Microsoft Announces Windows Autopatch, Cybersecurity Experts Weigh In

Following the news that Microsoft has announced Windows Autopatch, a feature intended to make Patch Tuesday ‘just another Tuesday’ for enterprises (computing.co.uk), IT security experts commented below.

Boris Cipot, Senior Sales Engineer, InfoSec Expert
April 12, 2022 10:38 am

Microsoft has made patching more prominent in recent years, even tracing ransomware and patching the OS against such attacks. Additionally, through Windows Defender, Microsoft has made proactive efforts to make Windows more secure for users by forcing them to apply security patches and use up-to-date software. This ensures that outdated software isn’t endangering their customers.

While there is the potential that this forced patching process could break other aspects of software and systems within customer environments, I believe there will be controls in place in the near-term to aid with such considerations.

I would also say that running a vulnerable system without applying available patches (as it may lead to production downtime) holds more danger potential than implementing a process whereby the system will receive automatic updates. There are however cases where this isn’t possible – such as critical infrastructure.

Microsoft is aiming to ensure the systems of their customers are up-to-date and not exploitable by cyber-attack, and it is a very good move. IT personnel will not have to worry about general patching processes as they’ll now be handled automatically by Microsoft.

Tyler Reguly, Manager of Security R&D, InfoSec Expert
April 12, 2022 10:36 am

Microsoft has provided automatic updates for a long time. In my view there isn’t much here, other than a progressive rollout, that really changes things. The idea is that patches are deployed across your enterprise in four different groups, starting with a test group and then moving to an increasing number of systems until, on the fourth round of deployment, you have a completed rollout. In their blog post, Microsoft calls out three features that will benefit customers – Halt, Rollback, Selectivity – and these are combined with reporting to provide peace of mind around the update process.

Halt and Rollback seem to go hand-in-hand with each other. They both enable stopping the patching process, either manually or by not meeting stability thresholds. Until we see more specifics around stability thresholds it is impossible to know how beneficial this will be. Will it include only OS stability? Will it recognize application interactions? A lot of questions remain regarding how the process will work. Rollback gives you the ability to uninstall updates if performance targets are not met. I wouldn’t necessarily call this a “feature”, as the ability to uninstall updates is standard practice; it would be worrying if this was not available.

I am, however, curious to see how the selectivity feature works. Before Microsoft turned to cumulative patches, administrators could install fixes for specific vulnerabilities because patches were individual downloads. The introduction of cumulative patches changed this. Cumulative patches meant that if one fix had application interactions, all future patches had to be avoided until the interaction was resolved. We have actually seen a few instances in which users of specific software had to stop patching until an issue was resolved. Granted, there are only minimal details available, but Microsoft just seems to be bringing back the old way of patching for a few specific versions of Windows. Microsoft brought in cumulative patching as a way of making the patching process easier; it’s interesting, and perhaps understandable, that they now seem to be backtracking on that decision.

Reporting is another issue. Is it just the application of patches that is reported? Patch Management tools that do just that are nothing new, and they all suffer from the same fatal flaw. Interestingly, Patch Management is why Vulnerability Management exists. It is often assumed that once a patch is applied, the job is done. However, a lot of patches, especially Microsoft patches, require additional configuration steps, often in the form of registry key settings. These settings are often missed by Patch Management tools. One of the most common conversations I have with customers is that we are reporting vulnerabilities due to lack of post-patch configuration. Sometimes these additional steps are made really clear, especially with the modern advisory format, and sometimes they are overlooked. Traditionally, however, Patch Management tools miss these steps. I’m interested to see whether Microsoft will address the post-patch registry keys or not. If they do, does that mean that they are also pushing out the registry key changes? What about registry keys with multiple values? How will they decide which value to set?

While there is the potential for this to be another tool in an admin’s toolbox, I don’t see this making the second Tuesday of every month “just another Tuesday” as Microsoft says in their blog post. Instead, I see a lot of questions, a lot of work, and a lot of research in the future for operations teams looking to consider deploying this. I also highly recommend a serious investment in a vulnerability management tool that understands post patching configuration if you do plan on adopting this solution.

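The gap Tyler Reguly describes, a patch being installed while its required post-patch configuration is absent, is the kind of check a patch audit should make. The following PowerShell is an added example, not code from the page or from any of the commenters; the KB number, registry path, value name and expected value are placeholders to be replaced with what the relevant Microsoft advisory specifies.

```powershell
# Added example: report a system as "patched" only when the update is installed
# AND the post-patch registry setting named by the advisory is present.
# All identifiers below are placeholders, not real advisory values.
$Checks = @(
    @{
        Kb       = 'KB0000000'                                    # placeholder KB id
        RegPath  = 'HKLM:\SOFTWARE\Placeholder\PostPatchSetting'  # placeholder key
        RegName  = 'PlaceholderValue'                             # placeholder value name
        Expected = 1                                              # value the advisory requires
    }
)

function Test-PostPatchConfiguration {
    param([hashtable]$Check)

    # Half one: is the update itself present on this machine?
    $installed = $null -ne (Get-HotFix -Id $Check.Kb -ErrorAction SilentlyContinue)

    # Half two: is the configuration the advisory asks for actually set?
    $actual = $null
    if (Test-Path -Path $Check.RegPath) {
        $item   = Get-ItemProperty -Path $Check.RegPath -Name $Check.RegName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Check.RegName) }
    }
    $configured = ($null -ne $actual) -and ($actual -eq $Check.Expected)

    [pscustomobject]@{
        Kb         = $Check.Kb
        Installed  = $installed
        Configured = $configured
        # Only both halves together count as patched; "Installed but not
        # Configured" is the state a patch-only report would miss.
        Patched    = $installed -and $configured
        Actual     = $actual
    }
}

$Checks | ForEach-Object { Test-PostPatchConfiguration -Check $_ } | Format-Table -AutoSize
```

Get-HotFix reads Win32_QuickFixEngineering, which does not list every kind of update, so treat the installed check as illustrative and use your inventory tool's data in a real audit.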
Chris Hauk, Consumer Privacy Champion, InfoSec Expert
April 12, 2022 10:35 am

This is good news, as it will help keep systems and software up to date, meaning security vulnerabilities can be plugged before they’re fully exploited by the bad actors of the world. At first I was a bit concerned that automatic updates could cause issues if the auto updates included system-affecting bugs. However, the “deployment rings” approach to auto updates will allow users to ensure all is well before rolling them out to production machines.

Tim Erlin, VP of Product Management and Strategy, InfoSec Expert
April 12, 2022 10:34 am

Keeping software up-to-date is one of the most effective preventative measures that an organization can take. Cyberattacks aren’t magic, and by patching systems quickly, organizations can reduce the available attack surface.

Microsoft has long supported automatic updates, but that basic capability never addressed the myriad of potential issues of patching at scale. Autopatch aims to implement a more robust process for delivering updates, including testing and staged rollouts. For organizations that were already using automatic updates, Autopatch should make their lives easier. And for organizations that didn’t apply updates automatically, Autopatch should make it possible for them to do so.
