You’ve heard patching your systems is important, but what does that really mean? In the following, Innovative RMM Administrator Tallon DeHart explains Microsoft’s patching schedule and why your firm needs to regularly apply manufacturer updates. 


Starting in October 2016, Microsoft stopped releasing individual patches and began implementing the following monthly release cycle for server and workstation operating systems:


  • Security-Only Update
    • A single patch that includes all security patches for the month.
  • Monthly Rollup
    • Includes the security updates mentioned above.
    • Includes every update, rollup, patch and security update for the month.
    • Includes previously shipped patches, making the monthly rollup cumulative in nature.
  • .NET Framework Security-Only Update
    • Includes security updates only.
  • .NET Framework Rollup
    • Includes the .NET security updates mentioned above.
    • Includes reliability updates.
  • Service Packs
    • A tested, cumulative set of all hotfixes, security updates, critical updates, and other updates.
    • May contain additional fixes for problems found internally since the release of the product.
    • May also contain a limited number of customer-requested design changes or features.
  • Feature Updates (Windows 10)
    • Released twice per year. These are complete OS upgrades that add features and capabilities while removing outdated ones.

This servicing model change eliminated the ability for IT departments to roll back individual patches. Instead, rolling back to the previous month’s patch baseline is the supported method.

A security-only rollup gets released on the second Tuesday of each month (“Patch Tuesday”).

A monthly “quality” rollup that fixes both non-security software flaws and security flaws is released on the same Patch Tuesday schedule.

Lastly, there’s a monthly rollup preview containing quality and security fixes designed for testing by IT pros, which gets released on the third Tuesday of the month.

The same patch hierarchy also applies to Microsoft Exchange and SQL Server, which receive their own patches in addition to the OS patches identified above:

  • Security-Only Update
    • This is a single patch that includes all security patches for the month.
  • Monthly Rollup
    • Includes the security updates mentioned above.
    • Includes every update, rollup, patch and security update for the month.
    • Includes previously shipped patches, making the monthly rollup cumulative in nature.
  • Cumulative Updates (CU)
    • Include the security updates mentioned above.
    • Include every update, rollup, patch and security update for the month.
    • Include previously shipped patches, making the CU cumulative in nature.
    • Upgrade the affected software (Exchange or SQL Server) to the newest released version identified by the CU.

All of Microsoft’s current patching policies, regardless of type (application or OS), now treat everything as SaaS (Software as a Service). Essentially, even operating systems are now only supported for a short and finite amount of time before they are marked as End of Life and no longer receive support or patches. Feature Updates are released twice per year for Windows 10, once in spring and again in fall. Windows 10 Enterprise versions receive 30 months of support and patching if they are on a fall release, while all other versions receive only 18 months of support and patching. Windows 10 Home users receive feature updates as they become available; the ability to defer feature updates is restricted to Pro and Enterprise users only.
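The following Python script is an added illustration, not part of the original post, that encodes the release rules stated above so a patch-management team can generate the month's Patch Tuesday and preview dates, estimate when a Windows 10 build leaves servicing, and count how many Patch Tuesdays a host has missed since its last baseline. It assumes "spring" means a release month of January to June and "fall" means July to December, that the servicing window is counted from the release date, and every date it is run against is a constructed sample value.

```python
"""Patch Tuesday schedule and Windows 10 servicing-window helpers.

Added example; the rules come from the article text:
  * Security-only update and monthly quality rollup: second Tuesday of the month.
  * Monthly rollup preview: third Tuesday of the month.
  * Windows 10 feature updates ship in spring and fall; Enterprise on a fall
    release gets 30 months of servicing, everything else gets 18 months.
Assumptions (not from the article): spring = months 1-6, fall = months 7-12,
and the servicing window counts from the release date.
"""
import calendar
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """Return the n-th occurrence (1-based) of `weekday` in the given month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday: security-only update and monthly quality rollup."""
    return nth_weekday(year, month, TUESDAY, 2)


def rollup_preview(year: int, month: int) -> date:
    """Third Tuesday: preview rollup intended for testing by IT staff."""
    return nth_weekday(year, month, TUESDAY, 3)


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def servicing_months(edition: str, release_month: int) -> int:
    """30 months for Enterprise on a fall (assumed: July-December) release, else 18."""
    is_fall = release_month >= 7  # assumption about what "fall release" means
    if edition.lower() == "enterprise" and is_fall:
        return 30
    return 18


def end_of_servicing(edition: str, release: date) -> date:
    """Date after which the build no longer receives patches under the stated rule."""
    return add_months(release, servicing_months(edition, release.month))


def missed_patch_tuesdays(last_patched: date, today: date) -> int:
    """Count Patch Tuesdays that fell after the last applied baseline and on or before today.

    A host with a count of 1 or more is behind the current monthly baseline.
    """
    count = 0
    year, month = last_patched.year, last_patched.month
    while (year, month) <= (today.year, today.month):
        release = patch_tuesday(year, month)
        if last_patched < release <= today:
            count += 1
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return count


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    print("Patch Tuesday, May 2017:", patch_tuesday(2017, 5))
    print("Preview rollup, May 2017:", rollup_preview(2017, 5))
    print("Enterprise fall build released 2018-10-02 serviced until",
          end_of_servicing("Enterprise", date(2018, 10, 2)))
    print("Pro spring build released 2019-05-21 serviced until",
          end_of_servicing("Pro", date(2019, 5, 21)))
    print("Host baselined 2017-02-14, checked 2017-05-12, missed:",
          missed_patch_tuesdays(date(2017, 2, 14), date(2017, 5, 12)))
```

The `missed_patch_tuesdays` check is the one worth wiring into inventory reporting: a host whose last applied baseline predates the current month's Patch Tuesday is exactly the kind of machine the WannaCry discussion below is about, and the count tells you how many cumulative rollups it has to absorb to catch up.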

Installing updates is critical to protecting systems from malicious attacks. Software updates matter not only for access to new features but also because security holes are continually discovered in outdated programs. The largest ransomware attack in history shows how critical patch management is to the survival of a business:

The WannaCrypt (WannaCry) ransomware attack was the perfect storm for individuals and businesses with poor patch management policies. Microsoft had released a patch one month before WannaCry ransacked 200,000 computers across 150 countries in May 2017, causing damages estimated at hundreds of millions to billions of dollars.

The cryptoware exploited a known vulnerability dubbed EternalBlue, allegedly developed by the U.S. National Security Agency. Unpatched computers were targeted again through the same vulnerability by the 2017 NotPetya attacks. Now, two years after the largest ransomware outbreak in history, attack attempts involving EternalBlue continue to increase, reaching historic peaks according to ESET.


[Infographic: Patch Vulnerabilities by the Numbers (statistics)]

Need help securing your firm? Contact an Innovative Account Executive at 1-800-541-0450 or [email protected].