Patch Tuesday: Difference between revisions

Patch Tuesday (a.k.a. Update Tuesday) is an unofficial term used to refer to when Microsoft regularly releases security patches for its software products. It is widely referred to in this way by the industry.^[1][2][3]

Patch Tuesday occurs on the second, and sometimes fourth, Tuesday of each month in North America. As far as the integrated Windows Update (WU) function is concerned, Patch Tuesday begins at 18:00 or 17:00 UTC (10:00 PST (UTC−8) or 10:00 PDT (UTC−7)).^[4] The updates show up in Download Center before they are added to WU, and the KB articles and the Technet bulletin get unlocked even later.

Microsoft has an apparent pattern of releasing a larger number of updates in even-numbered months, and fewer in odd-numbered months.^[5][6][7] Minor updates are also released outside Patch Tuesday. Daily updates consist of malware database refreshes for Windows Defender and Microsoft Security Essentials. Sometimes there is an extraordinary Patch Tuesday, two weeks after the regular Patch Tuesday. Some updates could be released at any time.^[8]

At the Ignite 2015 event Microsoft revealed a change in distributing security patches: while it will release security updates to home PCs, tablets and phones 24/7, Windows 10 enterprise customers will stay on the monthly update cycle, which will be reworked as Windows Update for Business.^[9]

Microsoft sometimes refers to this Tuesday as "Update Tuesday".^[10]

Patch-deployment costs

Starting with Windows 98, Microsoft included a "Windows Update" system that would check for patches to Windows and its components, which Microsoft would release intermittently. With the release of Microsoft Update, this system also checks for updates to other Microsoft products, such as Office, Visual Studio and SQL Server.

Earlier versions of the Windows Update system suffered from two problems:

1. less-experienced users often remained unaware of Windows Update and did not install it; Microsoft countered this issue with the "Automatic Update", which displayed availability of updates, with the option of automatic installation
2. customers with many copies of Windows, such as corporate users, not only had to update every Windows deployment in the company but also to uninstall patches issued by Microsoft that broke existing functionality.

In order to reduce the costs related to the deployment of patches, Microsoft introduced "Patch Tuesday" in October 2003.^[11] This system accumulates security patches over a month, and dispatches them all on the second Tuesday of each month, an event for which system administrators may prepare. The following day, informally known as "Exploit Wednesday",^{[citation needed]} marks the time when exploits may appear in the wild which take advantage on unpatched machines of the newly announced vulnerabilities.

Security implications

An obvious security implication is that security problems that have a solution are withheld from the public for up to a month. This policy is adequate when the vulnerability is not widely known or is extremely obscure, but that is not always the case.

There have been cases where either vulnerability information or actual worms were released prior to the next scheduled Patch Tuesday. In critical cases Microsoft issues according patches as they become ready, alleviating the risk if updates are checked for and installed frequently.

"Exploit Wednesday"

Many exploitation events are seen shortly after the release of a patch;^{[citation needed]} analysis of the patch helps exploitation developers to immediately exploit the previously unknown underlying vulnerability, which will remain in unpatched systems.^[12] Therefore the term "Exploit Wednesday" was coined.^[13]

Windows XP

Microsoft warned users that after it discontinues support for Windows XP starting on April 8, 2014, users running Windows XP would risk 'zero day forever' because of reverse-engineered security patches for newer Windows versions. The Malicious Software Removal Tool and updates to Microsoft Security Essentials will continue to be provided for Windows XP until July 14, 2015,^[14][15][16] however, security vulnerabilities in the OS itself will no longer be fixed.

Windows Vista and later

Windows Vista will have the same "zero day" issue on April 11, 2017, the end of its extended support. Similarly, the "zero day" issue for Windows 7 will occur starting January 14, 2020, and for Windows 8.1 starting January 10, 2023.

Adoption by other companies

SAP's "Security Patch Day", when the company advises users to install security updates, was chosen to coincide with Patch Tuesdays.^[17] Adobe Systems' update schedule for Flash Player since November 2012 also coincides with Patch Tuesday.^[18] One of the reasons for this is that Flash Player comes as part of Windows starting with Windows 8 and Flash Player updates for the built-in and the plugin based version both need to be published at the same time in order to prevent reverse-engineering threats.

