October will mark a major shift in the way Microsoft structures its Patch Tuesday release for many users, and experts worry the new monthly Windows rollup will force companies to accept more risk in order to avoid compatibility issues.
Microsoft previously announced it would be changing the Patch Tuesday structure in October for Windows 7 and Windows 8.1 users to the so-called Monthly Rollup. With this change, individual patch bulletins will be replaced by a smaller number of bundled update packages, with separate packages for Internet Explorer, the Windows platform and the .NET platform, removing the ability to pick and choose individual patches to apply. Microsoft claimed this will create a simpler process and reduce update fragmentation.
The change is similar to the structure of patch updates for Windows 10, but according to Chris Goettl, product manager with Shavlik, based in New Brighton, Minn., the Windows rollup for older platforms will allow more flexibility for IT staff.
"Windows 10 has all updates in a cumulative bundle each month, which is more strict than the servicing change being implemented on pre-Windows 10 systems next month. At least on the earlier platforms, enterprises will be able to choose a security-only bundle instead of the cumulative rollup for Internet Explorer and OS each month," Goettl told SearchSecurity. ".NET is also a separate rollup, unlike on Windows 10, so this change levels the field a bit. But even with the change, Windows 10 is still more restrictive."
Microsoft has had a mixed history with patch releases, requiring IT administrators to test patches both for compatibility issues and for new problems the patches themselves introduce into software.
Tyler Reguly, manager of security research at Tripwire Inc., based in Portland, Ore., pointed out that "administrators and security professionals have commented negatively on the Windows 10 model since it was released," and said the new Windows rollup for older platforms won't reduce the need for testing.
"Enterprises need to ensure they have large test labs set up, with a full cross-section of their production environment available for testing, as it is very unlikely that we'll see the remainder of the year pass without any negative interactions from these patches," Reguly told SearchSecurity.
However, Bobby Kuzma, system engineer at Core Security, based in Roswell, Ga., said he isn't "terribly fond of forced updates without enterprise approval," such as those on Windows 10, where enterprises need to pay in order to have the option to delay patch installs. But Kuzma admitted there's "a huge hygiene and herd immunity benefit to enforcing updates automatically."
"Instead of having hundreds of possible combinations to test, they only need to test the one rollup. Being able to rely on consistent states of software deployment will help simplify troubleshooting, as well as reducing the vulnerability management burden," Kuzma told SearchSecurity. "Yes, there may be compatibility issues with certain applications, but I look at that largely as a vendor problem. One of the reasons that Microsoft has vulnerabilities that tend to crop up across multiple operating system versions is that they go to huge lengths to maintain compatibility, which often means porting buggy code from version to version because that's expected behavior."
But experts worry it will leave users with a choice of updating and risking compatibility issues, or not updating at all. The Windows patch options for Windows 7 and 8.1 will allow users to delay a monthly rollup, but that rollup will stack onto the next month's package.
Goettl said the new structure could present more risk, because while there will be fewer bulletins, each bulletin will cover more common vulnerabilities and exposures (CVEs) once the change is made.
"The bottom line here is exceptions due to application compatibility issues will become more compounded from a risk perspective. Companies will have to do more rigorous application compatibility testing to ensure things don't break when these larger, bundled security updates are pushed to systems," Goettl said. "If there is a conflict, vendors that conflict with the updates are going to be under more pressure to resolve issues. Where companies may have accepted an exception for one or two vulnerabilities, an exception that causes 20 vulnerabilities to go unpatched will have a very different reaction."
Amol Sarwate, director of Vulnerability Labs at Qualys Inc., based in Redwood City, Calif., said it may not be bad for everyone.
"Monthly Rollup is a good idea for most users, as it removes the burden of keeping track of which patches are needed and which ones are installed. As every month's rollup supersedes the previous month's rollup, it should be easy to keep track of whether you are up to date," Sarwate said. "But the disadvantage of the all-or-nothing approach is that if one patch has a stability or usability issue, then it cannot be selectively forbidden. Another point to note is that previously shipped patches will not be included in the October rollup and will instead be eventually rolled up in the upcoming year or so. This may create more work in the short run for administrators to keep track of which past [knowledge base] is rolled up in each month's update."