Patch Tuesday

Patch Tuesday is usually the second Tuesday of each month, on which Microsoft releases security patches.^[1][2][3] Starting with Windows 98, Microsoft included a "Windows Update" system that would check for patches to Windows and its components, which Microsoft would release intermittently. With the release of Microsoft Update, this system also checks for updates to other Microsoft products, such as Office, Visual Studio and SQL Server.

The Patch Tuesday begins at 17:00 or 18:00 UTC. Sometimes there is an extraordinary Patch Tuesday, 14 days after the regular Patch Tuesday. There are also updates which are published daily (e.g. definitions for Windows Defender and Microsoft Security Essentials) or irregularly.

Seemingly Microsoft has a pattern of releasing a larger number of updates in even-numbered months, and fewer in odd-numbered months.^[4][5][6]

Patch-deployment costs

Earlier versions of the Windows Update system suffered from two problems. The first was that less-experienced users were often unaware of Windows Update and did not install it; Microsoft's solution was the "Automatic Update," which notified each user that an update was available for their system. The second problem was that customers, such as corporate users, with many copies of Windows not only had to update every Windows deployment in the company but also uninstall patches issued by Microsoft that broke existing functionality.

In order to reduce the costs related to the deployment of patches, Microsoft introduced "Patch Tuesday" in October 2003.^[7] In this system, security patches are accumulated over a period of one month and then dispatched all at once on the second Tuesday of the month, an event for which system administrators may prepare. Some^[who?] speculate that Tuesday was selected so that post-patch problems could be discovered and resolved before the weekend, but, certainly, not every patch-induced problem may be cured in that time. The non-Microsoft terms for the following day are "Exploit Wednesday" and "Day Zero," when attacks may be launched against the newly announced vulnerabilities.

Security implications

The most obvious security implication is that security problems that have a solution are withheld from the public for a period of up to a month. This policy is adequate when the vulnerability is not widely known or extremely obscure, but that is not always the case.

There have been cases where either vulnerability information or actual worms were released to the public a day or two before patch Tuesday.^{[citation needed]} This did not leave Microsoft enough time to incorporate a fix for said vulnerabilities, and thus, theoretically, left a one month window for attackers to exploit the hole, before a patch is available to formally fix it. Microsoft issues critical patches as they become ready, however, so this is not generally a problem.

Exploit Wednesday

Many exploitation events are seen shortly after the release of a patch.^{[citation needed]} By analyzing the patch, exploitation developers can more easily figure out how to exploit the underlying vulnerability,^[8] and attack systems that have not been patched. Therefore the term "Exploit Wednesday" was coined.^[9]

Also, starting to abuse an unpatched exploitation entry point on this day gives malicious code writers the longest period of time before a fix is supplied to users. Malware authors can sit on the vulnerability of a new exploitation entry point until after a given patch Tuesday, knowing that there will be an entire month before Microsoft releases any patch to fix it.

Bandwidth impact

Microsoft's download servers do not honor the TCP slow-start congestion control strategy.^[10] As a result, other uses of the Internet may be significantly slowed from machines actively retrieving updates. This can be particularly noticeable in environments where many machines individually retrieve updates over a shared, bandwidth constrained link such as those found in many small to medium sized businesses. To some extent the bandwidth demands of patching a group of computers can be alleviated by deploying Windows Server Update Services.

See also

• History of Microsoft Windows
• Windows Update
• Full disclosure

References

1. ^ Microsoft rarely refer to it as 'Patch Tuesday'; here's one reference. "Patch Tuesday: WM 6.1 SMTP fix released!". Microsoft - Outlook Mobile Team Blog. November 11, 2008. http://blogs.msdn.com/b/outlook_mobile/archive/2008/11/12/wm-6-1-smtp-fix-released.aspx. Retrieved November 9, 2011. 
2. ^ It is widely referred to it this way by the industry. "Microsoft Patch Tuesday to target Windows, IE". CNet. October 10, 2011. http://news.cnet.com/8301-10805_3-20118106-75/microsoft-patch-tuesday-to-target-windows-ie/. Retrieved November 9, 2011. 
3. ^ Showing Microsoft referring to the 'second Tuesday of every month' ".NET Framework 1.1 Servicing Releases on Windows Update for 64-bit Systems". Microsoft. March 28, 2006. http://blogs.technet.com/b/blairn/archive/2006/03/28/netfx1164annc.aspx. Retrieved November 8, 2011. 
4. ^ ComputerWorld: Microsoft slates hefty Patch Tuesday, to fix 34 flaws next week
5. ^ ItProPortal: Microsoft Ready To Patch 34 Security Vulnerabilities
6. ^ TechWorld: Microsoft to patch critical Windows Server vulnerability
7. ^ http://news.cnet.com/Microsoft-details-new-security-plan/2100-1002_3-5088846.html
8. ^ Kurtz, George (2010-01-14). "Operation “Aurora” Hit Google, Others". mcafee.com. http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/. Retrieved 2010-01-14. 
9. ^ Leffall, Jabulani (2007-10-12). "Are Patches Leading to Exploits?". The Register. http://redmondmag.com/news/article.asp?editorialsid=9143. Retrieved 2009-02-25. 
10. ^ Strong, Ben (2010-11-25). "Google and Microsoft Cheat on Slow Start" (blog). benstrong.com. http://blog.benstrong.com/2010/11/google-and-microsoft-cheat-on-slow.html. 

• Evers, Joris (2005-09-09). "Microsoft pulls 'critical' Windows update". CNET News.com. http://news.com.com/Microsoft+pulls+critical+Windows+update/2100-7349_3-5857338.html. Retrieved 2006-12-12. 

External links

• Microsoft: Bulletins and Advisories (Security Bulletin List and Search)
• Microsoft Support Website
• Bruce Schneier's blog - Example of report about vulnerability found in the wild with timing seemingly coordinated with "Patch Tuesday".
• HD Moore: Exploiting DLL Hijacking Flaws HD Moore's blog - Report on DLL Hijacking vulnerability and exploit that led to many patches on Patch Tuesday in August 2010
• Bruce Schneier's blog - Example of a quick patch response, not due to a security issue but for DRM-related reasons.