
Give IT a Break from Software Updates

Microsoft said it will pause non-security Windows updates beginning in May as part of its plan to reduce the update pressure on IT and security teams, as they are busy keeping organizations operational during the COVID-19 pandemic. Other software companies are adjusting their release schedules, recognizing that IT and security teams are currently stretched thin.

"We have been evaluating the public health situation, and we understand this is impacting our customers," Microsoft wrote in a post to the Windows 10 messaging center. "In response to these challenges we are prioritizing our focus on security updates."

Organizations around the world are instructing employees to work from home in order to keep them from getting sick or spreading the disease to others, but this kind of rapid shift to a remote workplace requires a tremendous amount of effort and speed. IT has had to field an increased volume of support requests—beginning with procuring the equipment, setting up users with new hardware and software, establishing new processes for users to follow, and assisting users who have trouble with the new procedures.

“Right now, we need to focus on keeping the lights on,” said Dave Lewis, an advisory CISO at Duo. “You do not want to mess with anything.”

Every operating system update and patch has the potential to cause unexpected issues for users and the vast amount of software across the Windows ecosystem, said Jack Mannino, the CEO of application security provider nVisium. IT and security teams have to prioritize what to work on in the current “resource-constrained and logistically challenging environment.”

“Addressing security issues and critical bug fixes without interruption ensures that we're not building up significant security and technical debt while we're in the midst of the pandemic,” Mannino said.

It doesn’t make sense to divert the attention and energies of IT and security teams away from supporting users and monitoring for potential security issues to testing and deploying software updates. Installing updates could also inadvertently introduce a problem, such as conflicts with existing software or issues with specific types of hardware, which may not be easy to fix, Lewis said.

In a situation where everything is under a lot of stress, it makes sense to not make any changes. The ramifications may go far beyond just a software change—first responders may find that an option they always use has been moved elsewhere, or renamed to look like something else—and actually cause harm.

Pause Non-Security Updates

When Microsoft said it will pause non-security updates, it was referring to the optional Windows updates, the C and D updates, which are released during the third and fourth week of each month. The C and D updates generally contain non-security fixes that are officially released in the cumulative update the following month and are not intended to be distributed to all Windows machines. These optional “preview” updates “contain only non-security updates and are intended to provide visibility and testing of the planned non-security fixes,” Microsoft said. The fixes in the optional updates go into the following month’s Patch Tuesday (or, as Microsoft prefers to call it, Update Tuesday) release as part of the cumulative update. The point of these updates is to give IT teams the opportunity to test the fixes earlier and give feedback before they are officially released.

Microsoft released a D update in March for Windows 10 1903 and Windows 10 1909. The C and D updates for April are still expected to happen on schedule.

The security updates, or the B updates, are released on the second Tuesday of the month and will continue on their schedule. Microsoft will also continue to issue out-of-band security updates as needed. That should come as a relief for security teams, as Microsoft this week disclosed two zero-day vulnerabilities in the Adobe Type Manager Library, which Windows uses to render PostScript Type 1 fonts. Microsoft has seen “limited, targeted attacks” exploiting the vulnerabilities. The fix may not be part of the next Patch Tuesday (“Update” Tuesday) release in April.
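To make the cadence described above concrete for patch-scheduling purposes, here is an added Python helper (not from the article, Microsoft, or any of the quoted companies) that computes the expected B, C and D release dates for a month and flags which ones fall under the announced pause of optional updates. The "week of month" boundaries and the assumption that C and D previews land on the third and fourth Tuesday are mine, not stated by the article.

```python
from datetime import date, timedelta

# From the article: B = security release on the second Tuesday; C and D =
# optional non-security previews in the third and fourth week; Microsoft said
# it would pause C and D beginning in May 2020 while B continues.
PAUSE_OPTIONAL_FROM = date(2020, 5, 1)


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the month (the 'B' security release)."""
    first = date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7   # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=days_to_tuesday + 7)


def week_of_month(d: date) -> int:
    """Assumed convention: days 1-7 are week 1, 8-14 week 2, and so on."""
    return (d.day - 1) // 7 + 1


def classify_release(d: date) -> dict:
    """Classify a regularly scheduled Windows release date as track B, C or D.

    Returns the track, whether it carries security fixes, and whether it is
    expected to ship given the pause of optional updates. Dates outside the
    regular cadence return track None (out-of-band fixes are not modelled).
    """
    if d == patch_tuesday(d.year, d.month):
        return {"date": d, "track": "B", "security": True, "ships": True}
    week = week_of_month(d)
    if week in (3, 4):
        track = "C" if week == 3 else "D"
        # Optional previews carry no security fixes and are paused from May 2020.
        return {"date": d, "track": track, "security": False,
                "ships": d < PAUSE_OPTIONAL_FROM}
    return {"date": d, "track": None, "security": None, "ships": None}


def month_plan(year: int, month: int) -> list:
    """Expected B/C/D releases for a month, assuming C and D fall on the
    Tuesdays one and two weeks after Patch Tuesday (assumption)."""
    b_day = patch_tuesday(year, month)
    return [classify_release(b_day + timedelta(days=7 * i)) for i in range(3)]
```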

"If it is catastrophically necessary, you do it," Lewis said. "If there is an Internet worm going around, you patch it."

A Temporary Pause

Earlier this month, Google’s Chrome team said it would temporarily pause the release of Chrome version 81 and focus its efforts on improving the security and stability of the current version (version 80) of the web browser. Instead of March 17, the new version of the web browser is now expected April 7. Version 82 has been cancelled and its features rolled into version 83, whose release date has been bumped up three weeks, to mid-May.

Following Google’s lead, Microsoft suspended future releases of its Edge web browser. Edge is currently on version 80 and will remain on that version for the foreseeable future, with version 81 staying in beta. Microsoft will keep rolling out security updates for version 80.

"We are making this change to be consistent with the Chromium project, which recently announced a similar pause due to adjusted schedules, and out of a desire to minimize additional impact to web developers and organizations that are similarly impacted," Microsoft said at the time.

Apple has not said if it will be making any changes to Safari’s release schedule, although it just rolled out a hefty security and feature update for macOS Catalina, Safari, iTunes for Windows, iOS, iPadOS, macOS, watchOS, and tvOS. Mozilla has also not said if it plans to delay the release of the next version of Firefox, currently scheduled for April 7.

Challenging Times

While delaying updates and new releases would ease the current workload for IT, the decision to do so may also reflect the challenges the developers themselves were facing. Paul Kinlan, the lead for the developer relations team at Google, noted on Twitter that there were several reasons behind the original decision to not release Chrome version 81, including “lower productivity, worry about asking ecosystem to change, being able to respond quickly when there's an issue.”

Many companies are struggling with productivity and staffing. “Microsoft will be using the resources they have and focus on critical security updates such as zero day vulnerabilities,” said Ray Kelly, principal solutions architect and alliances at WhiteHat Security. “It’s a wise decision at the cost of a potential large update after they are staffed back up.”