Patch Lady – 31 days of paranoia – day 10
Patch Lady here – I wasn’t going to do a post on Patching with a paranoid theme in mind until later in the month but several articles and the fact that this week is the 15 year anniversary of when we moved to a second Tuesday of the month routine prompted me to write this now.
Today two more tech journalists have joined me, Woody and others in tilting at the windmill, better known as Microsoft.
Ed Bott and Mary Jo Foley added to the choir of voices asking Microsoft to slow down and focus on quality, not quantity. I remember a time years ago when patches came out at any time, any hour, and I had to review whether I was at risk of attack and consider installing updates during lunchtime and rebooting our office server to ensure that I was protected. Now we are at a point in time where no prudent person alive would install updates on the day they come out. Even worse, most prudent folks are waiting at least a week or longer. That’s making me very paranoid that we are going to have a very bad security issue arise because we aren’t patching.
Make no mistake, I still strongly believe that there are good people who work inside of Microsoft who care about consumers, who care about patch quality, who care about feature release quality. But if I let my paranoia take over and look at the focus on Azure, I know that once everything is packaged in a format that will run in a browser, the desktop becomes irrelevant.
In patching there is a point in time where the risk of installing the patch and the resulting side effects is less than the risk of the attack that the patch is protecting you from. It’s that point in the middle where the scale tips away from patch pain to risk of attack that is the perfect point of installing updates. Microsoft tries to be the system administrator for all home users and any small (or even medium) business that is looking to Microsoft update for their updates. Right now I’m paranoid enough to say publicly that they are failing badly.
I don’t even have to wrap my head in aluminum foil to know that the worst thing that can happen to a computer user is to reboot their computer after an update and have it not boot. Yet that’s what happened to some in January of this year. I don’t have to add to my paranoia about the lack of backups to be concerned when users lose data during a process that should bring them excitement about their computing experience. Once upon a time I knew people who camped out overnight at Best Buy to get the latest version of Windows. Now we have people losing data when they get a feature release. The fact that the number of people impacted was not a material amount was just luck. The second of the two data loss bugs (the one they fixed in KB4464330) had the potential to hit a lot of enterprises if they hadn’t found that bug.
My biggest paranoia about patching today is that all of this paranoia about patching is no longer irrational paranoia over immaterial corner cases that the vast majority of people would never hit. My biggest paranoia is that more and more people will stop updating because of the reality that we are seeing.
I’m also paranoid that folks in the Insider program will overstate the severity of their bugs to the point that adding a severity rating to every bug will make no difference, and once again we will have bugs that hurt get lost in the firehose of feedback and upvoting.
Microsoft needs to take a decisive action, like moving the feature release cadence to once a year, to show that they too want to stop the paranoia over patching and make us feel comfortable again.
I remember when we had horrible patch quality. I remember when we had patches released without a solid release schedule. I remember when patches were pulled back and had to be redone. And I feel paranoid that we are back to where we started 15 years ago.