A respected Windows patching admin, Susan Bradley, who manages Windows PCs and servers in business has a major gripe with Microsoft’s recent uptick in patches with “known issues”, otherwise known as patches that cause problems for PCs when they’re installed.
Bradley this week posted an open letter to Microsoft CEO Satya Nadella, Microsoft corporate VP of Windows Servicing and Delivery, and the company’s head of Azure, Scott Guthrie, highlighting a spate of recent Windows patches with known issues.
Her open letter was published on IDG Network's US "Woody on Windows" column, and takes the execs to task for forcing people like her to choose to installing patches that can break production machines or leave them un-patched and vulnerable to publicly aired flaws.
That's a serious consideration for admins who know that a disclosed vulnerability is more likely to be exploited with every day that passes. Microsoft acknowledges this on its blog.
She posted the letter three years after Microsoft switched to its Windows-as-a-service model where it releases new versions of Windows 10 multiple times a year. Clearly she’s not satisfied with how Microsoft is handling the transition.
“I am writing to you to ensure that you are aware of the dissatisfaction your customers have with the updates released for Windows desktops and servers in recent months,” wrote Bradley.
She emphasizes the 47 known issues in Microsoft's July Patch Tuesday, which pushed a Microsoft problem on people like her and presumably millions of others who are responsible for protecting businesses from attackers.
“Install updates and face issues with applications, or don't install updates and leave machines subject to attack,” she noted.
July 2018’s Patch Tuesday contained 47 bulletins with known issues, some of them critical, but mostly “important” rated bugs that responsible admins would be concerned about not acting upon. Among the buggy patches include a .NET remote code injection flaw, and the CPU Lazy State bug.
Members of the patchmanagement.org site she moderates have noticed Microsoft’s have aired complaints about the frequency of its features updates buggy patches.
Since Microsoft’s Windows 10 shift in 2015, beginning with Windows 10 version 1507, it’s released two feature updates per year. That’s not so different to Linux-based Ubuntu’s 6 monthly release schedule, but is a deviation from Apple’s and Google’s annual mobile releases, and a major departure from Microsoft’s history of up to three years between new Windows releases.
The survey asked admins about their attitudes to Microsoft’s Windows 10 patches. Respondents commented that the Windows Insider program isn’t helping iron out issues before their public release.
The overall responses, she says, “showcases that your customers who are in charge of patching and maintaining systems are not happy with the quality of updates and the cadence of feature releases, and feel that it cannot go on as is.”
Read more: How Microsoft helped neuter ‘double zero-day exploit’ before anyone was infected
The Windows 10 April 2018 Update was Microsoft’s fastest Windows 10 rollout ever, reaching 250 million PCs in two months. Microsoft defended its rollout as responsible.
Bradley said Windows 10 consumer users shared the same complaints as patching admins over Windows 10 feature upgrades.
“The majority thought that the feature updates occurred too many times during the year, and the[y] said that they were overall not happy with the quality of updates from Microsoft," she wrote.
Microsoft's faster Windows 10 service model could be be creating a future security problem for users too, given last year’s massive malware NotPetya and WannaCry outbreaks, which affected mostly Windows 7 machines according to Microsoft and Kaspersky. There were also the leaked NSA-developed exploits that helped them spread across corporate networks at breakneck speeds.
While Microsoft has used these malware outbreaks to argue enterprise organizations should upgrade to Widows 10, Bradley said some admins are “disabling Windows Update as a drastic measure to ensure that updates do not reboot systems when they are not wanted.”
Microsoft is responding to unexpected reboots with a new AI-based predictive modeling is rolling out eventually.
“We want Microsoft software to be such that we can indeed install all updates and patches immediately without reservation. As it stands right now, we do not trust the software and the patching quality enough to do so,” she wote.
CSO Online has asked Microsoft for a response and will update the story if it receives one.
Read more: WannaCry-proof Windows 10 grows in business, but remote workers with iPhones drive macOS