Patch Tuesday's revisionist history from Microsoft
Microsoft has published an almost laughably revisionist version of how Patch Tuesday started and changed over 20 years.
Called Reflecting on 20 years of Windows Patch Tuesday, it’s a highly selective and self-serving version of events, to put it mildly. Speaking of ‘reflecting’, you can insert your own ‘cracked’ or ‘warped’ mirror 🪞 reference 😁.
In 2002 Microsoft announced the ‘Trustworthy Computing Initiative’ in which staff were told to “shift their thinking toward securing features themselves across the breadth of our products”.
Twenty years later, Windows/Office customers still endure a monthly dump of fixes for security bugs both new and old. Two decades after the “paradigm shift”, paying customers are entitled to expect more from Microsoft than endless security patches.
Why did Patch Tuesday start?
We’re asked to believe that Microsoft “consolidated our security update process into a predictable cadence of monthly Patch Tuesday updates.” Predictability had little to do with the change; it was a damage limitation exercise.
(Microsoft loves using the word ‘cadence’, presumably because it sounds more impressive than ‘schedule’ or ‘frequency’).
‘Patch Tuesday’ really started because Microsoft wanted to stop the constant flow of bad news each time they released another bug fix … almost a weekly event in the ’90s and early ’00s.
Patch Tuesday is a PR strategy to reduce the level of media attention to Microsoft’s ongoing security lapses. Instead of a drip feed of bad news, all the patches and any contrary media attention were bundled into one lot each month.
For fans of The West Wing, Patch Tuesday is Microsoft’s monthly equivalent of Take out the Trash Day.
Never mind that this meant customers had to wait longer for any fixes to become available.
Known Issue Rollbacks
Known Issue Rollbacks (KIR) took far too long to implement. It took until 2021, 18 years AFTER the ‘Trustworthy Computing Initiative’, for Microsoft to finally admit they needed an exit strategy from their mistakes.
Why did it take so long? For years MS lived under the delusion that their patching system was faultless and any patch failures were quickly forgotten inside the Microsoft Reality Bubble™. Because of that delusion, their various patching systems never included any rollback or ‘stop’ feature in their design. Having a rollback option would mean publicly admitting that Microsoft could make mistakes – can’t have that.
Until KIR came along, some faulty patches continued to be released after the fault was known because Microsoft had no way to stop or reverse the trouble they’d caused.
Customers still have the dilemma of when to patch.
The revisionist history doesn’t mention the deep cost cutting at Microsoft, which severely cut the staff who monitored customer reports and telemetry to detect bugs early and who tested patches. Instead, the company relied on ‘AI’ and automated testing, which was a spectacular failure, not that Microsoft would ever admit it.
Secure Future Initiative
Microsoft’s November 2023 Secure Future Initiative is 2,700 words, plus a separate email to Microsoft’s staff, full of good intentions, corporate buzzwords and, frankly, platitudes.
The latest pronouncement would truly mean something if there were some acknowledgement of past mistakes and undertakings to learn from and fix those errors.
Like the Trustworthy Computing Initiative, the 2023 highfalutin wording means little unless it’s backed up with constructive action. Too often these pronouncements from ‘on high’ at Microsoft are more about appearances than practical benefits for paying customers.
If Microsoft can reduce the number of security fixes necessary and put more effort into the reliability of released patches, that will mean more than all the Initiatives they care to publish.
It’s simple – more action, fewer words.