The case against knee-jerk installation of Windows patches

Credit to Author: Woody Leonhard| Date: Mon, 17 Jun 2019 03:10:00 -0700

Heresy. Yes, I know. Any way you slice it, from my point of view anyway, Windows Automatic Update is for chumps.

Just like the “users must be forced to change their passwords frequently” argument that’s no longer au courant, the “users must get patched immediately” argument is based on old, faulty, and totally unsubstantiated claims that make security people feel better — and little else.

With a few notable exceptions, in the real world, the risks of getting clobbered by a bad patch far, far outweigh the risks of getting hit with a just-patched exploit. Many security “experts” huff and puff at that assertion. The poohbahs preach Automatic Update for the unwashed masses, while frequently exempting themselves from the edict.

Yes, you need to get patched eventually. Yes, your Sainted Aunt Martha who’s afraid of playing mahjong because it’ll break her Microsoft something-or-another, needs to be on auto updates. Yes, there are highly unusual patches (e.g., for EternalBlue/WannaCry and BlueKeep) that need to be applied shortly after they’re released. But in the vast majority of cases, for the vast majority of reasonably coherent Windows customers, waiting a week or two or three to install the latest crop of Windows and Office patches just makes sense.

Conventional wisdom be damned.

To my mind, the parallels with the “users must be forced to change their passwords frequently” tripe are manifest. Back at the dawn of password time, some well-meaning security folks figured that forcing people to change passwords along a set schedule would make it harder for the bad guys to break in.

Sixty-day expiration periods reek of common sense, but they just don’t help. Microsoft studied the situation, dropped the preconceived notions, and recommended in late April that admins stop the practice, calling it “ancient and obsolete.”

Microsoft hasn’t, as best I know, studied the “wait a couple of weeks to apply updates” heresy. It’s hard for me to envision how to test it. But it has looked at something similar, which can be quantified. Back in February, a handful of Microsoft researchers did show that the chances of getting infected by just-patched malware is tiny, compared to all the other ways of getting infected.

Yes, you need to get patched eventually. Right now, for example, the old Equation Editor vulnerability  CVE-2017-11882 — which was fixed at the end of 2017 — is enjoying a resurgence. Patch it. The EternalBlue SMBv1 hole hasn’t gone away. Thank you, NSA. Patch it. BlueKeep hasn’t been cracked yet, but you definitely need to put a fork in it.

But in all of those high-profile cases, folks who waited a week or two or three to install the latest patches didn’t get bit. In fact, I struggle to come up with a recent example of a just-patched security hole that turned into genuine mass-market malware in just a couple of weeks. On the flip side, I can point to hundreds of recent patches that have brought down some Windows machines.

I’m not talking about organizations that guard state secrets, trade securities in real time, or calculate the meaning of life, the universe and everything. Those big organizations have their own security battalions that dig into the patches as soon as they’re out and — mirabile dictu! — they don’t patch right away either. Instead, they spend enormous amounts of effort and money making sure that new patches won’t break anything on their systems before they get rolled out.

If you don’t have a staff of security savants at your beck and call, you might want to consider doing the same thing they’re doing but, instead of spending millions for test equipment and droids, just sit and wait and listen for the howls of pain from people who install the buggy updates. Think of it as crowdsourced patch debugging.

If Microsoft’s patches were more than half-baked when released, this would be an academic exercise. The fact is that Windows patches keep screwing up, often in devastating ways. While it’s absolutely true that only a presumably small percentage of Windows users get hit by any one specific bug, the volume of bugs is enormous. Don’t believe it? Look at the past two years of patch whack-a-mole documented in my monthly columns.

Microsoft hasn’t yet ‘fessed up to the error of its ways — at least, not to the extent that it has sounded a “forced password change” caliber alarm. We may never get a definitive statement about “bugs as a service.” But we are seeing some progress.

Two months ago, Microsoft MVP Mike Fortin posted an announcement on the Windows blog that promises that Win10 1803 and 1809 customers will have a chance to delay forced upgrades to version 1903 using the so-called “Download and install” feature. Since then, we’ve heard that 1803 customers won’t be so lucky — they’ll be forced onto 1903 starting this month, even though 1803 doesn’t hit EOL until November. It’s not clear which push is going to meet what shove, but at least there’s an official opening for improvement.

We’ve also seen the Win10 1903 Windows Update settings sprout a new option, for both Pro and Home versions: As of this moment, anyway, you can click on a button in 1903 Windows Update that’ll delay all updates for seven days. Click the button again and you add seven more days. You can click up to five times, with each occasion adding seven more days. For the first time ever, Win10 1903 Home users have some control over forced updates. Bravo.

At the same time, the Win10 1903 Update options settings (Pro only, not in Home) have changed to eliminate the Current Branch for Business/Semi-Annual Channel bafflegab that’s gone through a dozen changes since Win10 arrived. Unfortunately, at this point, making any choices on the page to defer update results in all of your options going AWOL.

I’m guessing that behavior’s a bug — one of many in 1903 — and I’m not sure what behavior will ultimately shake out. Regardless, the easy availability of update/upgrade deferrals, even on Win10 1903 Home, is a sure sign that Microsoft is backing away from its hardline “users must get patched immediately” stance.

That’s progress. Too bad so many in the security community don’t see the writing on the wall.

If you want to follow the, ahem, “ancient and obsolete” advice to enable Automatic Update and get patches installed the minute they’re available, hey, I think that’s great.

When you hit problems with wayward patches — trust me, you will — be sure to tell us all about it on AskWoody.

http://www.computerworld.com/category/security/index.rss

Leave a Reply