Patch Tuesday: Not dead yet

24.07.2015
Patch Tuesday is not dead.

That's what experts have now concluded, even though Microsoft will not say straight out if it plans on upending the 12-year practice of providing security patches on the same day each month to everyone.

With Windows 10's launch only five days away -- the new operating system will debut July 29 on previewers' PCs -- the question of whether Patch Tuesday lives on or dies, quickly or slowly, still remains officially unanswered.

But security professionals and industry analysts have come to the conclusion that Patch Tuesday will continue, possibly in the same form it has since 2003.

"Patch Tuesday is not going away any time soon," said Chris Goettl, product manager for patch management vendor Shavlik. "It's been blown out of proportion."

"Patch Tuesday" is the label that's been stuck to the second Tuesday of each month, the day Microsoft has issued its security updates since 2003. (Microsoft prefers the more upbeat "Update Tuesday.") The practice was begun to make patching more predictable, especially for businesses -- the Redmond, Wash. company's biggest and best customers -- who generate the bulk of the firm's revenue.
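The rule the article describes (second Tuesday of every month) is what patch-management tooling keys its maintenance windows and "was this fix out-of-band?" checks on. The following is an added example, not code from the article, Computerworld or Microsoft; it only encodes the calendar rule stated above, and the helper names are this example's own.

```python
import calendar
from datetime import date, timedelta

# Added example: compute Microsoft's monthly Patch Tuesday (the second Tuesday
# of each month, as the article describes) and classify release dates against it.


def _as_date(d):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0 ... Tuesday == calendar.TUESDAY == 1
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def is_patch_tuesday(d) -> bool:
    """True if d is that month's scheduled release day. A security update
    shipped on any other day is, by the article's terminology, out-of-band."""
    d = _as_date(d)
    return d == patch_tuesday(d.year, d.month)


def next_patch_tuesday(after) -> date:
    """First Patch Tuesday strictly after the given date (wraps into the next year)."""
    after = _as_date(after)
    candidate = patch_tuesday(after.year, after.month)
    if candidate > after:
        return candidate
    if after.month == 12:
        return patch_tuesday(after.year + 1, 1)
    return patch_tuesday(after.year, after.month + 1)


def patch_tuesdays(year: int) -> list:
    """All twelve Patch Tuesdays of a year, for building a maintenance calendar."""
    return [patch_tuesday(year, m) for m in range(1, 13)]


if __name__ == "__main__":
    for d in patch_tuesdays(2015):
        print(d.isoformat())
    # The article's July 2015 batch shipped on the 14th; the July 15 Windows 10
    # fix it mentions therefore lands outside the schedule.
    print(is_patch_tuesday("2015-07-14"))  # True
    print(is_patch_tuesday("2015-07-15"))  # False
```

A practitioner would feed `is_patch_tuesday` the release dates from an inventory feed to separate scheduled updates from out-of-band ones, and use `next_patch_tuesday` to schedule the pre-deployment test window that business customers rely on.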

Two months ago, Patch Tuesday's survivability seemed in doubt after Windows chief Terry Myerson said, "We're not going to be delivering all of the updates to all of these consumers on one day of the month," when talking about changes to Windows Update under Windows 10.

Observers used that comment to conclude that Microsoft was killing Patch Tuesday and would instead roll out security fixes as soon as they were ready, returning to its pre-2003 practice. Two weeks ago, when Microsoft shipped its July batch, some marked it as the last-ever Patch Tuesday.

Hold the phone, security experts said. While they agreed that Patch Tuesday would be moot for consumers on Windows 10, even in May they were certain it would remain a factor for businesses, although fixes would be available as they exited Microsoft's testing.

Microsoft hasn't been any help. This week, it again declined to answer questions about when and how security updates would be distributed to Windows 10 devices.

When asked whether security updates would be offered to all Windows 10 users on the second Tuesday of each month, or issued to all users as the fixes are completed and approved by Microsoft, a spokesman would not address the question. Instead, he said, "With Windows 10, we will deliver ongoing innovations and security updates. Frequency and delivery of updates may vary based upon the update."

That varied delivery he mentioned would be no different from the company's current policy, which at times steps outside the Patch Tuesday schedule to ship rush fixes, the so-called "out-of-band" updates. It did that just this week when it released an emergency update to all Windows editions.

Asked whether security updates would be packaged within Windows 10's expected regular tempo of feature and functionality updates -- as was an emergency Windows 10 patch distributed July 15 and several more since then -- and released to users via the OS's multiple cadences, dubbed "branches" and "rings," the spokesman declined to comment. "Microsoft has nothing to share on that at this time," the spokesman said in an email, using one of the company's standard lines.

Two months ago, some security pros criticized Microsoft for not being more forthcoming. "Microsoft's communications have gone to near zero," said Andrew Storms, vice president of security services at consultancy New Context, in a May interview. "To some degree, that's part of the reason why everyone is confused."

Microsoft's reticence may have exacerbated the confusion, but it largely stemmed from the radical overhaul of the Windows update, upgrade and servicing model. Rather than ploddingly roll out a new OS every three years, Microsoft will continually deliver new tools and functionality, new user interface (UI) and user experience (UX) features and enhancements over the life of Windows 10.

Microsoft has long updated Windows on a regular basis, but only in the form of security patches and bug fixes. They will now be accompanied by more visible improvements. But how the two categories -- in Microsoft's parlance, "non-security" and "security" updates, the former encompassing everything but patches -- interact, intersect and overlap, or even if they do at all, is the foundation of the mystery.

Because Microsoft has been feeding off-the-cuff security updates that also include non-security content to Windows Insiders (the people who have opted in to the Windows 10 preview program), many have concluded that this will be the norm for everyone, or at least for consumers on the "Current Branch" (CB), the earliest-to-get-updates mainstream track and the only one available to customers running Windows 10 Home.

"That's the only cadence that people are seeing right now," Goettl pointed out.

But there's no guarantee that how Microsoft ships security updates to the Insider group will be the way it treats the Current Branch. Gabriel Aul, engineering general manager for Microsoft's OS group, hinted at that possibility Tuesday. "The experience you're having is because you're in the Insider program. Not how the rest of the world will experience," Aul tweeted when a user griped about the barrage of updates to Insider build 10240.

Even with the muddy waters, Goettl remained convinced that consumers would no longer see Patch Tuesday, at least as it's been known in the past. "Consumers will get things as they come out," he said today, reiterating his position of May. "They'll have little choice on it, but that's okay. Consumers have the least knowledge [about patches] and they shouldn't be making the decision. Windows 10 will be like the Apple model [for Macs], and that's in [consumers'] best interest."

Again, Microsoft has not said as much. Nor has the company laid out how security updates will be presented to businesses. But there, people like Goettl and others were surer of what will happen.

Businesses that rely on the "Current Branch for Business" (CBB) and/or "Long-term Servicing Branch" (LTSB) for non-security updates will continue to see a Patch Tuesday, Goettl asserted. In fact, he argued that it was this critical part of Microsoft's customer mix that's calling the shots. "They have forced the course on Patch Tuesday," Goettl said.

Gartner's analysts were more aggressive in their belief that Patch Tuesday would remain intact, saying that it would exist for consumer and commercial Windows users. "[Current Branch] does not replace the current monthly security patch program, which will continue to deliver critical security fixes on the second Tuesday of each month," wrote Gartner analyst Steve Kleynhans in a recent report for clients. "Security fixes will continue to arrive each month on Patch Tuesday regardless of which branch you select, although they may arrive even more frequently for those on Windows Update."

In a follow-up email, Kleynhans said that although Gartner had no inside information, it expects Patch Tuesday to continue.

But Kleynhans, like everyone else, will just have to wait for Microsoft to say how it is. Or isn't.

(www.computerworld.com)

Gregg Keizer