For those of us accustomed to Windows Automatic Update kicking in on Black Tuesdays, Microsoft's new method for applying security patches to Metro apps seems a bit awkward. Microsoft conveniently provided a real, live Metro (or should I say Windows Store?) security patch to look at yesterday, and there are a few changes in the patching routine that send a shiver down my spine.
Earlier this month, the Microsoft Trustworthy Computing team gave us an overview of how the Metro security patching routine should work, and a concomitant policy statement fleshes out a few more details. Here's how it actually works in practice:
There's no advance warning a patch is coming. Metro app security patches can appear at any time on any day. That's a very significant departure from the Windows Update cycle we've known for many years. With Windows Update, on the Thursday prior to a Black Tuesday, Microsoft releases an eagerly anticipated Security Bulletin Advance Notification with a list of coming security bulletins. On Black Tuesday itself, in addition to individual security bulletins, Microsoft releases a summary with details of each bulletin and a risk assessment for each patch