WHAT IS CHANGING?
On August 15th, 2016, Microsoft announced changes to how it will offer updates for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. Starting in October 2016, Microsoft will offer a single Monthly Rollup on the second Tuesday of each month that addresses all security and non-security issues released for each operating system. This Monthly Rollup only addresses core operating system components and does not cover other Microsoft software. This is the same update model that Microsoft currently uses for Windows 10. For customers that normally only install security updates, Microsoft will release a security-only rollup update on the same day.
At first, these Monthly Rollup updates will only contain fixes for the operating system released since October 2016, but over time Microsoft plans to add older updates to this rollup. Eventually, this will become a fully cumulative update, meaning that a completely unpatched system could apply a single rollup update (plus any prerequisites that rollup requires) and be fully up to date with everything the Monthly Rollup covers. In addition to these two rollups, per a comment from Nathan Mercer from Microsoft (in the discussion section of the article referenced above), there are plans to release an update rollup containing only new non-security fixes on the third Tuesday of each month.
In addition to the Monthly Rollup for the operating system itself, Microsoft plans to use the same model for .NET Framework updates. The .NET Framework Monthly Rollup will be offered as a full rollup with both security and non-security fixes, as well as a security-only version. This rollup will only install updates for the version of the .NET Framework installed on a system. It will not upgrade a system to higher versions of the .NET Framework.
Regardless of which type of rollup update is chosen, Microsoft no longer plans to offer individual security or non-security updates for Windows itself or the .NET Framework. This is further confirmed in another blog entry posted on August 30th. In this new blog entry, they address the question: “With the new Windows as a Service: Service Model, can we back out a single patch (KB) if it causes issues since they are all rolled up?” To summarize Microsoft’s answer, you can’t control which KBs are applied, so you will need to back out the entire rollup. They justify this decision by stating that the rollups are designed to correct the fragmentation caused when users selectively install updates. They also state that this new rollup model makes it easier to migrate to new versions of Windows without wiping and reloading an entire system.
Other Microsoft-provided updates, such as Adobe Flash Player updates for newer versions of Windows and Microsoft Office updates, will still be delivered as individual updates and will not be included in the rollup. Another critical update type that will not be included in the rollups is Servicing Stack updates. These are updates to the way the operating system detects and installs updates. When a new Servicing Stack update comes out, it will likely be required before any future updates can be installed.
HOW DID UPDATES WORK BEFORE?
For Windows 7 and Windows 8.1, as well as their corresponding Windows Server variants, Microsoft released multiple security bulletins each month on the second Tuesday of the month (commonly known as “Patch Tuesday”). Each security bulletin addressed a single vulnerability (or multiple related vulnerabilities) in a Microsoft product and referenced one or more patches for each affected product. In order to fully patch a system, users needed to install each of the applicable updates released in a given month. If necessary, users could choose not to install one or more updates. According to Microsoft, this ability to pick and choose leads to multiple potential problems. Some examples they give are increased scan times, increased testing complexity, and various combinations of updates causing other errors, lowering update quality.
HOW WILL IT AFFECT CRITICAL INFRASTRUCTURE?
Moving to a rollup model does have some major benefits for those in critical infrastructure. A reduced number of updates each month greatly reduces the patch management burden, especially considering the June 2016 round of updates included 17 different security bulletins. This reduced update count also means less compliance documentation to deal with each month.
However, the loss of granular update selection means that when a critical application breaks due to a Windows rollup update, end users are left with difficult decisions. For example, what is the best way to get back up and running? Ideally, the offending update can be uninstalled. This would leave systems vulnerable, but operations would return to normal. In some cases, there have been Windows updates that could not be uninstalled. One recent example is MS16-088: certain updates within this security bulletin cannot be removed. The updates that can’t be removed here mainly deal with online Office products such as SharePoint and Microsoft Office Web Apps. However, MS14-024 was a security update released for Microsoft Office as a whole that cannot be uninstalled. While no recent examples of OS updates that could not be uninstalled could be found, if any future rollup updates behave that way, it would be necessary to restore from a backup after applying an incompatible update.
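As an added illustration (not code from this paper or from Microsoft), the PowerShell below shows what “backing out the entire rollup” looks like on one of the affected operating systems: inventory the installed updates, remove the rollup as a single unit with wusa.exe, and verify the result. The KB number is a placeholder; the real rollup KB for a given month comes from the Microsoft Update Catalog.

```powershell
# Added example, not from the original paper. Run in an elevated PowerShell
# session on Windows 7 SP1 / 8.1 / Server 2008 R2 / 2012 / 2012 R2.
# The KB number is a placeholder: substitute the rollup you are reverting.
$RollupKb = '0000000'

# 1. Inventory: newest updates first, so the current month's rollup is easy to spot.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn -First 10 |
    Format-Table -AutoSize

# 2. Confirm the rollup is actually present before attempting removal.
$installed = Get-HotFix | Where-Object { $_.HotFixID -eq "KB$RollupKb" }
if (-not $installed) {
    Write-Warning "KB$RollupKb is not installed on $env:COMPUTERNAME; nothing to remove."
    return
}

# 3. Remove the whole rollup. There is no per-fix removal: every fix inside the
#    rollup comes out together, so the affected application must be re-tested
#    afterwards. /norestart lets the reboot be scheduled in a maintenance window.
$proc = Start-Process -FilePath wusa.exe `
    -ArgumentList "/uninstall /kb:$RollupKb /quiet /norestart" `
    -Wait -PassThru
Write-Output "wusa.exe exit code: $($proc.ExitCode) (3010 means a reboot is still required)"

# 4. Verify removal and leave a line for the compliance trail.
$stillThere = Get-HotFix | Where-Object { $_.HotFixID -eq "KB$RollupKb" }
if ($stillThere) {
    Write-Warning "KB$RollupKb is still listed; if the update cannot be uninstalled, a restore from backup may be the only option."
} else {
    Write-Output "KB$RollupKb removed from $env:COMPUTERNAME at $(Get-Date -Format s); reboot pending."
}
```

Removing the rollup also removes every security fix it contained, so the host should be tracked as unpatched until a compatible rollup or application update is available.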
In a situation where a rollup update is incompatible with a critical application, there are two options available: wait for Microsoft to release a new update that does not break the application, or wait for the application’s vendor to release an update that is compatible with the Microsoft rollup update. Microsoft has stated in their more recent blog entry on August 30th that “if there is a problem the partner will need to open up a case and provide business justification to drive the discussion with Microsoft.” Expecting a large entity like Microsoft to re-release an update to address issues that affect a very small number of applications, no matter how critical they are, is unlikely (though not impossible). In an industry where hardware and software are designed to run for decades, waiting for a vendor to update an application is not feasible in many cases. Until either the Microsoft rollup update no longer breaks the application, or the application is changed so that it won’t break, systems in critical infrastructure and other industries may have to remain unpatched for quite some time.
In situations where updates can’t be applied without breaking a critical application, Microsoft does provide documentation on mitigating factors and workarounds for some of their published security vulnerabilities. If this documentation exists for a given update, it can be found in the Microsoft Security Bulletin for that update. For updates with no mitigation documentation, other mitigation technologies would need to be utilized in order to protect systems where the underlying vulnerability can’t be patched without breaking other critical functionality.
While this new update model is great for many large enterprises with huge numbers of endpoints to manage, it fails to address the reason why businesses selectively installed updates in the first place: updates sometimes break critical applications. Unless Microsoft brings back some way of installing individual security updates, many systems may have to remain vulnerable until system owners can convince Microsoft to provide a workaround, or until vendors are forced to update applications across the entire deployed fleet. In some situations, a vendor for a critical application may no longer exist or is unwilling to change. In that case, entities may need to find a new vendor in order to remain secure against all of the latest vulnerabilities in Windows. Changing vendors in critical infrastructure is not to be taken lightly, as it often requires long, expensive upgrades that introduce unwanted downtime. In the meantime, systems in critical infrastructure that were staying up to date may start to fall behind and become vulnerable, with little recourse available.
FoxGuard Solutions will continue to watch for new developments regarding Microsoft’s servicing changes. Additionally, FoxGuard is working with other industry experts to analyze these changes and work with Microsoft on ways to mitigate risks for energy delivery industrial control systems. Expect more communications from us as new information is made available.
www.blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/
www.blogs.msdn.microsoft.com/dotnet/2016/08/15/introducing-the-net-framework-monthly-rollup/
www.blogs.technet.microsoft.com/askpfeplat/2016/08/30/a-bit-about-the-windows-servicing-model/