
Windows 10: No More Monthly Patches

Microsoft Outlines New Features, Including 24/7 Updates

For its soon-to-be-released Windows 10 operating system, Microsoft will abandon its longtime practice of issuing a batch of "Patch Tuesday" product and security updates once per month. Instead, the company will begin offering 24/7, cloud-based patching, which will become the new default for consumers. For the enterprise market, a new Windows Update for Business will enable IT managers to take advantage of these anytime updates or define their own patch-release schedules.


Those are just some of the new Windows 10 features announced this week at Microsoft's Ignite conference in Chicago. Windows 10 could ship as early as summer 2015 for PCs, the company says, but the OS will launch later for smartphones, tablets, the Xbox and other devices. The operating system is the successor to Windows 8, which was released in late 2012; Microsoft skipped "Windows 9" entirely.

"Windows 10 follows the path first taken by the smartphone sector where iPhones, versions of Android and Windows Phones pioneered getting updates delivered to users as soon as they become available," says Wolfgang Kandek, CTO of security firm Qualys. "This strategy has worked out exceptionally well when it comes to security." Indeed, Verizon's 2015 Data Breach Investigations Report found that a scant 0.03 percent of smartphones get infected with "higher-grade" malicious code, which is orders of magnitude below PC infection rates.

But some notable Windows 10 security questions remain unanswered. Microsoft has yet to reveal whether its cloud-based approach to updating devices will apply only to Windows 10, or also to Windows 7 and Windows 8. It's also unclear whether Windows Update for Business will replace Windows Server Update Services, the on-premises update distribution service that many enterprises use today.

Windows 10 Security Overview

Ahead of the new operating system's debut, Terry Myerson, executive vice president of Microsoft's operating systems group, took to the stage in Chicago to describe four key information security areas that are being addressed in Windows 10:

  • Device protection: Hardware-based Secure Boot restricts which software can load when the device is powered on. A new Device Guard can be configured to allow only a whitelist of approved applications to run, with the enforcement isolated by Hyper-V, Microsoft's native hypervisor, so that it is not simply another kernel component an attacker could tamper with. And Microsoft is touting a "new device health capability" that checks that endpoints are free from malware and fully updated before they're allowed to connect to enterprise resources.
  • Identity protection: Microsoft says the Windows 10 Passport - which also uses Hyper-V - can protect credentials and handle secure authentication with networks and websites without sending passwords, thus providing a defense against phishing attacks. The new Windows Hello feature, meanwhile, allows for biometric access controls via faces or fingerprints.
  • Application protection: Microsoft will certify the security of applications purchased via its Windows Store for Business. Businesses can also set Device Guard to allow only those certified applications to run on a device. Windows 10 will also require kernel-mode drivers to be digitally signed by Microsoft. "Windows 10 will not allow older drivers to run unless fully compatible with Windows 10," says Sean Sullivan, security adviser at anti-virus vendor F-Secure. "Microsoft expects developers to tighten up their old code ... which is better for both security and the user experience."
  • Information protection: Enterprise Data Protection can be set to automatically encrypt all corporate data, including files, emails and website content, as it arrives on the device from online or corporate networks.

Security-Only Patching

With the introduction of Windows 10, Microsoft is also planning big changes to how Windows devices can be updated.

One notable change centers on updates for mission-critical systems - such as medical equipment or the supervisory control and data acquisition systems that power factories and refineries - that must never be allowed to crash, and for which IT managers thus often never install any Windows updates. As a result, such devices are often at risk from exploits that target known vulnerabilities.

With Windows 10, however, Microsoft will now issue "Long Term Servicing Branches" that will "contain only security updates, without any functional updates," Microsoft's Myerson says. That way, businesses should be able to keep these mission-critical systems patched against attacks that target known flaws, without worrying that various feature changes or upgrades will crash the system.

Windows Update for Business

With Windows 10, businesses will also have new types of patch-distribution capabilities, via Windows Update for Business, which Myerson says will be a free service for business-focused Windows Pro and Windows Enterprise devices. Windows Update for Business will offer four options that are designed to make updates easier and less expensive to manage, while also enabling IT managers to get security and functionality updates into users' hands more quickly:

  • Distribution waves: IT managers can specify update waves, so that a pilot group of less critical devices receives new updates first and mission-critical devices receive them only after any problems have surfaced on the pilot group. Others could be set to still receive monthly patch updates. F-Secure's Sullivan says that this "looks like good stuff," because it will allow businesses to reduce the time they need to patch enterprise systems.
  • Maintenance windows: Patch managers can specify when updates should - or should not - occur.
  • Peer-to-peer delivery: P2P can be used to get updates to remote offices or workers. "The peer-to-peer distribution model for these updates will help with connectivity bottlenecks," Kandek says. "It's an attestation to the power of this networking technology which has been well tested in gaming and video distribution."
  • Integration: Microsoft says the new patching capabilities will work with existing systems management tools that handle patching, such as System Center and the Enterprise Mobility Suite.
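The three mechanisms above (waves, maintenance windows and peer-to-peer delivery) are easiest to reason about when written down as policy. The following PowerShell script is an added example, not code from the article or from Microsoft: it defines three update rings and applies one of them to the local machine. The registry value names it uses (DeferQualityUpdatesPeriodInDays, DeferFeatureUpdatesPeriodInDays, SetActiveHours, ActiveHoursStart, ActiveHoursEnd and DODownloadMode) are taken from the Windows Update for Business and Delivery Optimization policies that Microsoft shipped in later Windows 10 releases; the 2015 announcement covered here does not name them, so treat them as an assumption about the eventual product rather than something the article states.

```powershell
# Added example (not from the article): express Windows Update for Business
# "distribution waves" and "maintenance windows" as local policy.
# ASSUMPTION: the value names below are the Windows Update for Business /
# Delivery Optimization policies from later Windows 10 releases (the Group
# Policy templates under Windows Components > Windows Update and
# > Delivery Optimization); the article's 2015 announcement does not name them.
# Run elevated on a Windows 10 Pro/Enterprise test machine, or with -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('Pilot', 'Broad', 'Critical')]
    [string]$Ring = 'Broad'
)

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$doPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

# Ring definitions. The ordering is the point: the LEAST critical devices
# take new updates first, and mission-critical devices wait longest, so a
# bad update is caught on the pilot ring before it can reach them.
$rings = @{
    Pilot = @{
        DeferQualityUpdatesPeriodInDays = 0     # security fixes immediately
        DeferFeatureUpdatesPeriodInDays = 0     # feature upgrades immediately
        ActiveHoursStart = 8;  ActiveHoursEnd = 18
    }
    Broad = @{
        DeferQualityUpdatesPeriodInDays = 7     # one week behind the pilot ring
        DeferFeatureUpdatesPeriodInDays = 60
        ActiveHoursStart = 7;  ActiveHoursEnd = 19
    }
    Critical = @{
        DeferQualityUpdatesPeriodInDays = 30    # maximum quality deferral (0-30)
        DeferFeatureUpdatesPeriodInDays = 365   # maximum feature deferral (0-365)
        ActiveHoursStart = 6;  ActiveHoursEnd = 22  # restarts only overnight
    }
}

$cfg = $rings[$Ring]

if ($PSCmdlet.ShouldProcess("$wuPolicy ($Ring ring)", 'Apply update ring policy')) {
    New-Item -Path $wuPolicy -Force | Out-Null

    # Distribution wave: enable deferral, then set the per-ring windows.
    Set-ItemProperty -Path $wuPolicy -Name DeferQualityUpdates -Value 1 -Type DWord
    Set-ItemProperty -Path $wuPolicy -Name DeferFeatureUpdates -Value 1 -Type DWord
    Set-ItemProperty -Path $wuPolicy -Name DeferQualityUpdatesPeriodInDays `
        -Value $cfg.DeferQualityUpdatesPeriodInDays -Type DWord
    Set-ItemProperty -Path $wuPolicy -Name DeferFeatureUpdatesPeriodInDays `
        -Value $cfg.DeferFeatureUpdatesPeriodInDays -Type DWord

    # Maintenance window: no automatic restarts inside active hours.
    Set-ItemProperty -Path $wuPolicy -Name SetActiveHours -Value 1 -Type DWord
    Set-ItemProperty -Path $wuPolicy -Name ActiveHoursStart -Value $cfg.ActiveHoursStart -Type DWord
    Set-ItemProperty -Path $wuPolicy -Name ActiveHoursEnd -Value $cfg.ActiveHoursEnd -Type DWord

    # Peer-to-peer delivery: Delivery Optimization download mode.
    # 1 = share with peers on the same LAN only. That keeps update traffic
    # off a remote office's WAN link without letting the device fetch
    # update content from (or serve it to) arbitrary Internet peers.
    New-Item -Path $doPolicy -Force | Out-Null
    Set-ItemProperty -Path $doPolicy -Name DODownloadMode -Value 1 -Type DWord
}

# Read back what is actually in effect, so the change record reflects the
# ring the device ended up in rather than the one that was requested.
Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue |
    Select-Object DeferQualityUpdatesPeriodInDays, DeferFeatureUpdatesPeriodInDays,
                  ActiveHoursStart, ActiveHoursEnd
```

Run it as `.\Set-UpdateRing.ps1 -Ring Pilot -WhatIf` first to see which keys it would touch. Note that only the Pilot ring gets security fixes with no delay; the Critical ring's 30-day quality deferral is a deliberate trade of exposure time for stability, and a practitioner should pair it with the compensating controls the article describes elsewhere (Device Guard whitelisting and device health checks) rather than treating the deferral alone as acceptable.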

Goodbye, Patch Tuesday

Windows 10 marks a big change to Microsoft's policy of releasing patches in monthly batches, which dates back to 2003. The rise of agile programming has changed businesses' and consumers' expectations about how - and how quickly - their software should receive updates.

Some vendors now patch and release fixes for flaws in a matter of days, or less. At the annual Pwn2Own hacking contest, for example, after security researchers demonstrate new flaws in widely used software products, Google and Mozilla regularly issue patches for those vulnerabilities in their Chrome and Firefox browsers in less than 24 hours.

Recent versions of those browsers have been built using agile development techniques, including rapid development "sprints," that see new versions of an application released at least every few weeks. Because those browsers can also receive and install updates automatically, the frequent release cadence lets developers ship fixes as soon as they are ready, and that has led some companies, including Google, to adopt rapid patching as the norm (see Google's Psychological Patch Warfare).

With Windows 10, Microsoft is positioning itself to embrace these techniques too, in part via its new "Microsoft Edge" browser, known previously by its "Project Spartan" code name.

"For enterprises, IT teams there do have the option to continue with tighter patch control and testing," Kandek says. "However, I don't doubt that most IT teams will see the advantages of shifting over to the new model, as it supports fast patching on the desktop level. More and more, our desktop PCs and laptops have become pure Internet-connected workstations that will have no dependencies on legacy applications that force the use of outdated software versions, so the old model for patching becomes less relevant over time."


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
