Patch Tuesday
Encyclopedia : P : PA : PAT : Patch Tuesday
Patch Tuesday is the second Tuesday of each month, the day that Microsoft releases security patches.
Starting with Windows 98, Microsoft included a "Windows Update" system, that would check for patches to Windows and its components which Microsoft would release intermittently. This system has since been upgraded to also check for updates to other Microsoft products, including Office.
Patch Deployment Costs
The Windows Update system suffered from two problems, affecting opposite ends of the users scale. On the one hand, less experienced users were not aware of it, and did not run it. Microsoft's solution was to introduce the concept of "Automatic Update", which would pro-actively inform the user that an update was available for its system.The second problem affected large deployments of Windows, such as can be found at large companies. Such large deployments found it increasingly difficult to make sure all systems across the company were all up to date. The problem was made worse by the fact that, occasionally, a patch issued by Microsoft would break existing functionality, and would have to be uninstalled.
In order to reduce the costs related to the deployment of patches, Microsoft introduced the concept of Patch Tuesday. The idea is that security patches are accumulated over a period of one month, and then dispatched all at once at a pre-known date that system administrators can prepare for. This date was set not too close to the beginning of the week, and yet far enough from the end of the week to allow any problems that may arise to be resolved before the weekend. System administrators can mark the second Tuesday of the month in advance as the "day in which machines are updated", and plan accordingly.
Security Implications of Patch Tuesday
The most obvious security implication is that security problems that have a solution are withheld from the public for a period of up to a month. Implicitly, this policy assumes that most attacks use information reverse engineered from the security patches that fix the vulnerability, rather than true zero day exploits.
It is unknown to what extent this assumption is true.
In the past, there were some cases where either vulnerability information or actual worms were released to the public a day or two before patch Tuesday. This does not leave Microsoft enough time to incorporate a fix for said vulnerabilities, and thus, theoretically, leave a one month window for attackers or the worm to exploit the hole, before a patch is available to formally fix it.
Strictness of Schedule
In most months Microsoft sticks to the "one patch set per month" schedule, and patches are only released on patch Tuesday. However, cases in which out of cycle patches are released are not rare, and happen, on average, several times a year.
Critics say that the correlation between the vulnerabilities that cause Microsoft to break the promised schedule and the severity of those vulnerabilities is not high enough. There have been cases where vulnerabilities deemed by many to be "highly critical", and that were actively being exploited by worms, were not issued out of cycle patches while vulnerabilities deemed by same parties less critical were.
Other names
Some system administrators have also been known to call this day "Black Tuesday."See also
External Links
- [Microsoft: Bulletins and Advisories]
- [Microsoft Support Website]
- [kbfind.com] - for browsing the Microsoft Support KB (Knowledge Base)
- [kbAlertz.com] - for tracking Microsoft KB updates
- [Bruce Schnier's blog] - Example of report about vulnerability found in the wild with timing seemingly coordinated with "Patch Tuesday".
From Wikipedia, the Free Encyclopedia. Original article here. Support Wikipedia by contributing or donating.
All text is available under the terms of the GNU Free Documentation License See Wikipedia Copyrights for details.