Windows Metro patch process – take care

March 28th, 2013 by Stephen Jones

■ There is no advance warning of when a patch is coming. Metro app security patches can appear at any time on any day. That's a very significant departure from the Windows Update cycle: on the Thursday prior to a Black Tuesday, Microsoft releases a Security Bulletin Advance Notification with a list of coming security bulletins. On Black Tuesday itself, in addition to the individual security bulletins, Microsoft releases a summary with details of each bulletin and a risk assessment for each patch.

For the Metro side, there is a cumulative running Knowledge Base article that's supposed to list all Metro security patches as they happen. That seems to be Security Advisory 2832006. If there was any advance warning for the patch, I didn't see it.
■ There’s no warning when you install the patch. The latest patch to Metro Mail didn’t look different from any other Windows Store update. Unless you had read that particular Security Advisory, or the KB 2819682 description of the Metro Mail patch prior to installing the Mail/People/Calendar update, there’s no way you would have known you were installing a security patch.
■ You can't roll back the patch – this is a disaster waiting to happen.
■ There are no version numbers and no revision history, so how do you know whether a copy of Metro Mail — the one you're running on your Windows 8 or Windows RT machine at this very moment — has this latest patch?
■ The details provided for the current Metro Mail patch are minimal. The vulnerability explanation in the KB 2819682 Security Advisory points to CVE-2013-1299, but there are no further details on the Mitre CVE website. Securelist describes the vulnerability in a couple of paragraphs, and there are other mentions on the Web, but nothing official. In the past, we were frequently inundated with detailed descriptions of the problems addressed by security bulletins and their mitigations, often including blog posts and video discussions. Perhaps this Metro Mail patch is different — it is, after all, the first — but the lack of detail also seems ominous.
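One way an administrator can at least answer the "has this machine got the patch?" question from the list above (an added example, not part of the original post): the Store UI shows no version numbers, but PowerShell's Get-AppxPackage reports each installed Store package with its version string, so you can snapshot that list and diff it against the previous snapshot to spot updates that arrived silently. The snapshot file path is an assumed, illustrative choice.

```powershell
# Added example: record installed Store (Appx) packages and their versions,
# then report anything that changed since the last run. Requires the Appx
# module that ships with Windows 8 / Windows RT PowerShell.
$SnapshotPath = "$env:USERPROFILE\appx-snapshot.csv"   # assumed location

# Current state: one row per installed package. Mail/Calendar/People ship as a
# single package, so one version string covers that combined update.
$current = Get-AppxPackage | Select-Object Name, Version, PackageFullName

if (Test-Path $SnapshotPath) {
    # Index the previous snapshot by package name (duplicate names, e.g. one
    # package per architecture, collapse to the last row seen).
    $prevByName = @{}
    foreach ($row in Import-Csv $SnapshotPath) { $prevByName[$row.Name] = $row.Version }

    $seen = @{}
    foreach ($pkg in $current) {
        $seen[$pkg.Name] = $true
        if (-not $prevByName.ContainsKey($pkg.Name)) {
            Write-Output ("NEW      {0} {1}" -f $pkg.Name, $pkg.Version)
        } elseif ($prevByName[$pkg.Name] -ne $pkg.Version) {
            # This is the case a silent Store security update produces.
            Write-Output ("UPDATED  {0} {1} -> {2}" -f $pkg.Name, $prevByName[$pkg.Name], $pkg.Version)
        }
    }
    foreach ($name in $prevByName.Keys) {
        if (-not $seen.ContainsKey($name)) {
            Write-Output ("REMOVED  {0} {1}" -f $name, $prevByName[$name])
        }
    }
} else {
    Write-Output "No previous snapshot found; recording a baseline."
}

# Overwrite the snapshot so the next run compares against today's state.
$current | Export-Csv -Path $SnapshotPath -NoTypeInformation
```

Run it once to take a baseline and again after each Store update; the UPDATED lines, kept with their dates, are the revision history the Store itself does not give you.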

So take care!
