on the fact that companies cannot keep up with patching vulnerabilities. One solution is to add a technology like Moving Target Defense to cover endpoint vulnerabilities exposed by gaps in patching cycles.