Today Microsoft noted a change in the security update policy for several applications that it built and has deployed as part of its Windows 8 operating system. For its first-party apps that ship with Windows 8, Microsoft won’t update them in keeping with its normal, monthly pattern of security fixes.

Patch Tuesday, the second Tuesday of every month, is a ritual moment in which Microsoft releases a slew of updates across its product lines; Windows, Windows Server, Office, and other applications are given patches in a single push, helping IT bosses handle the update process with some order.

Most folks simply have Windows Update turned on, allowing for patches to flow without delay.

However, with Windows 8, Microsoft delivers a number of applications through its new Windows Store. Given that, how should it manage their security updates? The company has decided to follow what I call the pedestrian path, by simply releasing updates as they are ready, just as any third-party developer might.

Your Mail app, therefore, might pick up a security fix on a Thursday. Progressive. Here’s Microsoft today on the decision:

App security updates can be delivered on days other than the second Tuesday of the month.

App security updates will be documented in a standing security advisory that:

  • Provides additional information and notifies customers that an update is available for them to install.
  • Is accompanied by a unique Microsoft Knowledge Base (KB) article number for reference to details about the changes.

There is one exception: if a security bug in an app also affects software that would normally be fixed on Patch Tuesday, the updates for both will go out at the same time. This limits the ability of hackers to note a fix in one piece of code and exploit the same weakness in other software.

Microsoft’s decision to update these apps in a dynamic fashion is a sea shift from its old policies. It’s also the right choice.

Top Image Credit: Amit Chattopadhyay