Patch Tuesday
Patch Tuesday is the second Tuesday of each month, the day that
Microsoft releases security patches.
Starting with
Windows 98, Microsoft included a "
Windows Update" system, that would check for
patches to Windows and its components which Microsoft would release intermittently. This system has since been upgraded to also check for updates to other Microsoft products, including
Office.
The Windows Update system suffered from two problems, affecting opposite ends of the users scale. On the one hand, less experienced users were not aware of it, and did not run it. Microsoft's solution was to introduce the concept of "Automatic Update", which would pro-actively inform the user that an update was available for its system.
The second problem affected large deployments of Windows, such as can be found at large companies. Such large deployments found it increasingly difficult to make sure all systems across the company were all up to date. The problem was made worse by the fact that, occasionally, a patch issued by Microsoft would break existing functionality, and would have to be uninstalled.
In order to reduce the costs related to the deployment of patches, Microsoft introduced the concept of
Patch Tuesday. The idea is that security patches are accumulated over a period of one month, and then dispatched all at once on an anticipated date which system administrators can prepare for. This date was set not too close to the beginning of the week, and yet far enough from the end of the week to allow any problems that may arise to be resolved before the weekend. System administrators can mark the second Tuesday of the month in advance as the "day in which machines are updated", and plan accordingly.
The most obvious security implication is that security problems that have a solution are withheld from the public for a period of up to a month. Implicitly, this policy assumes that most attacks use information reverse engineered from the security patches that fix the vulnerability, rather than true
zero day exploits.
It is unknown to what extent this assumption is true.
In the past, there were some cases where either vulnerability information or actual worms were released to the public a day or two before patch Tuesday. This does not leave Microsoft enough time to incorporate a fix for said vulnerabilities, and thus, theoretically, leave a one month window for attackers or the worm to exploit the hole, before a patch is available to formally fix it.
In most months Microsoft sticks to the "one patch set per month" schedule, and patches are only released on patch Tuesday. However, cases in which out of cycle patches are released are not rare, and happen, on average, several times a year.
Critics say that the correlation between the vulnerabilities that cause Microsoft to break the promised schedule and the severity of those vulnerabilities is not high enough. There have been cases where vulnerabilities deemed by many to be "highly critical", and that were actively being exploited by worms, were not issued out of cycle patches while vulnerabilities deemed by same parties less critical were.
Some
system administrators have also been known to call this day "
Black Tuesday."
*
Windows Update*
Full disclosure*
Microsoft: Bulletins and Advisories*
Microsoft Support Website*
kbfind.com - for browsing the Microsoft Support KB (Knowledge Base)
*
kbAlertz.com - for tracking Microsoft KB updates
*
Bruce Schnier's blog - Example of report about vulnerability found in the wild with timing seemingly coordinated with "Patch Tuesday".
*
Security Patch - A list of all Microsoft patches since 2003.
