For more than 10 years, the second Tuesday of every month has been Patch Tuesday, the day that Microsoft releases security patches for its software products.
Microsoft Patch Tuesday was introduced to allow administrators to install multiple patches with a single reboot, on a day of the week that leaves enough time for any problems to be dealt with before the weekend.
However, the threat landscape has changed a great deal since Patch Tuesday first became a fixture in every security team's schedule in 2003. Since system and application vulnerabilities are almost always featured somewhere in a data breach, Microsoft has decided to revise its software updates and security patch rollout processes in Windows 10 and join the ranks of Google and Apple in pushing out updates whenever they are ready.
The problem with monthly patching
A monthly patch release cycle creates a window of vulnerability that leaves enterprise systems and devices open to attack on a regular basis -- even if the patches are applied straight away.
Hackers regularly exploit new flaws within days of them being published. Verizon's 2015 Data Breach Investigations Report found half of the CVEs exploited in 2014 were exploited within two weeks of their being published.
Security patches do occasionally get released out-of-band -- that is, prior to the next Patch Tuesday -- if a security vulnerability is rated "critical" based on Microsoft's Security Bulletin Severity Rating System. (Confusingly, a "critical update" addresses a critical, non-security related bug.)
To reduce the gap between hackers learning of an exploit and a patch to fix it being released, Microsoft has started sending out patches for Windows 10 PCs, tablets and phones as soon as they are ready rather than delivering them all on a single day of the month.
Trading Patch Tuesday in for Windows Update for Business
It is important to note, however, that Microsoft's new release cycle only applies to consumers, not Windows 10 enterprise customers.
Windows 10 enterprise customers will stay on the monthly update Patch Tuesday cycle, which will be reworked as Windows Update for Business (WUB). While this means the same window of vulnerability exists for enterprise systems, patches -- when they do arrive -- will have already been heavily tested by the consumer user base. Microsoft patches have, on occasion, had their own bugs; this new timetable means they should be pretty stable with known issues documented prior to enterprise administrators having to install them. However, not many consumers are going to be running enterprise versions of common Microsoft applications or enterprise software such as Microsoft SQL Server or Microsoft Server Datacenter, so updates for these programs will still need to be thoroughly tested prior to installation.
One of the most significant features of Windows Update for Business is its update distribution rings -- different tracks that give administrators more control over how fast updates are delivered to their systems. The "Current Branch" is for groups of users at low risk of being affected by new features and changes. The "Current Branch for Business" group covers users who are more sensitive to new features, changes and behavior. The "Long Term Servicing Branch" offers updates that contain only security updates and no functional updates; this ring is for mission-critical deployments where reliability and control over what changes occur are paramount.
WUB also offers better control over branch offices and remote users, including those who may not have the broadband speeds most software developers seem to assume everyone has. These users will be able to set the timing of update installations to ensure downloads don't interfere with day-to-day operations. Patches can also be distributed peer-to-peer, so only one machine has to download the update from the Internet.
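The following PowerShell script is an added example, not code from the article or from Microsoft, showing how the ring model and the timing and peer-to-peer controls described above translate into local Windows Update for Business policy on a single Windows 10 Pro or Enterprise machine. The registry values it writes (DeferQualityUpdates, DeferQualityUpdatesPeriodInDays, DeferFeatureUpdates, DeferFeatureUpdatesPeriodInDays, SetActiveHours, ActiveHoursStart, ActiveHoursEnd and DODownloadMode) are the ones Microsoft documented for Windows Update for Business in later Windows 10 releases, after this article was written; the ring names, the deferral periods assigned to each ring and the active-hours window are illustrative assumptions made for this example. The Long Term Servicing Branch is a separate Windows edition rather than a deferral setting, so it is deliberately left out of the ring table.

```powershell
# Added example: apply a Windows Update for Business "ring" to the local machine.
# Run in an elevated session. In a domain, the same values are normally set via
# Group Policy or MDM rather than directly in the registry; this script is for
# a lab or pilot machine.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$DoPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

# Assumed ring definitions (deferral days chosen for this example, not Microsoft guidance).
# Quality (security) updates may be deferred 0-30 days, feature updates 0-365 days.
$Rings = @{
    'CurrentBranch'            = @{ QualityDeferDays = 0; FeatureDeferDays = 0   }  # low-risk pilot users
    'CurrentBranchForBusiness' = @{ QualityDeferDays = 7; FeatureDeferDays = 120 }  # broad production
}

function Set-WubRingPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('CurrentBranch', 'CurrentBranchForBusiness')]
        [string]$Ring,
        # Active hours during which Windows will not restart to finish installing (0-23).
        [ValidateRange(0, 23)][int]$ActiveHoursStart = 8,
        [ValidateRange(0, 23)][int]$ActiveHoursEnd = 18,
        # Delivery Optimization download mode: 0 = HTTP only, 1 = peers on the same LAN.
        [ValidateSet(0, 1)][int]$PeerDownloadMode = 1
    )

    $cfg = $Rings[$Ring]
    if ($cfg.QualityDeferDays -gt 30 -or $cfg.FeatureDeferDays -gt 365) {
        throw "Ring '$Ring' has a deferral outside the range Windows Update accepts."
    }

    foreach ($path in @($WuPolicy, $DoPolicy)) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }

    # Security (quality) update deferral: this is the "window of vulnerability" knob.
    Set-ItemProperty -Path $WuPolicy -Name DeferQualityUpdates -Value 1 -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name DeferQualityUpdatesPeriodInDays -Value $cfg.QualityDeferDays -Type DWord

    # Feature update deferral: controls how soon new functionality reaches this ring.
    Set-ItemProperty -Path $WuPolicy -Name DeferFeatureUpdates -Value 1 -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name DeferFeatureUpdatesPeriodInDays -Value $cfg.FeatureDeferDays -Type DWord

    # Installation timing: keep restarts out of working hours.
    Set-ItemProperty -Path $WuPolicy -Name SetActiveHours -Value 1 -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name ActiveHoursStart -Value $ActiveHoursStart -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name ActiveHoursEnd -Value $ActiveHoursEnd -Type DWord

    # Peer-to-peer distribution so only one machine per LAN pulls the bits from the Internet.
    Set-ItemProperty -Path $DoPolicy -Name DODownloadMode -Value $PeerDownloadMode -Type DWord
}

function Get-WubRingPolicy {
    # Read back what Windows Update will actually see, for verification or auditing.
    $wu = Get-ItemProperty -Path $WuPolicy -ErrorAction SilentlyContinue
    $do = Get-ItemProperty -Path $DoPolicy -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        QualityDeferDays = $wu.DeferQualityUpdatesPeriodInDays
        FeatureDeferDays = $wu.DeferFeatureUpdatesPeriodInDays
        ActiveHours      = if ($wu.SetActiveHours -eq 1) { "$($wu.ActiveHoursStart):00-$($wu.ActiveHoursEnd):00" } else { 'not set' }
        PeerDownloadMode = $do.DODownloadMode
    }
}

# Example usage: put this machine in the broad production ring, then show the result.
Set-WubRingPolicy -Ring 'CurrentBranchForBusiness' -ActiveHoursStart 7 -ActiveHoursEnd 19
Get-WubRingPolicy | Format-List
```

The quality-update deferral is the value to watch from a security standpoint: every day added to it extends the exposure window the article describes, so a pilot ring with zero deferral plus a production ring with a short deferral is a reasonable compromise between early warning of bad patches and limiting the time attackers have to exploit a published flaw.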
There are still more details to come from Microsoft as to exactly how the different rings will work, as well as how Windows Vista, Windows 7 and Windows 8 updates will be handled, but for now it's pretty much business as usual. Updates will still arrive on the second Tuesday of the month for enterprise IT managers and Windows Pro customers, but it will be easier to pick and choose which devices will receive what updates first, and which will wait for later on.
Releasing patches when they're ready and not according to a fixed timetable is a big step forward in protecting nonbusiness users; the best way to keep any device secure is to keep it up to date with the latest patches. By introducing different update rings, Microsoft has also taken steps to improve the patching and rollout process for enterprises, which will always need additional time and a level of predictability to test updates across their myriad systems, given those systems' differing levels of criticality. Application developers will, however, have to be aware that selective updating creates platform fragmentation, a problem many Android developers already experience.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. He was also formerly a Microsoft Certified Database Manager and a registered consultant with the CESG Listed Advisor Scheme (CLAS). Cobb has a passion for making IT security best practices easier to understand and achievable. His website offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices.