Microsoft's new security patching routine raises concerns

Microsoft just released its first acknowledged security update for a Metro app -- and the new patching method is a disaster waiting to happen

For those of us accustomed to Windows Automatic Update kicking in on Black Tuesdays, Microsoft's new method for applying security patches to Metro apps seems a bit awkward. Microsoft conveniently provided a real, live Metro (or should I say Windows Store?) security patch to look at yesterday, and there are a few changes in the patching routine that send a shiver down my spine.

Earlier this month, the Microsoft Trustworthy Computing team gave us an overview of how the Metro security patching routine should work, and a concommitant policy statement fleshes out a few more details. Here's how it actually works in practice:

  • There's no advance warning a patch is coming. Metro app security patches can appear at any time on any day. That's a very significant departure from the Windows Update cycle we've known for many years. With Windows Update, on the Thursday prior to a Black Tuesday, Microsoft releases an eagerly anticipated Security Bulletin Advance Notification with a list of coming security bulletins. On Black Tuesday itself, in addition to individual security bulletins, Microsoft releases a summary with details of each bulletin and a risk assessment for each patch.

Over on the Metro side, there is one running Knowledge Base article that's supposed to list all Metro security patches as they happen. In the case of yesterday's Metro Mail patch, it appears as if that's Security Advisory 2832006. If there was any advance warning for the patch, I didn't see it.

  • There's no warning when you install the patch. This particular patch to Metro Mail didn't look different from any other Windows Store update. In fact, it looks like it was bundled with the combined upgrade to Microsoft's Metro Mail, People, Calendar and Messaging apps. Unless you had read that particular Security Advisory, or the KB 2819682 description of the Metro Mail patch prior to installing the Mail/People/Calendar update, there's no way you would have known you were installing a security patch.
  • You can't roll the patch back. Given Microsoft's history with patching Windows, this is a disaster waiting to happen.
  • There are no version numbers and no revision history. Quick, can you tell me right now if your copy of Metro Mail -- the one you're running on your Windows 8 or Windows RT machine at this very moment -- has this latest patch?
  • There are precious few details about the patch. The details about the current Metro Mail patch are minimalist to the point of being inscrutable. The vulnerability explanation in the KB 2819682 Security Advisory points to CVE-2013-1299, but there are no further details on the Mitre CVE website. Securelist describes the vulnerability in a couple of paragraphs, and there are other mentions on the Web, but nothing official. In the past, we were frequently inundated with detailed descriptions of the problems addressed by security bulletins and mitigations, often including blog posts and video discussions. Perhaps this Metro Mail patch is different -- it is, after all, the first -- but the lack of detail seems ominous.

Microsoft is treading a very fine line here. On the desktop side, legions of beleaguered network admins labor feverishly with every wave of Windows Update patches, testing, begging, and praying that nothing will break when each patch goes out. Their (quite legitimate) concerns and bloodied noses have led to the very structured way that Microsoft now releases patches for the old-fashioned desktop.

So far, I don't know of any network admins who are fretting over Metro security patches, but that's bound to change. It remains to be seen how Microsoft will accommodate their problems -- and how many botched patches it will take to bring back some of the old precautions.

This story, "Microsoft's new security patching routine raises concerns," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2013 IDG Communications, Inc.

How to choose a low-code development platform