Bandwidth impact

Locally the Windows Update service uses the Background Intelligent Transfer Service (BITS) to only use spare bandwidth left by other applications to download the updates.

Microsoft's download servers do not honor the TCP slow-start congestion control strategy.^[19] As a result, other users of the Internet may be significantly slowed from machines actively retrieving updates. This can be particularly noticeable in environments where many machines individually retrieve updates over a shared, bandwidth-constrained link such as those found in many multi-PC homes and small to medium-sized businesses. Bandwidth demands of patching large numbers of computers can be reduced significantly by deploying Windows Server Update Services to distribute the updates locally.

See also

• History of Microsoft Windows
• Full disclosure (computer security)

References

1. "Microsoft Patch Tuesday to target Windows, IE". CNet. October 10, 2011. Retrieved November 9, 2011.
2. ".NET Framework 1.1 Servicing Releases on Windows Update for 64-bit Systems". Microsoft. March 28, 2006. Retrieved November 8, 2011.
3. "Understanding Windows automatic updating". Microsoft — Understanding Windows — Get Help. Retrieved July 3, 2014.
4. Trent, Rod. The Administrator Shortcut Guide to Patch Management. p. 51. {{cite book}}: Cite has empty unknown parameters: |genre= and |passage= (help)
5. ComputerWorld: Microsoft slates hefty Patch Tuesday, to fix 34 flaws next week
6. ItProPortal: Microsoft Ready To Patch 34 Security Vulnerabilities
7. TechWorld: Microsoft to patch critical Windows Server vulnerability
8. "Patch Tuesday: WM 6.1 SMTP fix released!". Microsoft — Outlook Mobile Team Blog. November 11, 2008. Retrieved November 9, 2011.
9. The Register: Windows 10 bombshell: Microsoft to KILL OFF Patch Tuesday
10. Blogging Windows: August updates for Windows 8.1 and Windows Server 2012 R2
11. "Microsoft details new security plan". News.cnet.com. Retrieved 2013-02-12.
12. Kurtz, George (2010-01-14). "Operation "Aurora" Hit Google, Others". mcafee.com. Retrieved 2014-08-12.
13. Leffall, Jabulani (2007-10-12). "Are Patches Leading to Exploits?". Redmond Magazine. Retrieved 2009-02-25.
14. "Microsoft Security Essentials — Microsoft Windows". Retrieved July 3, 2014.
15. Rains, Tim (2013-08-15). "The Risk of Running Windows XP After Support Ends April 2014". Microsoft Security Blog. Retrieved 2013-08-27.
16. "Microsoft Warns of Permanent Zero-Day Exploits for Windows XP". InfoSecurity. 2013-08-20. Retrieved 2013-08-27.
17. von Etizen, Chris (2010-09-15). "SAP introduces a patch day". The H Security. Archived from the original on 11 August 2011. Retrieved 2013-01-07.
18. McAllister, Neil (2012-11-08). "Adobe switches Flash fix schedule to Patch Tuesdays". The Register. Retrieved 2013-01-07.
19. Strong, Ben (2010-11-25). "Google and Microsoft Cheat on Slow Start" (blog). benstrong.com.

External links

• Microsoft Security Bulletin
• Microsoft Support Website
• Bruce Schneier's blog - Example of report about vulnerability found in the wild with timing seemingly coordinated with "Patch Tuesday".
• HD Moore: Exploiting DLL Hijacking Flaws HD Moore's blog - Report on DLL Hijacking vulnerability and exploit that led to many patches on Patch Tuesday in August 2010
• Bruce Schneier's blog - Example of a quick patch response, not due to a security issue but for DRM-related reasons.
• Evers, Joris (2005-09-09). "Microsoft pulls 'critical' Windows update". CNET News.com. Archived from the original on 2013-01-02. Retrieved 2006-12-12.