Software companies begin to pause updates
Editor's note: The prediction in this story that tech companies would slow or stop software updates while work was disrupted by the pandemic has proved false. For a longer explanation and more analysis of the challenges of patching software in the current environment, read Patch management in a work-at-home world.
Google just announced that it will be pausing any changes to its Chrome browser and Chrome OS as the COVID-19 crisis continues.
The company attributed the policy "to adjusted work schedules at this time," but there are plenty of other good reasons for the move. With so many users working in environments and on equipment they don't usually work on, the implications of a problematic update are more significant than they were in the past.
Such a policy makes sense for other software vendors as well, at least with respect to feature updates. Security updates, however—especially critical ones—probably need to proceed, at least partially, because it's dangerous to leave vulnerabilities unpatched.
We checked with many other vendors and found no similar announcements, but it is reasonable to expect others will adopt similar policies.
Just recently, on March 13, Microsoft released an update for a highly critical vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol, the existence of which had leaked out through other vendors. This update is an excellent example of one that could not be delayed.
Other major vendors also released updates recently, including Adobe, which updated Adobe Genuine Integrity Service, Adobe Acrobat and Reader, Adobe Photoshop, Adobe Experience Manager, Adobe ColdFusion, and Adobe Bridge.
Adobe also announced that it would provide, at no additional cost, at-home access to Creative Cloud until May 31, 2020, for schools and universities that currently have only lab access for students and educators.
VMware released two security updates, one to VMware Horizon Client, VMRC, VMware Workstation, and VMware Fusion and the other to VMware Workstation, VMware Fusion, VMware Remote Console, and VMware Horizon Client.
In addition to software updates, it would be reasonable for network operators, particularly large ones running critical infrastructure—such as major clouds, ISPs, and telcos—to pause any nonessential changes to their networks. It is established practice at some such large operators to pause changes to the network during specified times of the year, particularly around major holidays.
Much of the logic for these policies applies today, but there is a big difference: A pause for a few days around Christmas is one thing, but the current coronavirus-related crisis is open-ended. Network operators probably need to reexamine their procedures in light of the current remote work situation, and in the meantime, a pause would not be surprising.
Pausing updates during the COVID-19 crisis: Lessons for leaders
- Consider pausing any changes to your IT infrastructure while the coronavirus has people working at home.
- Absent a compelling need, such as a critical security patch, put off all updates to your software.
- Closely follow security feeds and other technical guidance from the vendors and operators you depend on.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.