Patch Tuesday occurs on the second Tuesday of each month in North America, on which Microsoft regularly releases security patches. Starting with Windows 98, Microsoft included a "Windows Update" system that would check for patches to Windows and its components, which Microsoft would release intermittently. With the release of Microsoft Update, this system also checks for updates to other Microsoft products, such as Office, Visual Studio and SQL Server.
Patch Tuesday begins at 18:00 or 17:00 GMT (10:00 PST (GMT-8) or 10:00 PDT (GMT-7)). Sometimes there is an extraordinary Patch Tuesday, 14 days after the regular Patch Tuesday. There are also updates which are published daily (e.g. definitions for Windows Defender and Microsoft Security Essentials) or irregularly.
Earlier versions of the Windows Update system suffered from two problems:
- less-experienced users often remained unaware of Windows Update and did not install it; Microsoft countered this issue with the "Automatic Update", which notified each user that an update was available for their system
- customers, such as corporate users, with many copies of Windows not only had to update every Windows deployment in the company but also to uninstall patches issued by Microsoft that broke existing functionality.
In order to reduce the costs related to the deployment of patches, Microsoft introduced "Patch Tuesday" in October 2003. This system accumulates security patches over a period of one month and then dispatches them all at once on the second Tuesday of the month, an event for which system administrators may prepare. The non-Microsoft term for the following day, "Exploit Wednesday", marks the time when working exploits may appear in the wild which take advantage of the newly announced vulnerabilities.
An obvious security implication is that security problems that have a solution are withheld from the public for a period of up to a month. This policy is adequate when the vulnerability is not widely known or is extremely obscure, but that is not always the case.
There have been cases where either vulnerability information or actual worms were released to the public a day or two before Patch Tuesday. This did not leave Microsoft enough time to incorporate a fix for said vulnerabilities, and thus, theoretically, left a one-month window for attackers to exploit the hole, before a patch is available to formally fix it. Microsoft issues critical patches as they become ready, however, so this is not generally a problem.
Many exploitation events are seen shortly after the release of a patch. By analyzing the patch, exploitation developers can more easily figure out how to exploit the underlying vulnerability, and attack systems that have not been patched. Therefore the term "Exploit Wednesday" was coined.
Starting to abuse an unpatched exploitation entry point on this day gives malicious code writers the longest period of time before a fix is supplied to users. Malware authors can sit on the vulnerability of a new exploitation entry point until after a given Patch Tuesday, knowing there will be an entire month before Microsoft releases any patch to fix it.
The case of Windows XP
Microsoft is warning users that after it discontinues support for Windows XP starting on April 8, 2014, users running Windows XP will risk 'zero day forever' because of reverse engineered security patches for newer Windows versions.
Adoption by other companies
SAP's "Security Patch Day", when the company advises users to install security updates, was chosen to coincide with Patch Tuesdays. Adobe Systems' update schedule for Flash Player also coincides with Patch Tuesday since November 2012.
Locally the Windows Update service uses the Background Intelligent Transfer Service (BITS) to only use spare bandwidth left by other applications to download the updates.
Microsoft's download servers do not honor the TCP slow-start congestion control strategy. As a result, other users of the Internet may be significantly slowed from machines actively retrieving updates. This can be particularly noticeable in environments where many machines individually retrieve updates over a shared, bandwidth-constrained link such as those found in many multi-PC homes and small to medium sized businesses. Bandwidth demands of patching large numbers of computers can be reduced significantly by deploying Windows Server Update Services to distribute the updates locally.
In August 2007, Skype experienced a two-day outage following Patch Tuesday; according to Skype this was caused by a previously unidentified software bug exposed by an abnormally high number of restarts. Application of patches released on Patch Tuesday by a large number of users at the same time was identified as the cause of the high number of restarts.
- Microsoft rarely refers to it as 'Patch Tuesday'; here's one reference. "Patch Tuesday: WM 6.1 SMTP fix released!". Microsoft - Outlook Mobile Team Blog. November 11, 2008. Retrieved November 9, 2011.
- It is widely referred to it this way by the industry. "Microsoft Patch Tuesday to target Windows, IE". CNet. October 10, 2011. Retrieved November 9, 2011.
- Showing Microsoft referring to the 'second Tuesday of every month' ".NET Framework 1.1 Servicing Releases on Windows Update for 64-bit Systems". Microsoft. March 28, 2006. Retrieved November 8, 2011.
- ComputerWorld: Microsoft slates hefty Patch Tuesday, to fix 34 flaws next week
- ItProPortal: Microsoft Ready To Patch 34 Security Vulnerabilities
- TechWorld: Microsoft to patch critical Windows Server vulnerability
- "Microsoft details new security plan - CNET News". News.cnet.com. Retrieved 2013-02-12.
- Kurtz, George (2010-01-14). "Operation “Aurora” Hit Google, Others". mcafee.com. Retrieved 2010-01-14.
- Leffall, Jabulani (2007-10-12). "Are Patches Leading to Exploits?". Redmond Magazine. Retrieved 2009-02-25.
- Rains, Tim (2013-08-15). "The Risk of Running Windows XP After Support Ends April 2014". Microsoft Security Blog. Retrieved 2013-08-27.
- "Microsoft Warns of Permanent Zero-Day Exploits for Windows XP". InfoSecurity. 2013-08-20. Retrieved 2013-08-27.
- von Etizen, Chris (2010-09-15). "SAP introduces a patch day". The H Security. Archived from the original on 11 August 2011. Retrieved 2013-01-07.
- McAllister, Neil (2012-11-08). "Adobe switches Flash fix schedule to Patch Tuesdays". The Register. Retrieved 2013-01-07.
- Strong, Ben (2010-11-25). "Google and Microsoft Cheat on Slow Start" (blog). benstrong.com.
- Layden, John (2007-08-20). "Patch Tuesday update triggered Skype outage". The Register. Retrieved 2007-08-28.
- Evers, Joris (2005-09-09). "Microsoft pulls 'critical' Windows update". CNET News.com. Archived from the original on 2013-01-02. Retrieved 2006-12-12.
- Microsoft: Bulletins and Advisories (Security Bulletin List and Search)
- Microsoft Support Website
- Bruce Schneier's blog - Example of report about vulnerability found in the wild with timing seemingly coordinated with "Patch Tuesday".
- HD Moore: Exploiting DLL Hijacking Flaws HD Moore's blog - Report on DLL Hijacking vulnerability and exploit that led to many patches on Patch Tuesday in August 2010
- Bruce Schneier's blog - Example of a quick patch response, not due to a security issue but for DRM-related reasons.