A look at Microsoft’s patches and fixes in 2021 — the year of change


As we near the end of another year, I like to look back at the past 12 months in patching from Microsoft. What changed (a lot), what didn’t (patch-related problems). We began 2021 thinking Windows 10 would continue to be serviced and updated as usual, for instance. We end the year knowing different. (I’ll have some predictions for 2022 next week.)

We now know that Windows 10 will not receive updates indefinitely. Earlier this year, Microsoft unveiled Windows 11 and announced it would need certain hardware and a Trusted Platform Module installed before machines would receive the new OS. Given that most users only have hardware that will support Windows 10, many will be running the older OS until 2025. Microsoft already announced it will be providing security updates for Windows 10 until then and will move to an annual feature release model — matching the cadence for Windows 11. (My prediction for 2025: Microsoft will offer extended security patches for even consumer versions of Windows 10 because so many of us will have still-usable machines unable to update to Windows 11. Come back in 2025 and we’ll see if I’m right.)

We started 2021 worrying about whether major companies were getting attacked with a back door vulnerability that entered systems through monitoring software called SolarWinds Orion. A security company called FireEye found unusual behavior in its systems and traced it back to the third-party monitoring software, where the back door had been implanted in its updating software. This vulnerability was an eye-opener for businesses that rely on the security of their vendors.

January also saw Microsoft moving to disable Adobe Flash in Windows. I always felt that embedding Flash into the operating system was a bad decision. Adobe Flash had a bad security rep and embedding it meant mandatory Flash patching for Windows systems. A month later, in February, Microsoft announced it would phase out the old Edge browser in favor of the new Chromium-based version as of April 2021.

In March, Microsoft released an out-of-band update for Exchange email servers. Initially it said the attacks were specifically targeted against certain businesses. But a few days later, it was clear that even small businesses were hit by attackers using the vulnerability. Microsoft customers stressed that servicing Exchange email was difficult for several reasons. First, taking a mail server offline for maintenance has to be planned. Second, ensuring that mail flow is not affected means many mail admins were woefully behind on patching. Microsoft had to release patches for versions that were long out of support just to ensure that firms were protected. Even the Federal Bureau of Investigation got into the act and proactively patched the web shells of affected servers to ensure all customers were protected. This unusual act set a precedent we’ve yet to see repeated.

In April, as promised, Microsoft released the Chromium-based Edge on Windows 10. The company also changed 20H1 and 20H2 to integrate servicing stack updates (SSUs) into the cumulative update releases. Microsoft did so to make it easier for IT admins to always have the latest servicing stack update installed.

Copyright © 2021 IDG Communications, Inc.