Amidst all the fuss surrounding Windows XP going end-of-life for most users on the 8th of April, Microsoft has quietly buried the news that, if users of Windows 8.1 fail to update their operating system from May of this year onwards, other security updates will not be applied.
This apparently draconian move is designed to stop Win 8.1 users getting `left behind' but is already causing a stir in developer circles, since it effectively makes the update process mandatory if companies and end users want their computers to remain secure.
In its TechNet security advisory of last Saturday, Microsoft says:
"Since Microsoft wants to ensure that customers benefit from the best support and servicing experience and to coordinate and simplify servicing across both Windows Server 2012 R2, Windows 8.1 RT and Windows 8.1, this update will be considered a new servicing/support baseline. What this means is those users who have elected to install updates manually will have 30 days to install Windows 8.1 Update on Windows 8.1 devices; after this 30-day window - and beginning with the May Patch Tuesday, Windows 8.1 user's devices without the update installed will no longer receive security updates."
"This means that Windows 8.1 users - starting patch Tuesday in May 2014 and beyond - will require this update to be installed. If the Windows 8.1 Update is not installed, those newer updates will be considered not applicable,” it adds.
Graham Cluley, an independent security analyst, told SCMagazineUK.com that he is not particularly surprised to see Microsoft moving towards mandatory security updates.
The software giant, he explained, does not want a repeat of Windows XP and to find itself having to support ageing decades-old operating systems in the future.
"Unless you have turned off automatic updates in your settings, Windows 8.1 Update will probably already have downloaded and installed itself onto your devices. But if you don't like the changes Microsoft is making in Windows 8.1 Update - which could well be the case for some users resistant to change - there is no option to skip the update and still receive the most basic security patches," he said.
This means, says Cluley, that Microsoft has only given its users one month - until the next round of security patches in May - to update their Windows 8.1 devices.
"It's worth underlining that Windows 8 users will still receive security patches - as will users of Windows 7 and Vista - but Windows 8.1 users have to submit to Microsoft's pressure and install Windows 8.1 Update if they want to keep their systems secure," he explained.
The security analyst went on to say that, whether users like Microsoft's high-pressure tactics or not, they are swimming against the tide if they want to skip the Windows 8.1 Update.
"You cannot afford to miss out on receiving your Windows security updates, so you'll just have to adjust to the new world order – and hopefully find Microsoft's changes to the way Windows 8.1 works a positive step," he concluded.
Tim Keanini, CTO of Lancope, agreed with Cluley's observations, noting that, we - as an industry - have seen how the threat has stepped up its game and this is what it looks like when defenders do the same.
"It is a bold move but it is also leadership to get people to behave in a more secure manner," he said, adding that being able to stay current and run the latest software is critical these days and by not doing so, you put everyone at risk because we are all connected.
"No one likes this, everyone will complain, but it is the right thing to do. Stay current and apply updates, it's what you must do on every computing platform including your tablets and phones," he explained.
According to Laurie Mercer, senior consultant with Context Information Security, if organisations wish to apply Windows patches manually, they need to make sure their patch management strategies are capable of a 30-day turnaround on new software patches.
"If they do not update within 30 days, new security patches will not be applied to their Windows 8.1 installations - and organisations run the risk of being left defenceless against attackers,” he warned.