Patch management expert rejects single-broken-fix theory
Microsoft was closed-mouthed about why it postponed the month’s security updates, but a patch expert argued that it was probably due to one or more problems with the company’s update service infrastructure, not a single flawed fix.
“Something is broken in the infrastructure, in Windows Update or the [Microsoft Update] Catalog, is my guess,” said Chris Goettl, product manager at patch management vendor Ivanti, formerly Shavlik.
Goettl contended that a back-end snafu was the most likely cause for the unprecedented delay, which Microsoft announced yesterday, because other potential causes made less sense.
Asserting that one update, or one component of an update — say a single patch for Windows — had held up the entire month’s slate was unreasonable, Goettl suggested, because not every fix would be bundled into the Windows updates. Office patches, Goettl noted, were delivered separately from those addressing vulnerabilities in Windows, and fixes for Internet Explorer (IE) were to be spun off this month.
Likewise, an unfinished patch for Windows 7 would not have, on its own, blocked the release of February’s Windows 10 update: While both editions were to be served cumulative updates this month, each version would have received its own.
“[But] Microsoft didn’t release anything, which sounds more like an infrastructure issue,” Goettl emphasized in a follow-up email.
Goettl’s take was different from most on a Reddit thread, who, like Computerworld yesterday, attributed the delay to a single buggy patch. But one Reddit commenter posited another explanation: that a recently uncovered vulnerability may have triggered the stoppage. “They’re delaying the patch so that they can include an additional fix for an important issue that was just discovered,” opined adrientetar.
Others used the no-show to take a jab at Windows’ patching reputation. “No wonder nothing broke this morning,” said one Reddit user.
“Rebooted nonetheless, as a sign of solidarity,” added Wilksterman.
The patch postponement again brought attention to Microsoft’s decision last year to dump the decades-old practice of issuing multiple updates, one for each vulnerability, or in many cases, associated vulnerabilities, for Windows 7 and Windows 8.1. Instead, Microsoft duplicated the Windows 10 model — where only cumulative, unified updates are issued — for the older versions.
Under the previous policy, Microsoft could delay a single patch — when, for example, that patch had not been completed or properly tested in time — without impeding the company’s ability to release all other fixes. That occurrence, while uncommon, was not extraordinary.
But as soon as Microsoft began packaging all patches into a single item, it lost the power to postpone one fix while still releasing others. If, in the future, it needed to delay a patch for a Windows 7 vulnerability, it would have to hold the entire Windows 7 cumulative update (even if it could, as Goettl emphasized, release cumulative updates for other versions, such as Windows 8.1 or Windows 10).
“Going to the cumulative model has tied their hands somewhat,” said Goettl.