COVID-19 , Governance & Risk Management , Patch Management

Microsoft to Pause Non-Essential Software Updates

Move Comes as COVID-19 Drives Surge of Work-From-Home Employees That IT Must Support
Microsoft to Pause Non-Essential Software Updates

Microsoft has announced that it will pause all non-essential Windows updates. The move comes as IT teams are continuing to respond to the ongoing fallout caused by the COVID-19 pandemic. The rapid rise of the disease has led to numerous organizations instructing the vast majority - if not all - of their workers to work from home, leading to a rapid rise in IT support requirements.

See Also: VMDR: All-in-One Vulnerability Management, Detection & Response

"We have been evaluating the public health situation, and we understand this is impacting our customers. In response to these challenges we are prioritizing our focus on security updates," Microsof writes in a blog post.

The company's Windows announcement follows Google Chrome saying it would temporarily pause all future releases, after which Microsoft announced that its Edge browser would be following suit. But Microsoft says it will still issue essential security updates for Edge.

Apple, meanwhile, issued security updates on Tuesday for macOS Catalina, Safari, iTunes for Windows and various versions of iOS, iPadOS and watchOS, among other products.

Can't Stop Patch Tuesday

Microsoft says its monthly "Patch Tuesday" (or B releases) will continue as normal. These releases, which occur on the second Tuesday of every month, batch together "the primary and most important of all the monthly update events and are the only regular releases that include new security fixes," Microsoft says.

Also unchanged: Microsoft's plan to issue out-of-band releases as and when required. Out-of-band means "any update that does not follow the standard release schedule" and "are reserved for situations where devices must be updated immediately either to fix security vulnerabilities or to solve a quality issues impacting many devices," the company says.

One likely upcoming out-of-band update will be a fix for two zero-day flaws in the Adobe Type Manager Library, which allows Windows users to render different types of PostScript Type 1 fonts on their devices. Microsoft this week warned that it's seen "limited, targeted attacks" exploiting the flaw, and it doesn't expect to have a fix prepared in time for the next Patch Tuesday, scheduled for April 13 (see: Microsoft Alert: Fresh Zero-Day Flaws Found in Windows).

Starting in May, Microsoft says will pause all C and D releases, which happen during, respectively, the third and fourth weeks of the month.

"These preview releases contain only non-security updates and are intended to provide visibility and testing of the planned non-security fixes targeted for the next month’s Update Tuesday release," Microsoft says. "These updates are then shipped as part of the following month’s “B” or 'Update Tuesday' release."

Browser Makers: Security and Stability Updates Only

Microsoft's Windows patching announcement follows the Google Chrome development team announcing on March 18 that "due to adjusted work schedules at this time, we are pausing upcoming Chrome and Chrome OS releases."

Instead, the development team says it will continue to focus on improving the security and stability of the current version, Chrome 80, as well as "to prioritize any updates related to security."

Two days later, Microsoft's Edge development team announced that it would follow suit. The current version of Edge - all version 80, in sync with Chrome - will not be updated for the time being, meaning that version 81 will remain in beta.

"In light of current global circumstances, the Microsoft Edge team is pausing updates to the stable channel for Microsoft Edge. This means that Microsoft Edge 81 will not be promoted to 'stable' until we resume these updates," Microsoft said. "We are making this change to be consistent with the Chromium project, which recently announced a similar pause due to adjusted schedules, and out of a desire to minimize additional impact to web developers and organizations that are similarly impacted."

Apple Issues Security Updates

Apple has issued no such notices for its Safari browser. On Tuesday, meanwhile, Apple released its latest slew of security updates. The most serious of these updates fixes a bug in WebKit - a type-confusion flaw designated CVE-2020-3897 that could be abused by hackers to execute arbitrary code. While it can be remotely exploited, doing so would require some degree of user interaction, Apple says, noting that it's tweaked memory handling with the update to remove the flaw.

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple Safari,” Dustin Childs, a manager with the Zero Day Initiative, tells Threatpost. “The specific flaw exists within the object transition cache. By performing actions in JavaScript, an attacker can trigger a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process.”

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.