Microsoft to Pause Non-Essential Software UpdatesMove Comes as COVID-19 Drives Surge of Work-From-Home Employees That IT Must Support
Microsoft has announced that it will pause all non-essential Windows updates. The move comes as IT teams are continuing to respond to the ongoing fallout caused by the COVID-19 pandemic. The rapid rise of the disease has led to numerous organizations instructing the vast majority - if not all - of their workers to work from home, leading to a rapid rise in IT support requirements.
"We have been evaluating the public health situation, and we understand this is impacting our customers. In response to these challenges we are prioritizing our focus on security updates," Microsof writes in a blog post.
The company's Windows announcement follows Google Chrome saying it would temporarily pause all future releases, after which Microsoft announced that its Edge browser would be following suit. But Microsoft says it will still issue essential security updates for Edge.
Apple, meanwhile, issued security updates on Tuesday for macOS Catalina, Safari, iTunes for Windows and various versions of iOS, iPadOS and watchOS, among other products.
Can't Stop Patch Tuesday
Microsoft says its monthly "Patch Tuesday" (or B releases) will continue as normal. These releases, which occur on the second Tuesday of every month, batch together "the primary and most important of all the monthly update events and are the only regular releases that include new security fixes," Microsoft says.
Also unchanged: Microsoft's plan to issue out-of-band releases as and when required. Out-of-band means "any update that does not follow the standard release schedule" and "are reserved for situations where devices must be updated immediately either to fix security vulnerabilities or to solve a quality issues impacting many devices," the company says.
Starting in May 2020, we are pausing all optional non-security releases (C and D updates) for all supported versions of Windows client and server products to prioritize security and keep customers protected and productive. More information here: https://t.co/G5NcWtIiEQ.— Windows Update (@WindowsUpdate) March 24, 2020
One likely upcoming out-of-band update will be a fix for two zero-day flaws in the Adobe Type Manager Library, which allows Windows users to render different types of PostScript Type 1 fonts on their devices. Microsoft this week warned that it's seen "limited, targeted attacks" exploiting the flaw, and it doesn't expect to have a fix prepared in time for the next Patch Tuesday, scheduled for April 13 (see: Microsoft Alert: Fresh Zero-Day Flaws Found in Windows).
Starting in May, Microsoft says will pause all C and D releases, which happen during, respectively, the third and fourth weeks of the month.
"These preview releases contain only non-security updates and are intended to provide visibility and testing of the planned non-security fixes targeted for the next month’s Update Tuesday release," Microsoft says. "These updates are then shipped as part of the following month’s “B” or 'Update Tuesday' release."
Browser Makers: Security and Stability Updates Only
Microsoft's Windows patching announcement follows the Google Chrome development team announcing on March 18 that "due to adjusted work schedules at this time, we are pausing upcoming Chrome and Chrome OS releases."
Instead, the development team says it will continue to focus on improving the security and stability of the current version, Chrome 80, as well as "to prioritize any updates related to security."
Two days later, Microsoft's Edge development team announced that it would follow suit. The current version of Edge - all version 80, in sync with Chrome - will not be updated for the time being, meaning that version 81 will remain in beta.
"In light of current global circumstances, the Microsoft Edge team is pausing updates to the stable channel for Microsoft Edge. This means that Microsoft Edge 81 will not be promoted to 'stable' until we resume these updates," Microsoft said. "We are making this change to be consistent with the Chromium project, which recently announced a similar pause due to adjusted schedules, and out of a desire to minimize additional impact to web developers and organizations that are similarly impacted."
Apple Issues Security Updates
Apple has issued no such notices for its Safari browser. On Tuesday, meanwhile, Apple released its latest slew of security updates. The most serious of these updates fixes a bug in WebKit - a type-confusion flaw designated CVE-2020-3897 that could be abused by hackers to execute arbitrary code. While it can be remotely exploited, doing so would require some degree of user interaction, Apple says, noting that it's tweaked memory handling with the update to remove the flaw.