Patch Tuesday Sunset Will Be a Mixed Bag for Windows Security

Microsoft will phase out Patch Tuesday -- its monthly potpourri of software product fixes -- when it rolls out Windows 10, which could be a mixed bag for the operating system's security. Patches will be applied automatically as they're ready. That means users no longer will have to wait until the second Tuesday in the month to secure their systems from potentially troublesome vulnerabilities.

Microsoft will phase out Patch Tuesday — its monthly potpourri of software product fixes — when it rolls out Windows 10, which could be a mixed bag for the operating system’s security.

Patches will be applied automatically as they’re ready. That means users no longer will have to wait until the second Tuesday in the month to secure their systems from potentially troublesome vulnerabilities. However, there are a number of caveats to that scenario.

First, the scheme applies only to Windows 10. Other versions of Windows, as well as most of the company’s other software products, will be updated in the traditional way — at least for awhile.

Second, enterprises will have the option to determine when patches are applied. Microsoft is making that easier to do with its Windows Update for Business, which allows system administrators to choose machines to be updated, and to set maintenance windows to determine when updates should take place.

Because fixes may not be applied to enterprise equipment as fast as they’re applied to consumer and small business machines, a gap could occur, which hackers might exploit.

Window of Opportunity

Depending on the size of the organization, automatic updates will be a benefit or problem, noted Ashley Leonard, CEO of Verismic.

“Small organizations are generally going to benefit from the end of Patch Tuesday, because patches are going to be released more frequently, which means bugs and security vulnerabilities are going to get fixed more frequently,” he told TechNewsWorld.

“For larger organizations, it creates a significant challenge,” Leonard continued. “The reason for that is that larger companies have a more mature patch process.”

When Microsoft releases software patches, large enterprises test those patches against the operating system images and applications they use, he explained. Then, after an appropriate period time, they’ll push the patches to the whole organization.

That could open a window of mischief for system intruders.

“When Microsoft releases a patch, the hacking community looks at what it’s fixing, and they’ll target organizations that have not applied those patches,” Leonard said.

Resistance Expected

However, even with Patch Tuesday, Net rogues have been opportunistic.

“One of the terms that came out of Patch Tuesday was ‘Exploit Wednesday,’ because everyone developed exploits the day after the patches came out,” noted Tyler Reguly, manager of security research and analysis at Tripwire.

“Now you’re going to have a case where the patch is available to consumers, and it could be a month later before it’s installed on critical enterprise devices,” he told TechNewsWorld.

What Microsoft is aiming to do is laudable, but it remains to be seen if it can change enterprise behavior, suggested Morey Haber, vice president of technology for BeyondTrust.

“What they’re trying to get to is a model where everyone can get the patch now, and you’re at fault if you don’t do it in a timely way,” he told TechNewsWorld.

However, companies likely will continue to patch on a monthly cycle, no matter what the risks are, Haber said.

“Most businesses will say ‘you can stream whatever you want for three weeks — we’re still going to test them every month and deploy them every month like we normally do,'” he opined.

“Microsoft is pushing the envelope,” added Haber. “They’re trying to increase the speed at which people are patching, because it’s the No. 1 effective way to mitigate attacks.”

As for Patch Tuesday, it will remain a mainstay for the immediate future.

“The bigger installed base for a couple of years to come will be operating systems that need a Patch Tuesday, but we can see its end on the horizon,” said Qualys CTO Wolfgang Kandek.

“As those systems disappear, we’ll all migrate to something that is auto updating that requires a minimum of maintenance,” he told TechNewsWorld.

“With the increasing number of devices available, that will be very important,” Kandek added. “It will be impossible to manage all those machines otherwise.”

Crime Pays

If you approached members of a corporate board and asked them to make an investment that would return their company more than a thousand percent, you’d probably get their attention, which is why cybercrime, which increasingly is becoming a business, has allure for shady online operators.

Criminals receive a return on investment from their exploit kit and ransomware products of 1,425 percent, Trustwave estimated in a report released last week.

For example, an investment of US$5,900 in a one-month ransomware campaign could earn an extortionist $90,000, the report notes.

“But for the issues with morality and possible jail time, [cybercrime is] a pretty good gig,” said Charles Henderson, vice president of managed security testing at Trustwave.

One of the factors contributing to high ROI is the expectation of high margins.

“The reason margins are so high is it isn’t that expensive to compromise a system,” Henderson told TechNewsWorld. “You can do it fairly inexpensively, and you can get a good payout. Those two things make it a really attractive business plan for criminals.”

For years, the security industry has tried to sell its wares based on their ROI with mixed results.

