Patch Tuesday (also known as Update Tuesday) is an unofficial term used to refer to when Microsoft regularly releases security patches for its software products. It is widely referred to in this way by the industry. Microsoft formalized Patch Tuesday in October 2003.
Patch Tuesday occurs on the second, and sometimes fourth, Tuesday of each month in North America. As far as the integrated Windows Update (WU) function is concerned, Patch Tuesday begins at 18:00 or 17:00 UTC (10:00 PST (UTC-8) or 10:00 PDT (UTC-7). The updates show up in Download Center before they are added to WU, and the KB articles and the Technet bulletin are unlocked later.
Microsoft has a pattern of releasing a larger number of updates in even-numbered months, and fewer in odd-numbered months. Minor updates are also released outside Patch Tuesday. Daily updates consist of malware database refreshes for Windows Defender and Microsoft Security Essentials. Sometimes there is an extraordinary Patch Tuesday, two weeks after the regular Patch Tuesday. Some updates could be released at any time.
Video Patch Tuesday
History
Starting with Windows 98, Microsoft included Windows Update that once installed and executed, would check for patches to Windows and its components, which Microsoft would release intermittently. With the release of Microsoft Update, this system also checks for updates for other Microsoft products, such as Microsoft Office, Visual Studio and SQL Server.
Earlier versions of Windows Update suffered from two problems:
- Less-experienced users often remained unaware of Windows Update and did not install it. Microsoft countered this issue, in Windows ME with the Automatic Updates component, which displayed availability of updates, with the option of automatic installation.
- Customers with multiple copies of Windows, such as corporate users, not only had to update every Windows deployment in the company but also to uninstall patches issued by Microsoft that broke existing functionality.
Microsoft introduced "Patch Tuesday" in October 2003 to reduce the cost of distributing patches. This system accumulates security patches over a month, and dispatches them all on the second Tuesday of each month, an event for which system administrators may prepare. The following day, informally known as "Exploit Wednesday", marks the time when exploits may appear in the wild which take advantage on unpatched machines of the newly announced vulnerabilities.
Tuesday was chosen as the optimal day of the week to distribute software patches. This is done to maximize the amount of time available before the upcoming weekend to correct any issues that might arise with those patches, while leaving Monday free to address other unanticipated issues that might have arisen over the preceding weekend.
Maps Patch Tuesday
Security implications
An obvious security implication is that security problems that have a solution are withheld from the public for up to a month. This policy is adequate when the vulnerability is not widely known or is extremely obscure, but that is not always the case.
There have been cases where vulnerability information became public or actual worms were circulating prior to the next scheduled Patch Tuesday. In critical cases Microsoft issues corresponding patches as they become ready, alleviating the risk if updates are checked for and installed frequently.
At the Ignite 2015 event, Microsoft revealed a change in distributing security patches. They release security updates to home PCs, tablets and phones as soon as they are ready, while enterprise customers will stay on the monthly update cycle, which was reworked as Windows Update for Business.
Exploit Wednesday
Many exploitation events are seen shortly after the release of a patch; analysis of the patch helps exploitation developers to immediately exploit the previously unknown underlying vulnerability, which will remain in unpatched systems. Therefore, the term "Exploit Wednesday" was coined.
Microsoft warned users that after it discontinued support for Windows XP starting on April 8, 2014, users running Windows XP would be at the risk of zero-day attacks forever because of reverse-engineered security patches for newer Windows versions. Microsoft continued to provide updates for Microsoft Security Essentials and Malicious Software Removal Tool on Windows XP until July 14, 2015. However, security vulnerabilities in the OS itself were no longer fixed. Windows Vista has the same "zero day" issue since April 11, 2017, the end of its extended support.
The "zero day" issue for Windows 7 will occur starting January 14, 2020, for Windows 8.1 starting January 10, 2023, and for Windows 10 starting October 14, 2025.
Adoption by other companies
SAP's "Security Patch Day", when the company advises users to install security updates, was chosen to coincide with Patch Tuesdays. Adobe Systems' update schedule for Flash Player since November 2012 also coincides with Patch Tuesday. One of the reasons for this is that Flash Player comes as part of Windows starting with Windows 8 and Flash Player updates for the built-in and the plugin based version both need to be published at the same time in order to prevent reverse-engineering threats.
Bandwidth impact
Windows Update uses the Background Intelligent Transfer Service, which, allegedly, uses only spare bandwidth left by other applications to download the updates.
Microsoft's download servers do not honor the TCP's slow-start congestion control strategy. As a result, other users on the same network may experience significantly slower connections from machines actively retrieving updates. This can be particularly noticeable in environments where many machines individually retrieve updates over a shared, bandwidth-constrained link such as those found in many multi-PC homes and small to medium-sized businesses. Bandwidth demands of patching large numbers of computers can be reduced significantly by deploying Windows Server Update Services to distribute the updates locally.
Starting with Windows 10, updates are first downloaded from other Windows 10 machines on the local network. This can potentially distribute updates faster while reducing usage for networks with a metered connection. If no computer has the requested updates, they will be downloaded from Microsoft's servers.
See also
- History of Microsoft Windows
- Full disclosure (computer security)
References
Further reading
- Evers, Joris (2005-09-09). "Microsoft pulls 'critical' Windows update". CNET News.com. Retrieved 2006-12-12.
- Schneier, Bruce (17 July 2006). "Zero-Day Microsoft PowerPoint Vulnerability". Schneier on Security. Example of report about vulnerability found in the wild with timing seemingly coordinated with "Patch Tuesday"
- Schneier, Bruce (7 September 2006). "Microsoft and FairUse4WM". Schneier on Security. Example of a quick patch response, not due to a security issue but for DRM-related reasons.
External links
- Microsoft Security Bulletin
Source of the article : Wikipedia