The debacle of two botched Windows 7 patches in the past six weeks raises all sorts of red flags about Microsoft's new patching policy, the one that controls how and when patches are deployed on the Metro side of Windows 8, as well as on Windows RT. If you look at what actually happened with KB 2823324 and compare it to the processes in place for Metro patches, there's an inescapable conclusion: Microsoft had better not mess up Win8 the way it's been messing up Win7.
Here's a rough timeline of last week's debacle: KB 2823324 was released on Black Tuesday. Complaints about blue screens of death (BSODs) and odd behavior with Kaspersky Antivirus surfaced on the forums -- including the Microsoft forums -- on Tuesday evening. Microsoft didn't say anything about it until Thursday.
For example, Microsoft Answer forum poster RogueLeader said on Tuesday, "I honestly do not even know how to describe my situation, other than: Today's update literally destroyed my computer." Later, after Microsoft MVP PA Bear pointed RogueLeader to Microsoft's documentation about the botched patch, RogueLeader responded, "I checked out the link PA Bear provided. Microsoft posted that three days too late, with no significant explanation of what they did wrong, no apologies ever."
That's precisely what happened. Microsoft apparently "pulled" the patch -- in the sense that it unchecked the box in Windows Update that selects the patch for automatic installation -- on Wednesday. There was no official confirmation of the problem or the pulled patch until late Thursday, when a brief explanation appeared on the MSRC blog, stating, "All customers who have installed security update 2823324 should follow the guidance that we have provided in KB 2839011 to uninstall it."
In other words, if you were gullible enough to have Automatic Update enabled on Tuesday, Microsoft advised you in an obscure security blog post on Thursday that you should manually uninstall the patch that was automatically applied, whether your machine got toasted or not. If you were running the Brazilian version of Win7 on Tuesday, there's a fair chance that the patch would've sent you into an endless cycle of BSODs.
If Microsoft ever pulls that kind of stunt on a Windows RT PC or the Metro side of Windows 8, there'll be hell to pay. Why? Because the rules over in Metro land are completely different.
For starters, there's no way to uninstall a Windows patch in the Metro world. None. Zip. Yes, you can uninstall patches made to the old-fashioned desktop in Windows 8. But the Metro side is completely locked down.
Sure, it's possible that all updates to the WinRT API will go through flawlessly. But I need point no further than the patching mess that is .Net to provide copious examples of Microsoft API patching gone amok. At least with .Net we get fair warning about the patches coming down and (if Automatic Updates is turned off) we can keep our collective ears to the ground to see whether the patches are any good or not. But on the Metro side, that doesn't seem to be the case. I say "doesn't seem to be the case" because it still isn't clear to me exactly how patches to the WinRT API will be implemented.
So far, we've had two well-publicized patches to Metro.
One of them -- a complete reversal of the way Internet Explorer 10 handles sites with Flash, from whitelisting to blacklisting -- was implemented without a single notification about which patch included the changes. If you wanted to hold off and implement the switch at your own speed, you were completely out of luck because Microsoft didn't even mention which patch to watch. To this day, other than the announcement that Flash would go from whitelist to blacklist, there hasn't been any discussion of how the switch was implemented. Digging into the details, it now appears to me that Microsoft didn't change Internet Explorer itself; the switch was implemented by changing the contents of an HTML file that controls Flash filtering in IE 10. But given Microsoft's promise:
Our goal is to have a quick, transparent, and painless security update process. With this in mind, we will deliver high-quality security updates for Windows Store [Metro] apps as they become available. This applies to Microsoft apps that are installed using the Windows Store and to apps like Mail, which are preinstalled with Windows 8 but updated using the Windows Store.
You'd think there would be some sort of announcement about when and how the change was implemented.
The second well-publicized patch on the Metro side involved a security patch to Metro Mail. We were given detailed information about the patch -- issued on the day the patch appeared -- but there was no advance warning that it was coming down the pike. Eagle-eyed Metro users saw a number on the Windows Store tile, clicked or tapped on it, then clicked or tapped on the Updates link and received a list of the apps to be updated. Mail was on the list. There was absolutely no notification that the Mail update was a security patch, and once the patch was installed, there's no indication which version of Metro Mail -- patched or unpatched -- is running. Of course, it's impossible to uninstall the patch once it's in.
Don't get me started on the silent pushing of firmware updates to Surface machines. Silent firmware -- the mind boggles.
People like to say that this is standard behavior for mobile apps, but that's simply not true. For example, if I go into the Settings section of my Android smartphone, tap on App Info, then tap on, oh, Gmail, I can see immediately that I'm running Gmail version 4.3.1. A quick check on the Web shows me that 4.3.1 is a minor update to 4.3, and a changelog is readily available. Apple's iOS doesn't have a changelog in its Settings app, but most apps display their current version number in Settings or in the app's own Info area, depending on how the developer decided to show this data. And the iTunes App Store's description for each app provides a changelog for each app.
Try finding the changelog for your copy of Metro Mail. Heck, just tell me which version of Metro Mail you're running right now. Good luck.
When Apple started having big-time problems with viruses and general malware, it became fashionable to say that Apple was playing catch-up in the antivirus field, running 10 years behind Microsoft. There's a great deal of truth in that observation. But I would submit that when it comes to patching mobile programs, Microsoft's playing catch-up, running at least three years behind Apple and Google.
Let's hope Microsoft doesn't release a Metro patch like last week's Win7 patch and brick a whole bunch of Metro screens.
This article, "There's no way out of a bad Windows 8 Metro patch," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.