Microsoft’s Patch Tuesday has been a reliable source of sysadmin stress and security blog-posts for the past 12 years now – but that’s seemingly all set to change with the release of Windows 10 in the next few months.
At the Ignite conference this week Microsoft announced that, for home users at least, they’ll be moving away from that strict schedule based approach to a delivery method that will be more familiar to users of Chrome or Office 365, with updates (both security and functionality) delivered silently in the background as and when they become available. This should be good news all around – simultaneously making it impossible for users to avoid security patching and narrowing the gap between vulnerability detection and protection.
On the enterprise side, there’s something called Windows Update for Business coming, with a few interesting aspects. There’s the concept of ‘Distribution Rings’ for one – allowing organisations to stage update waves in a more straightforward manner than was possible with the old WSUS approach. Support for-per device maintenance windows has also finally been added – allowing more granular control over which machines will reboot when. We’ve also seen mention of ‘Long Term Servicing Branches’ of Windows that will only get pushed security updates without the crud of feature packs and whatnot – though right now we’re a bit unclear whether this will actually apply to the desktop Windows or just the server side.
We’ll be taking a closer look at these changes to see what, if any, impact they’ll have on how we deliver our NetSure360° Vulnerability Intelligence service but we’d be surprised if many organisations will want to move away from their monthly patch/reporting cycles any time soon – albeit with the benefit that there might now be a slightly longer testing window available for some patches.
On an unrelated note – over in the world of networking there’s been a security bulletin from Cisco that’s worth a mention. If you’re using UCS Central to manage your datacentre then you’ll want to check out and patch ‘cisco-sa-20150506-ucsc’ – a rather nasty remote code execution vulnerability that sounds like it could allow an unauthenticated remote attacker to play Datacentre Manager for the day. Cisco – you really need to sort out your web apps – being horrible to use is one thing but being horribly insecure on top of that is pushing things.
As ever, if you want to talk to us about vulnerability management then please do get in touch on 0207 517 3900 or email [email protected]