Celebrating 10 years of Patch Tuesday

Summary: 10 years ago Microsoft's first regularly-scheduled patch day included updates for Windows XP and Windows Server 2003. Today's patches do as well. But things are much better now than then, thanks in part to Patch Tuesday.

TOPICS: Security, Microsoft

Prior to October 2003, Microsoft released security updates on an as-needed basis. Releases often came weekly, but with no advance warning: we would get an announcement that a security patch was available for a vulnerability, which we may or may not have known existed, in a Microsoft product.

If the vulnerability was severe and affected products on which a company relied, IT departments would be pressured (from both inside and outside) to drop whatever they were doing and apply the patch.

This is no way to run a railroad, and Microsoft's customers told them so.

This changed in October 2003. Microsoft announced it would release security updates only on the second Tuesday of the month, and would provide limited advance warning of the contents.

The first such patch and disclosure release was on Tuesday, October 14, 2003. The ZDNet story on the release quotes Microsoft chief executive Steve Ballmer telling the Microsoft Worldwide Partner Conference earlier that year that the company was listening:

"That predictability is something you and our customers have highlighted to us we need to do, because people are feeling like they have to drop everything and deploy every patch at all times."

The situation is much better now. The biggest reason for this is that the security quality of Microsoft products (and of most software in general) is so much better than it used to be, in spite of some recent problems. But the predictability of the update schedule and the improved information that comes with security bulletins these days, as well as improvements in patch management systems, also played a big part in making IT life more normal.

Though derided by some at first, Patch Tuesday set the standard for the software industry. Many other large companies, including Adobe and Oracle, set up regular patch schedules. Others made a point of releasing their own patches on Patch Tuesday, partly to hide behind Microsoft's skirts while IT and users were in a bad mood.

In the last 10 years, Microsoft has added improvements to the process. One of the most important is the Exploitability Index. Many vulnerabilities sound scary based on their descriptions, but in fact they are low-priority because it would be difficult, if possible at all, to write functioning exploit code for them.

When disclosing vulnerabilities as it patches them on Patch Tuesday, Microsoft assigns each one an Exploitability Index rating of 1, 2 or 3. A rating of 1 means "Exploit code likely" and may in fact mean that exploit code is already circulating in the wild; Microsoft notes when this is the case. A rating of 2 means "Exploit code would be difficult to build": exploit code is possible, but it would be hard to make it work reliably, or there may be a random element so that it would trigger only (for example) one time in ten. A rating of 3 means "Exploit code unlikely" which, in Microsoft's definition, means that "…it is unlikely that an attacker would be able to create an exploit that could successfully exercise the full impact of the vulnerability."

Like Patch Tuesday itself, the Exploitability Index is designed to help IT prioritize patch deployments. Read together with a bulletin's severity rating, it lets IT schedule a Critical-but-hard-to-exploit fix behind an Important one for which exploit code already exists.
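As an added example of that kind of triage (not Microsoft's tooling and not part of the original article), the script below reads a constructed, CSV-style rendering of a bulletin summary, rates every CVE by severity plus Exploitability Index, and ranks each bulletin by its worst entry. The bulletin and CVE identifiers are placeholders, the three deployment tiers and their windows are an assumed local policy, and the "exploited_in_wild" column stands in for the note Microsoft adds when exploit code is already circulating.

```python
"""Rank a Patch Tuesday bulletin summary by severity and Exploitability Index.

Added example for this article; not Microsoft's own tooling. The input is a
constructed CSV with placeholder bulletin/CVE identifiers, and the deployment
tiers and windows are an assumed local policy, not anything Microsoft publishes.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample input: one row per CVE, as a bulletin summary would list them.
SAMPLE_SUMMARY = """\
bulletin,cve,severity,exploitability,exploited_in_wild
EX-001,EXAMPLE-0001,Critical,1,yes
EX-001,EXAMPLE-0002,Important,3,no
EX-002,EXAMPLE-0003,Critical,2,no
EX-003,EXAMPLE-0004,Important,1,no
EX-004,EXAMPLE-0005,Moderate,3,no
EX-005,EXAMPLE-0006,Critical,3,no
"""

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
TIER_ORDER = {"emergency": 0, "expedited": 1, "standard": 2}
# Assumed local deployment windows per tier (policy choice for this example).
TIER_WINDOW = {
    "emergency": "next maintenance window, out of cycle",
    "expedited": "within one week, after pre-production test",
    "standard": "next scheduled monthly cycle",
}


@dataclass(frozen=True)
class Entry:
    bulletin: str
    cve: str
    severity: str
    exploitability: int  # Exploitability Index as described above: 1, 2 or 3
    exploited_in_wild: bool


def parse_summary(text):
    """Parse the CSV rendering; reject severities or index values we don't know."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["severity"].strip()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} for {row['cve']}")
        idx = int(row["exploitability"])
        if idx not in (1, 2, 3):
            raise ValueError(f"Exploitability Index must be 1, 2 or 3, got {idx} for {row['cve']}")
        entries.append(Entry(row["bulletin"].strip(), row["cve"].strip(), sev, idx,
                             row["exploited_in_wild"].strip().lower() == "yes"))
    return entries


def tier_for(e):
    """Assumed policy: known exploitation or Critical+EI 1 is an emergency;
    Critical+EI 2 or Important+EI 1 is expedited; everything else waits."""
    if e.exploited_in_wild or (e.severity == "Critical" and e.exploitability == 1):
        return "emergency"
    if (e.severity == "Critical" and e.exploitability == 2) or \
       (e.severity == "Important" and e.exploitability == 1):
        return "expedited"
    return "standard"


def rank_bulletins(entries):
    """Collapse per-CVE rows to one row per bulletin, keyed on its worst CVE."""
    worst = {}
    for e in entries:
        t = tier_for(e)
        key = (TIER_ORDER[t], SEVERITY_RANK[e.severity], e.exploitability)
        if e.bulletin not in worst or key < worst[e.bulletin][0]:
            worst[e.bulletin] = (key, t, e)
    ranked = sorted(worst.values(), key=lambda item: (item[0], item[2].bulletin))
    return [{"bulletin": e.bulletin, "tier": t, "window": TIER_WINDOW[t],
             "driver": f"{e.cve} ({e.severity}, EI {e.exploitability}"
                       + (", exploited in the wild)" if e.exploited_in_wild else ")")}
            for _, t, e in ranked]


if __name__ == "__main__":
    for row in rank_bulletins(parse_summary(SAMPLE_SUMMARY)):
        print(f"{row['bulletin']:8} {row['tier']:10} {row['window']:45} {row['driver']}")
```

Note that EX-005 (Critical, but rated 3) lands in the standard tier behind EX-003 (Important, but rated 1): that is exactly the reordering the Exploitability Index is meant to justify, and the driver column records which CVE made the call so the decision can be defended in a change ticket.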

Even consumers who can't be expected to know what and when to patch software are much better covered now, as Windows applies updates automatically. This would have been unacceptable ten years ago, but as Microsoft demonstrated reliability in patching it became acceptable to set this capability as the default. Most consumers running current versions of Windows are all patched up and don't even know. This is a very good thing for everyone.

Perhaps the most remarkable thing about the Microsoft Security Bulletin Summary for October 2003, the very first Patch Tuesday, is that some of the products listed in it are still being supported.

Microsoft would dispute this, with some justification. The bulletin lists three critical vulnerabilities in Windows XP and Windows Server 2003, but Microsoft now supports these products only at Service Pack 3 and Service Pack 2, respectively. Both service packs came out long after 2003.

It's easy these days to claim that security is out of control and things only ever get worse, but a comparison of life before Patch Tuesday to where things stand now shows how much better off we are. Prior to October 2003, there was a real sense in IT that vulnerabilities were out of control and Microsoft might not be able to address the problem.

It did, and Patch Tuesday was a big part of it.

  • Microsoft gets this half right

    While I totally agree a lot of updates can easily wait for a scheduled update event each month, I don't agree, and never will, that everything can wait. But considering the vast business user base of Windows, I think it's clear that every decision that is made is made with business and IT in mind. That is much different than what a Google or Apple deals with at the customer level. Consumers are much more tolerant of updates and patches that might possibly cause issues. I do find fewer and fewer issues with Windows updates, but they still occur. The forced auto-updates in many apps and operating systems came about because users failed at doing it themselves. So for many, having it scheduled and done with little or no input from the user is a good thing.
    • Not everything has to wait.

      Microsoft can release, and has released, out-of-cycle patches when it feels they are warranted. It's the best of both worlds.
  • Not everything does wait

    Microsoft just recently released an "out of band" update
  • 10 years is nothing!

    I've been celebrating patch Tuesday for 32 years! ..... Snake Plissken :)
  • Celebrating 10 years of Patch Tuesday

    10 years of making administration of Microsoft Windows based PCs and servers a lot easier. It really did simplify things and made patching so much easier. I know when to expect patches and can let others know.
  • There are Greats...

    ...and there are ingrates. The Greats appreciate the power and magnitude of what Microsoft provides for them! The scope of what must be contended with in the wild is ginormous, such that it should really be recognized for the Herculean effort that it is, to provide the World's Best OS (TM, Mike Cox, reusable with permission), and have it up and running day after day, restart after restart! Do some people even realize the number of OSs out there that don't start up cleanly? I can count on two hands, maybe three tops, the number of times that Windows has failed to boot up for me. That is sheerly awesome over 20 years time. It is a sad world when so many abuse the features provided by this company, and force labor to rectify so-called security issues, when those man-hours could be so much better spent on providing even more OS Awesome Sauce (TM, Mike Cox, reusable with permission). I applaud Microsoft for its moves in putting customers first. They have made me a Great, and I am grateful!!!
  • IT people

    More IT people should comment on this, and I will put my two cents here. I'm glad to see updates on Tuesday, but real work updates are made on Saturday or Sunday. Big companies cannot stop servers, unless in clusters, just to patch. And usually it requires a change ticket and approval.
    So we get to read about the updates and choose the important ones and update later on. Also, if the update has any kind of problem, you won't be the first to update, and probably will not update and mess up the servers.
    • updates on quality

      Also updates are done first in pre-production servers (quality) to minimize risk.