
Patch Tuesday

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by CiaPan (talk | contribs) at 21:59, 9 November 2022 (top: minor grammar fix). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Patch Tuesday[1] (also known as Update Tuesday[1][2]) is an unofficial term for the day on which Microsoft, Adobe, Oracle and others regularly release software patches for their products.[3] The term is in wide use across the industry.[4][5][6] Microsoft formalized Patch Tuesday in October 2003.[1][7] Within Microsoft, Patch Tuesday is also known as the "B" release, to distinguish it from the "C" and "D" releases that occur in the third and fourth weeks of the month, respectively.[1]

Patch Tuesday occurs on the second Tuesday of each month[8] in North America. Critical security updates are occasionally released outside of the normal Patch Tuesday cycle; these are known as "Out-of-band" releases. As far as the integrated Windows Update (WU) function is concerned, Patch Tuesday begins at 10:00 a.m. PST.[9] Vulnerability information is immediately available in the Security Update Guide. The updates show up in Download Center before they are added to WU, and the KB articles are unlocked later.

Daily updates consist of malware database refreshes for Microsoft Defender and Microsoft Security Essentials; these updates are not part of the normal Patch Tuesday release cycle.

History

Starting with Windows 98, Microsoft included Windows Update, which, once installed and run, would check for patches to Windows and its components, which Microsoft released intermittently. With the release of Microsoft Update, this system also checks for updates to other Microsoft products, such as Microsoft Office, Visual Studio and SQL Server.

Earlier versions of Windows Update suffered from two problems:

  1. Less-experienced users often remained unaware of Windows Update and did not install it. Microsoft countered this issue in Windows ME with the Automatic Updates component, which displayed availability of updates, with the option of automatic installation.
  2. Customers with multiple copies of Windows, such as corporate users, not only had to update every Windows deployment in the company but also to uninstall patches issued by Microsoft that broke existing functionality.

Microsoft introduced "Patch Tuesday" in October 2003 to reduce the cost of distributing patches.[10] This system accumulates security patches over a month and dispatches them all on the second Tuesday of each month, an event for which system administrators can prepare. The following day, informally known as "Exploit Wednesday",[11] marks the time when exploits taking advantage of the newly announced vulnerabilities may appear in the wild against unpatched machines.
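The schedule described above (second Tuesday of the month, 10:00 a.m. PST release, Exploit Wednesday the day after) is simple calendar arithmetic that patch-management tooling has to get right. The following is an added example, not code from the article or from Microsoft; it assumes the fixed UTC-8 offset the article states for PST (the Pacific clock is UTC-7 during daylight time, so a production scheduler should use a proper time zone database) and takes dates as ISO strings so it can be driven from a ticket or cron job.

```python
"""Patch Tuesday / Exploit Wednesday date arithmetic (added example, not from the article)."""
from datetime import date, datetime, timedelta, timezone

TUESDAY = 1                                   # date.weekday(): Monday == 0, Tuesday == 1
PST = timezone(timedelta(hours=-8), "PST")    # the article states 10:00 a.m. PST; assumed fixed offset
RELEASE_HOUR_LOCAL = 10


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month."""
    first = date(year, month, 1)
    # Days from the 1st to the first Tuesday on or after it (0..6), then one more week.
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def exploit_wednesday(year: int, month: int) -> date:
    """The day after Patch Tuesday, when exploits derived from the patches may start to appear."""
    return patch_tuesday(year, month) + timedelta(days=1)


def next_patch_tuesday(today_iso: str) -> date:
    """First Patch Tuesday on or after the given ISO date (rolls over into the next month)."""
    today = date.fromisoformat(today_iso)
    candidate = patch_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return patch_tuesday(year, month)


def days_until_next_patch(today_iso: str) -> int:
    """Lead time a patch window has before the next release."""
    return (next_patch_tuesday(today_iso) - date.fromisoformat(today_iso)).days


def release_time_utc(year: int, month: int) -> datetime:
    """10:00 PST on Patch Tuesday, expressed in UTC for log correlation."""
    d = patch_tuesday(year, month)
    local = datetime(d.year, d.month, d.day, RELEASE_HOUR_LOCAL, tzinfo=PST)
    return local.astimezone(timezone.utc)


def yearly_schedule(year: int) -> list:
    """All twelve Patch Tuesdays of a year, for populating a change calendar."""
    return [patch_tuesday(year, m) for m in range(1, 13)]


if __name__ == "__main__":
    for d in yearly_schedule(2022):
        print(d.isoformat(), "release at", release_time_utc(d.year, d.month).isoformat())
```

Because the second Tuesday always falls between the 8th and the 14th, a quick sanity check on any generated schedule is that every entry is a Tuesday within that range; the WannaCry patches the article mentions (May 2017) and the April 2020 release cited in the references both fall out of this function.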

Tuesday was chosen as the optimal day of the week to distribute software patches. This is done to maximize the amount of time available before the upcoming weekend to correct any issues that might arise with those patches, while leaving Monday free to address other unexpected issues that might have arisen over the preceding weekend[citation needed].

Security implications

An obvious security implication is that security problems that have a solution are withheld from the public for up to a month. This policy is adequate when the vulnerability is not widely known or is extremely obscure, but that is not always the case.

There have been cases where vulnerability information became public or actual worms were circulating prior to the next scheduled Patch Tuesday. In critical cases Microsoft issues corresponding patches as they become ready, alleviating the risk if updates are checked for and installed frequently.

At the Ignite 2015 event, Microsoft revealed a change in how it distributes security patches. Security updates are released to home PCs, tablets and phones as soon as they are ready, while enterprise customers stay on the monthly update cycle, which was reworked as Windows Update for Business.[12]

Exploit Wednesday

Many exploitation events are seen shortly after the release of a patch;[13] analysis of the patch helps exploit developers to immediately take advantage of the previously undisclosed vulnerability, which will remain in unpatched systems.[14] Therefore, the term "Exploit Wednesday" was coined.[15]

Discontinued Windows versions

Microsoft warned users that it discontinued support for Windows XP starting on April 8, 2014 – users running Windows XP afterwards would be at risk of attack. As security patches for newer Windows versions can reveal similar (or the same) vulnerabilities present in both newer and older Windows versions, this can enable attacks on devices running unsupported Windows versions (cf. "zero-day attacks"). However, Microsoft stopped fixing such (and other) vulnerabilities in unsupported Windows versions, regardless of how widely known they became, leaving those vulnerabilities unfixed and devices running these Windows versions open to attack. Microsoft made a singular exception during the rapid spread of the WannaCry ransomware and released patches in May 2017 for the by-then-unsupported Windows XP, Windows 8, and Windows Server 2003 (in addition to then-supported Windows versions).[16]

For Windows Vista "extended support" was ended April 11, 2017, which will leave vulnerabilities discovered afterwards unfixed, creating the same situation for Vista as for XP before.[17]

For Windows 7 (including Service Pack 1), support ended January 14, 2020,[17] and on January 10, 2023 for Windows 8.1;[17] this will cause the same "unfixed vulnerabilities" issue for users of these operating systems. Support for Windows 8 already ended January 12, 2016 (with users having to install Windows 8.1 or Windows 10 to continue to get support), and support for Windows 7 without SP1 was ended April 9, 2013 (with the ability to install SP1 to continue to get support until 2020, or having to install Windows 8.1 or Windows 10 to receive support after 2020).[17]

Windows 10

One major change with the introduction of Windows 10 was that Microsoft started to release a new version of Windows 10 twice per year, and under Microsoft's "modern lifecycle policy" a newly released Windows 10 version starts a "grace period" for the previous version with regard to support – unlike previous Windows products, which received only infrequent updates via service packs and whose support was governed by the "fixed lifecycle policy". Under this new policy, Home and Pro editions of Windows 10 are provided with security and feature updates (so-called "mainstream support") for up to 18 months after release, and "enterprise" and education editions for 24 months.[17] To give an example: support for Windows 10 Home/Pro version 1703 (released in April 2017) was stopped by Microsoft in October 2018, and support for versions 1507 and 1511 (released in 2015) officially ended in 2017.[18] Microsoft announced that it would give "extended support" (security but not feature updates) for at least one "semi-annual channel" (SAC) Windows 10 version until October 14, 2025.[19]

According to Microsoft a "device needs to install the latest version (feature update) before [the] current version reaches end of service to help keep your device secure and have it remain supported by Microsoft".[17] As with previous Windows operating systems, any device running such an unsupported version of Windows (which no longer receives security patches) is potentially affected by the "unfixed vulnerabilities" issue beginning with the "end of support" date.[20] To counter this Microsoft has designed the update system for the Home and Pro editions of Windows 10 so that in most cases if technically possible the latest Windows version is downloaded and installed automatically – this has however drawn criticism due to other problems such forced upgrades can introduce.

Windows 10 versions
Columns: Version | Codename | Marketing name | Build | Release date | Supported until (support status shown by colour in the original table): GAC[a] – Home, Pro, Pro Education, Pro for Workstations; Education, Enterprise, IoT Enterprise | LTSC[b] – Enterprise; IoT Enterprise | Mobile
1507 Threshold 10240 July 29, 2015 May 9, 2017 October 14, 2025[c]
1511 Threshold 2 November Update 10586 November 10, 2015 October 10, 2017 April 10, 2018[d] January 9, 2018
1607 Redstone Anniversary Update 14393 August 2, 2016 April 10, 2018[e] April 9, 2019[e] October 13, 2026[f] October 9, 2018
1703 Redstone 2 Creators Update 15063 April 5, 2017[g] October 9, 2018 October 8, 2019[h] June 11, 2019
1709 Redstone 3 Fall Creators Update 16299[i] October 17, 2017 April 9, 2019 October 13, 2020[j] January 14, 2020
1803 Redstone 4 April 2018 Update 17134 April 30, 2018 November 12, 2019 May 11, 2021[k]
1809 Redstone 5 October 2018 Update 17763 November 13, 2018[l] November 10, 2020[m] January 9, 2029[n]
1903 19H1 May 2019 Update 18362 May 21, 2019 December 8, 2020
1909 19H2 November 2019 Update 18363 November 12, 2019 May 11, 2021 May 10, 2022
2004 20H1 May 2020 Update 19041 May 27, 2020 December 14, 2021
20H2 20H2 October 2020 Update 19042 October 20, 2020 May 10, 2022 May 9, 2023
21H1 21H1 May 2021 Update 19043 May 18, 2021 December 13, 2022
21H2 21H2 November 2021 Update 19044 November 16, 2021 June 13, 2023 June 11, 2024 January 12, 2027 January 13, 2032[o]
22H2 22H2 2022 Update 19045 October 18, 2022 October 14, 2025
Legend:   Old version[p]   Older version, still maintained[q]   Latest version[r]
Notes:
  1. ^ General Availability Channel, formerly Semi-Annual Channel (SAC) and Current Branch (CB).
  2. ^ Long-Term Servicing Channel, formerly Long-Term Servicing Branch (LTSB).
  3. ^ Mainstream support ended on October 13, 2020.
  4. ^ Supplemental servicing for Enterprise and Education editions.
  5. ^ a b January 10, 2023 for Intel Clover Trail based systems.
  6. ^ Mainstream support ended on October 12, 2021.
  7. ^ April 11, 2017 for Education, Enterprise, and IoT Enterprise editions.
  8. ^ March 9, 2021 for Surface Hub devices.
  9. ^ Windows 10 Mobile: 15254.
  10. ^ Originally EOS by April 14, 2020, but postponed due to COVID-19 pandemic.
  11. ^ Originally EOS by November 10, 2020, but postponed due to COVID-19 pandemic.
  12. ^ Originally released on October 2, 2018, but was pushed back due to bugs.
  13. ^ Originally EOS by May 12, 2020, but postponed due to COVID-19 pandemic.
  14. ^ Mainstream support ended on January 9, 2024.
  15. ^ Mainstream support until January 12, 2027.
  16. ^ Windows 10 builds that have this color have reached their expiration dates and are no longer supported by Microsoft.
  17. ^ Windows 10 builds that have this color are no longer the latest version of Windows 10, but are still supported by Microsoft.
  18. ^ Windows 10 builds that have this color are the latest (by SKU) public version of Windows 10.

In addition to the commonly used editions like Home and Pro, Microsoft offers specialized "Long-Term Servicing Branch" (LTSB) or "Long-Term Servicing Channel" (LTSC) versions of Windows 10 with longer support timelines, governed by Microsoft's "fixed lifecycle policy", e.g. "Windows 10 Enterprise 2016 LTSB" will receive extended support until October 13, 2026,[21] and "Windows 10 LTSC 2019" will receive extended support until January 9, 2029.[22]
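The servicing rule quoted above (a device must move to a newer version before its current version reaches end of servicing, and the Home/Pro and Education/Enterprise groups have different dates) is something an inventory sweep can check mechanically. Below is an added example, not code from the article or from Microsoft. The build-to-date mapping is copied from the article's Windows 10 version table for builds 18362 through 19045 (where the table shows one merged date for both GAC columns it is used for both); the inventory lines are constructed sample data, and the `os_version` strings follow the `10.0.<build>.<revision>` form that Windows reports.

```python
"""Flag Windows 10 devices at or near end of servicing (added example, not from the article)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# build -> (version, end date for Home/Pro group, end date for Education/Enterprise group)
# Dates copied from the article's version table (GAC columns).
END_OF_SERVICING = {
    18362: ("1903", date(2020, 12, 8),  date(2020, 12, 8)),
    18363: ("1909", date(2021, 5, 11),  date(2022, 5, 10)),
    19041: ("2004", date(2021, 12, 14), date(2021, 12, 14)),
    19042: ("20H2", date(2022, 5, 10),  date(2023, 5, 9)),
    19043: ("21H1", date(2022, 12, 13), date(2022, 12, 13)),
    19044: ("21H2", date(2023, 6, 13),  date(2024, 6, 11)),
    19045: ("22H2", date(2025, 10, 14), date(2025, 10, 14)),
}

# Editions grouped as in the table's two GAC columns.
HOME_PRO_GROUP = {"home", "pro", "pro education", "pro for workstations"}
ENTERPRISE_GROUP = {"education", "enterprise", "iot enterprise"}


@dataclass
class Finding:
    host: str
    version: str                       # e.g. "21H1", or "unknown"
    status: str                        # supported / expiring / unsupported / unknown-build / unknown-edition
    end_of_servicing: Optional[date]


def parse_build(os_version: str) -> Optional[int]:
    """Extract the build number from a '10.0.19044.2251'-style string; None if malformed."""
    parts = os_version.strip().split(".")
    if len(parts) < 3 or not parts[2].isdigit():
        return None
    return int(parts[2])


def assess(host: str, edition: str, os_version: str, as_of: date, warn_days: int) -> Finding:
    """Classify one device against the table, honouring the edition-specific date."""
    build = parse_build(os_version)
    if build is None or build not in END_OF_SERVICING:
        return Finding(host, "unknown", "unknown-build", None)
    version, home_pro_end, enterprise_end = END_OF_SERVICING[build]
    ed = edition.strip().lower()
    if ed in HOME_PRO_GROUP:
        end = home_pro_end
    elif ed in ENTERPRISE_GROUP:
        end = enterprise_end
    else:
        return Finding(host, version, "unknown-edition", None)
    if as_of > end:
        status = "unsupported"            # no further security patches for this build
    elif as_of + timedelta(days=warn_days) >= end:
        status = "expiring"               # must upgrade before the end date to stay patched
    else:
        status = "supported"
    return Finding(host, version, status, end)


def assess_inventory(csv_text: str, as_of_iso: str, warn_days: int = 90) -> List[Finding]:
    """Run assess() over 'host,edition,os_version' lines; '#' lines are comments."""
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    for line in csv_text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, edition, os_version = [f.strip() for f in line.split(",")]
        findings.append(assess(host, edition, os_version, as_of, warn_days))
    return findings


# Constructed sample inventory (hostnames and revisions are made up).
SAMPLE_INVENTORY = """\
# host,edition,os_version
ws-01,Pro,10.0.19045.2251
ws-02,Pro,10.0.19043.2251
ws-03,Pro,10.0.19042.1889
srv-lab,Enterprise,10.0.19042.1889
kiosk-7,Home,10.0.19999.1
"""

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY, "2022-11-09"):
        print(f"{f.host:8} {f.version:8} {f.status:15} {f.end_of_servicing}")
```

Evaluated as of 9 November 2022, the same build 19042 comes out "unsupported" on a Pro device but "supported" on an Enterprise device, which is exactly the edition split the table encodes; the "expiring" state is what a patch-management process should act on, since once the end date passes the device receives no Patch Tuesday updates at all.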

Adoption by other companies

SAP's "Security Patch Day", when the company advises users to install security updates, was chosen to coincide with Patch Tuesdays.[23] Adobe Systems' update schedule for Flash Player since November 2012 also coincides with Patch Tuesday.[24] One of the reasons for this is that Flash Player comes as part of Windows starting with Windows 8 and Flash Player updates for the built-in and the plugin based version both need to be published at the same time in order to prevent reverse-engineering threats. Oracle's quarterly updates coincide with Patch Tuesday.[25]

Bandwidth impact

Windows Update uses the Background Intelligent Transfer Service (BITS) to download the updates, using idle network bandwidth.[26] However, BITS uses the speed reported by the network interface card (NIC) to calculate available bandwidth. This can lead to bandwidth calculation errors, for example when a fast network adapter (e.g. 10 Mbit/s) is connected to the network via a slow link (e.g. 56 kbit/s) – according to Microsoft, "BITS will compete for the full bandwidth [of the NIC] ... BITS has no visibility of the network traffic beyond the client."[27]

Furthermore, Microsoft's Windows Update servers do not honor TCP's slow-start congestion-control strategy.[28] As a result, other users on the same network may experience significantly slower connections while machines are actively retrieving updates. This can be particularly noticeable in environments where many machines individually retrieve updates over a shared, bandwidth-constrained link, such as those found in many multi-PC homes and small to medium-sized businesses. The bandwidth demands of patching large numbers of computers can be reduced significantly by deploying Windows Server Update Services (WSUS) to distribute the updates locally.

In addition to updates being downloaded from Microsoft servers, Windows 10 devices can "share" updates in a peer-to-peer fashion with other Windows 10 devices on the local network, or even with Windows 10 devices on the internet. This can potentially distribute updates faster while reducing usage for networks with a metered connection.[29][30]

References

  1. ^ a b c d Wilcox, John (2018). "Windows 10 update servicing cadence". Microsoft.
  2. ^ "August updates for Windows 8.1 and Windows Server 2012 R2". Windows Experience Blog. Retrieved 25 November 2015.
  3. ^ "April 2020 Patch Tuesday: Microsoft fixes three actively exploited vulnerabilities". Help Net Security. 2020-04-14. Retrieved 2020-10-12.
  4. ^ "Microsoft Patch Tuesday to target Windows, IE". CNet. October 10, 2011. Retrieved November 9, 2011.
  5. ^ ".NET Framework 1.1 Servicing Releases on Windows Update for 64-bit Systems". Microsoft. March 28, 2006. Archived from the original on March 27, 2012. Retrieved November 8, 2011.
  6. ^ "Understanding Windows automatic updating". Microsoft — Understanding Windows — Get Help. Retrieved July 3, 2014.
  7. ^ Budd, Christopher. "Ten Years of Patch Tuesdays: Why It's Time to Move On". GeekWire. Retrieved 28 July 2015.
  8. ^ "When does Microsoft release security updates". Microsoft MSRC.
  9. ^ "Patch Tuesday updates to Windows and Office: What you need to know". Hewlett Packard Enterprise. Retrieved 15 February 2022.
  10. ^ "Microsoft details new security plan". News.cnet.com. Retrieved 2013-02-12.
  11. ^ Paul Oliveria (Trend Micro Technical Communications) (4 October 2006). "Patch Tuesday… Exploit Wednesday". Blog.trendmicro.com. Retrieved 9 February 2016.
  12. ^ "Windows 10 bombshell: Microsoft to KILL OFF Patch Tuesday". theregister.co.uk. Retrieved 25 November 2015.
  13. ^ "Exploit Wednesday". afterdawn.com. Retrieved 25 November 2015.
  14. ^ Kurtz, George (2010-01-14). "Operation "Aurora" Hit Google, Others". mcafee.com. Archived from the original on 2012-01-17. Retrieved 2014-08-12.
  15. ^ Leffall, Jabulani (2007-10-12). "Are Patches Leading to Exploits?". Redmond Magazine. Retrieved 2009-02-25.
  16. ^ "Customer Guidance for WannaCrypt attacks". MSRC. Retrieved 2017-11-23.
  17. ^ a b c d e f "Windows lifecycle fact sheet". Microsoft. 2015-08-31. Retrieved 2015-08-31.
  18. ^ "Windows 10 v1507 End of Servicing for CB and CBB". support.microsoft.com. Retrieved 2019-08-04.
  19. ^ "Search product life cycle – Windows 10". support.microsoft.com. Retrieved 2019-08-04.
  20. ^ "Latest Windows 10 patches cause Critical Bugs in the Start Menu". Windows Call. Retrieved 2019-09-18.
  21. ^ "Windows 10 2016 LTSB - Microsoft Lifecycle". Microsoft Docs. Retrieved 2021-08-22.
  22. ^ "Windows 10 LTSC 2019 - Microsoft Lifecycle". Microsoft Docs. Retrieved 2021-08-22.
  23. ^ von Etizen, Chris (2010-09-15). "SAP introduces a patch day". The H Security. Archived from the original on 11 August 2011. Retrieved 2013-01-07.
  24. ^ McAllister, Neil (2012-11-08). "Adobe switches Flash fix schedule to Patch Tuesdays". The Register. Retrieved 2013-01-07.
  25. ^ "Oracle Tackles a Massive 405 Bugs for Its April Quarterly Patch Update". threatpost.com. Retrieved 2020-10-12.
  26. ^ "About BITS". MSDN. Microsoft. Retrieved 26 March 2016.
  27. ^ MSDN BITS Network Bandwidth
  28. ^ Strong, Ben (2010-11-25). "Google and Microsoft Cheat on Slow Start". benstrong.com. Archived from the original (blog) on December 7, 2013.
  29. ^ Warren, Tom (15 March 2015). "Microsoft to deliver Windows 10 updates using peer-to-peer technology". The Verge. Vox Media.
  30. ^ Chacos, Brad (3 August 2015). "How to stop Windows 10 from using your PC's bandwidth to update strangers' systems". PC World. IDG.