Patch Tuesday. We’ve all heard this phrase and cringed at one time or another. While it doesn’t necessarily mean you’re about to go crazy patching your entire Windows environment, it does mean that the monthly cycle of evaluating the patches you plan on deploying in your environment begins once again. Recently, Microsoft has fundamentally changed the way this process works.
All or Nothing
Starting in October, Microsoft has moved to an All or Nothing deployment patching model they are calling a “Convenience Rollup”. Now, Microsoft will be offering two flavors of patches monthly: the Monthly Rollup, which will contain both security and reliability patches, and the Security-only update, which will contain only security patches. The big change here is that you will only be able to deploy these rollup packages; you will no longer be able to deploy one patch at a time.
What It Means for Response Time
It has always been a calculated risk to quickly deploy a critical security patch. If you wanted to quickly deploy a single patch in your environment, you could often do a reasonable amount of testing on that single patch before deployment. With this move, Microsoft is fundamentally changing this. While, yes, there is a Security-only update, it includes all of the security patches for the month. There is still a chance that a patch in that rollup could impact how a web-based application operates.
The Greater Impact
Since this process is so new, it has yet to be revealed how organizations will adapt to it. I think chances are good that some organizations will be less likely to patch as often under the new model. Many organizations pick and choose their patches based on the particular applications in their environment and how they operate. While there is generally higher adoption of security patches versus enhancement patches, that doesn’t mean a neglected enhancement patch won’t lead to a security issue in the future.
Let’s take a look at a fresh new vulnerability bulletin from November 8, 2016. MS16-141, KB Number 3202790, is a critical security update for Adobe Flash Player. This vulnerability is rated critical since it lends itself to remote code execution. While many organizations have Group Policies which outright block Flash in Internet Explorer, I can think of several instances where the use of Flash may be required for a specific application. Previously, organizations may have elected to do extensive application testing on the single patch that fixed only this issue, critical as it is. Now, organizations will need to test and apply the complete Security-only rollup, or be left exposed to this critical vulnerability.
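Whichever way an organization decides to go, the question that follows is whether the update actually landed on each machine. The following PowerShell function is an added example, not code from the original post, that reports which of a list of KB numbers are installed on a host using the built-in Get-HotFix cmdlet. KB3202790 (MS16-141) is taken from the post; the second KB is an obviously labelled placeholder for the month’s Security-only update or Monthly Rollup, and the function name Test-RequiredHotFix is my own.

```powershell
# Added example (not from the original post): report which required KBs are
# present on a host. Get-HotFix reads Win32_QuickFixEngineering, so it sees
# updates applied through Windows Update, WSUS or manual .msu installs.
function Test-RequiredHotFix {
    [CmdletBinding()]
    param(
        # Accepts "3202790" or "KB3202790"
        [Parameter(Mandatory)]
        [string[]]$KbId,
        # Defaults to the local machine; Get-HotFix can query remote hosts too
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Normalise every requested id to the "KBnnnnnnn" form Get-HotFix reports
    $wanted = $KbId | ForEach-Object {
        if ($_ -match '^KB') { $_.ToUpper() } else { "KB$_" }
    }

    # One query per host, then compare in memory
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Select-Object -ExpandProperty HotFixID

    foreach ($kb in $wanted) {
        [pscustomobject]@{
            ComputerName = $ComputerName
            HotFixID     = $kb
            Installed    = ($installed -contains $kb)
        }
    }
}

# Usage: KB3202790 is the Flash Player update from MS16-141 (from the post).
# 'KB<ROLLUP-KB-PLACEHOLDER>' is a placeholder; substitute the KB number of the
# rollup package you actually deployed this month.
Test-RequiredHotFix -KbId 'KB3202790', 'KB<ROLLUP-KB-PLACEHOLDER>' |
    Where-Object { -not $_.Installed } |
    Format-Table -AutoSize
```

One caveat when using this under the new model: the Monthly Rollup is cumulative, so once a later rollup is installed an older rollup KB will not appear even though its fixes are present. Check for the current month’s rollup KB (or, for the Security-only track, each month’s Security-only KB, since those are not cumulative) rather than for individual pre-rollup KB numbers.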
More Than What you Bargained For
There have also been instances where a security patch contained a bonus for Windows users. For example, MS16-023. Buried in this update is a “non security-related fix”, or Updated Internet Explorer 11 capabilities to upgrade Windows 8.1 and Windows 7. In short, this security patch also adds the ability to update to Windows 10. Why? Good question. Is Windows 10 inherently more secure than its predecessors? It does not seem to be, judging by the list of available updates. I know many people who have, after installing this update, been bombarded with prompts asking if they want to upgrade to Windows 10. For many power users, this is not a big deal, but for the general public, this caused many unwanted upgrades to the latest Windows 10 when people were not ready for or trained in the new OS.
The Bottom Line
At the end of the day, this will impact the patching process for many organizations. It has the potential to bring great benefits and streamline things for many organizations. The patching operation has been greatly simplified with the move to the rollup model, but it will still impact organizations which have been picking and choosing their patches. Cases can easily be made for and against the new patch deployment method, but at the end of the day it is up to Microsoft. Microsoft has spoken, and for better or for worse, Windows patching has changed.