A new approach may be needed, Henderson suggested. “Maybe the answer isn’t trying to quantify the ROI of security, but show the ROI of criminal action that’s enabled by the lack of security.”

Breach Diary

  • June 1. Home Depot asks federal court to dismiss consumer lawsuit resulting from data breach in which 56 million customers’ credit and debit card numbers and 53 million email addresses were exposed. The company argues consumers suffered no actual or imminent economic harm from the breach.
  • June 1. Australian supermarket chain Woolworths cancels AU$13 million in gift cards that were emailed to its customers by hackers who breached the retailer’s computer systems.
  • June 1. Japan Pension Service reports its staff computers were accessed by an external email virus resulting in the exfiltration of personal data from some 1.25 million accounts.
  • June 1. Google introduces hub for managing user privacy settings, as well as a site where Frequently Asked Questions about privacy and security are answered.
  • June 2. Heartland Payment Systems reports personal information of some 2,200 individuals is at risk after four computers were stolen from its Santa Ana, California, payroll office. In 2008, Heartland suffered a breach exposing data of up to 100 million credit and debit cards issued by more than 650 financial services companies. The breach cost Heartland more than $32 million.
  • June 2. Check Point 2015 Security Report finds malware download rate increased in 2014 to 106 downloads per hour from 2.2 per hour in 2013. It also finds that 42 percent of businesses suffered mobile security incidents costing more than $250,000 to remediate.
  • June 3. Connecticut General Assembly approves and sends to governor amendments to state data breach law that requires that at least one year of identify-theft protection be provided for victims whose Social Security numbers have been compromised in a breach, and that the state Attorney General be notified within 90 days of the discovery of a breach.
  • June 3. Allot releases a cloud trends report finding that more than 20 percent of blocked malware files in 2Q15 were images, and 30 percent were JavaScript files.
  • June 4. Obama administration announces data breach at federal Office of Personal Management that compromised personal information of some 4 million current and former federal employees.
  • June 5. Chinese hackers who breached the federal Office of Personal Management, compromising personal information of some 4 million current and former federal workers, also were behind data breaches at healthcare providers Anthem and Premera, The New York Times reports.

Upcoming Security Events

  • June 13. B-Sides Charlotte. Sheraton Charlotte Airport, 3315 Scott Futrell Dr. Charlotte, North Carolina. Free.
  • June 16-17. Black Hat Mobile Security Summit. ExCel London, London, UK. Registration: before April 11, Pounds 400; before June 16, Pounds 500; after June 15, Pounds 600.
  • June 16-18. AFCEA Defensive Cyber Operations Symposium. Baltimore Convention Center,

  • Baltimore, Maryland. Registration: government-military, free; member, $575; nonmember, $695; small business, $445; other, $695.
  • June 17. SecureWorld Portland. DoubleTree by Hilton. 1000 NE Multnomah, Portland, Oregon. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • June 18. Bringing Incident Response and Data Breach Management Out of the Dark Ages. 2 p.m. ET. Webinar sponsored by ID Experts. Free.
  • June 19-20. Suits and Spooks NYC. Soho House, New York City. Registration: $595.
  • June 20. B-Sides Cleveland. B Side Liquor Lounge & The Grog Shop, 2785 Euclid Heights Blvd., Cleveland Heights, Ohio.
  • July 3. B-Sides Lisbon. Forum Picoas, 40 Avenida Fontes Pereira De Melo, Lisbon, Portugal. Free.
  • July 18. B-Sides Detroit. McGregor Memorial Conference Center, Wayne State University, Detroit. Free.
  • July 22-24. RSA Asia Pacific & Japan. Marina Bay Sands, Singapore. Registration: before June 21, SG$700; after June 20, SG$850.
  • July 25. B-Sides Cincinnati. Cincinnati Museum Center, 1301 Western Ave.,Cincinnati, Ohio. Free.
  • August 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, $1795; before July 25, $2,195; after July 24, $2,595.
  • August 4-5. B-Sides Las Vegas. Tuscany Hotel and Casino, 255 E. Flamingo Rd., Las Vegas, Nevada. Free.
  • August 6-9. Defcon 23. Paris Las Vegas, 3655 S. Las Vegas Blvd., Las Vegas, Nevada, and Bally’s, 3645 S. Las Vegas Blvd., Las Vegas, Nevada. $230, cash only at the door.
  • August 24-25. Gartner Security & Risk Management Summit. Hilton Hotel, 488 George St., Sydney, Australia. Registration: prior to June 27, AU$2,475; after June 26, AU$2,875; public sector, AU$2,375.
  • Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31: member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31: member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1: member, $1,095; nonmember, $1,350; government, $1,145; student, $400.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels