Patch Tuesday
Patch Tuesday is the second Tuesday of each month, on which Microsoft releases security patches.[1] Starting with Windows 98, Microsoft included a "Windows Update" system that would check for patches to Windows and its components, which Microsoft would release intermittently. With the release of Microsoft Update, this system also checks for updates to other Microsoft products, including Office, Visual Studio, SQL Server, and others.
Microsoft approach
Patch deployment costs
The Windows Update system suffered from two problems, affecting opposite ends of the user scale. The first was that less experienced users were not aware of Windows Update, and did not run it. Microsoft's solution was to introduce the concept of "Automatic Update", which would proactively inform the user that an update was available for their system.
The second problem affected large deployments of Windows, such as can be found at large companies. Such deployments found it increasingly difficult to ensure that all systems across the company were up to date. The problem was made worse by the fact that, occasionally, a patch issued by Microsoft would break existing functionality, and would have to be uninstalled.
In order to reduce the costs related to the deployment of patches, Microsoft introduced the concept of Patch Tuesday in October 2003.[2] The idea is that security patches are accumulated over a period of one month, and then dispatched all at once on an anticipated date for which system administrators can prepare. This date was set not too close to the beginning of the week, and yet far enough from the end of the week to allow any problems that may arise to be resolved before the weekend. System administrators can mark the second Tuesday of the month as the "day in which machines are updated", and plan accordingly. The name "Patch Tuesday" has been in use since the third quarter of 2004.[citation needed] It is becoming synonymous with the day any software vendor issues a vulnerability patch.[citation needed] Some editors/analysts[clarification needed] talk about "Exploit Wednesday" as the day after, or even "Day Zero" immediately following the update, when hackers can launch attacks against the newly announced vulnerabilities.
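For planning maintenance windows around that date, the following added example (not part of the original article) computes the second Tuesday of a month and the day after it. It also lists the months in which a scheduler rule of "second Wednesday" does not fall on the day after the release, which happens whenever the month begins on a Wednesday, as October 2003 and August 2007 did. All function names are hypothetical.

```python
import calendar
from datetime import date, timedelta


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """Return the n-th occurrence (1-based) of `weekday` in the given month."""
    first = date(year, month, 1)
    # Days from the 1st to the first occurrence of `weekday` (0 if it is the 1st).
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, the release date described in the article."""
    return nth_weekday(year, month, calendar.TUESDAY, 2)


def day_after_release(year: int, month: int) -> date:
    """The Wednesday immediately following the release."""
    return patch_tuesday(year, month) + timedelta(days=1)


def next_patch_tuesday(today: date) -> date:
    """Next release date on or after `today`, rolling over month and year."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate < today:
        if today.month == 12:
            candidate = patch_tuesday(today.year + 1, 1)
        else:
            candidate = patch_tuesday(today.year, today.month + 1)
    return candidate


def mismatched_months(year: int) -> list:
    """Months where 'second Wednesday' is NOT the day after the second Tuesday.

    A job scheduled on the second Wednesday would run six days before the
    release in these months instead of one day after it.
    """
    return [
        m for m in range(1, 13)
        if nth_weekday(year, m, calendar.WEDNESDAY, 2) != day_after_release(year, m)
    ]


if __name__ == "__main__":
    print("Release in October 2003:", patch_tuesday(2003, 10))
    print("Months to watch in 2007:", mismatched_months(2007))
```

Scheduling follow-up tasks as "release date plus N days" rather than as an independent "n-th weekday" rule avoids the mismatch.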
Impact on Internet
Security implications of Patch Tuesday
The most obvious security implication is that security problems that have a solution are withheld from the public for a period of up to a month. This policy is adequate when the vulnerability is not widely known or is extremely obscure,[citation needed] but that is not always the case.
In the past, there were some cases where either vulnerability information or actual worms were released to the public a day or two before Patch Tuesday.[citation needed] This does not leave Microsoft enough time to incorporate a fix for said vulnerabilities, and thus, theoretically, leaves a one-month window for attackers to exploit the hole before a patch is available to formally fix it. Microsoft issues critical patches as they become ready, however, so this is not generally a problem.
Exploit Wednesday
Many exploitation events are seen shortly after the release of a patch.[citation needed] By analyzing the patch, exploit developers can more easily figure out how to exploit the underlying vulnerability,[3] and attack systems that have not been patched.[citation needed] Therefore the term "Exploit Wednesday" was coined.[4]
Also, starting to abuse an unpatched exploitation entry point on this day gives malicious code writers the longest period of time before a fix is supplied to users.[citation needed] Malware authors can sit on a new vulnerability until after a given Patch Tuesday, knowing that there will be an entire month before Microsoft releases any patch to fix it.[citation needed]
Other consequences
Immediately following Patch Tuesday, millions of computers are rebooted within a short period of time.
This rebooting causes an exceptional strain on Internet servers and databases as client software logs off and back on.
For example, in August 2007, Skype experienced a two-day outage following Patch Tuesday; according to Skype this was caused by a previously unidentified software bug exposed by the abnormally high number of restarts.[5]
References
- ^ "Security updates". Microsoft. 2007-10-09. Retrieved 2007-11-02.
- ^ http://news.cnet.com/Microsoft-details-new-security-plan/2100-1002_3-5088846.html
- ^ Kurtz, George (2010-01-14). "Operation "Aurora" Hit Google, Others". Retrieved 2010-01-14.
- ^ Leffall, Jabulani (2007-10-12). "Are Patches Leading to Exploits?". The Register. Retrieved 2009-02-25.
- ^ Layden, John (2007-08-20). "Patch Tuesday update triggered Skype outage". The Register. Retrieved 2007-08-28.
- Evers, Joris (2005-09-09). "Microsoft pulls 'critical' Windows update". CNET News.com. Retrieved 2006-12-12.
External links
- Microsoft: Bulletins and Advisories (Security Bulletin List and Search)
- Microsoft Support Website
- Bruce Schneier's blog - Example of report about vulnerability found in the wild with timing seemingly coordinated with "Patch Tuesday".
- Bruce Schneier's blog - Example of a quick patch response, not due to a security issue but for DRM-related reasons.