The triumph of Patch Tuesday

Summary: Microsoft's 10 year practice of scheduled updates on the second Tuesday of the month has been a great help to IT staffs and has improved the overall security of Windows systems worldwide.

One of the great, unappreciated inventions in security came from Microsoft almost 10 years ago in October, 2003: Patch Tuesday. Microsoft invented the process of regularly scheduled security updates. It was somewhat controversial at the time, but it was clearly the right thing to do and has eliminated what was becoming a regular series of crises, thus relieving a great deal of pressure from security admins.

2003 was a time of great technical crisis for Microsoft. The rise of the Internet had exposed the company's indifference to the security of its software. Now that everyone was able to communicate with everyone else, everyone was also able to attack everyone else remotely. Microsoft wasn't the only company caught with their pants down this way, but clearly they were the biggest problem because their software had the biggest footprint.

[Image: windows-update] Patch Tuesday and better update software have made it easier to keep your systems secure.

Recovery began with a company-wide memo from Bill Gates in January 2002.

The memo admits that Microsoft had done a crappy job of providing secure products and puts the company on a mission to make security its top priority:

… great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security.

Permission to proceed in this manner could only have come from Gates, so this was an important development, and it explains a number of version upgrades, particularly to Office, which appeared not to provide a lot of customer value.

In retrospect, it seems odd that the memo focused heavily on .NET as the basis for "Trustworthy Computing", as he called it. .NET is still important, but it's no longer the basis for Microsoft's OS efforts. If only it were; securing a VM should be a lot easier than securing native code platforms, but Microsoft insiders tell me that the Windows people at Microsoft hate .NET.

You can see all the major ingredients of Microsoft's security approach in the memo. What came to be called the SDL or Security Development Lifecycle, a set of software development processes to ensure secure code every step of the way, is in there. The importance of listening to customers and making security as easy as possible to achieve is in there.

That's where Patch Tuesday came in. It was a direct result of listening to large enterprise customers. Emergency security updates are a big problem for IT departments: they may have to divert resources from, and delay, other important projects.

By having a regularly scheduled update day, IT departments could plan to have resources available at that time and know not to schedule events, such as some software installations, that would be unwise during an update window. By adding advance notification, such as the current one for today's updates, Microsoft gave customers even more opportunity to plan ahead, while still not revealing too much about the vulnerabilities.

The major criticism at the time Patch Tuesday came out was that Microsoft was letting critical vulnerabilities go unpatched rather than dealing with them immediately. The company left open the possibility of going "out of band" and patching a vulnerability off-schedule. They have done this, but it has been a rare event. I haven't counted the out-of-band updates, but I bet the number is in the single digits. Microsoft can and does provide guidance on mitigation techniques that customers can use when a patch is not available.

Despite all the work that Microsoft has put into security, there are still plenty of vulnerabilities patched (and sometimes they patch silently, without disclosure; whether this is a sneaky thing to do is debatable). It was obvious that the vulnerabilities would continue, because modern software systems are just too complex for it to be otherwise. And there are still zero-day exploits at times, probably more than we know about, but this too is inevitable. There is even "Exploit Wednesday", when an unpatched vulnerability is exploited the day after Patch Tuesday on the theory that the time until it is patched will be maximized, but I think this is an illusion; if the exploit had been released the Monday before Patch Tuesday, it's not like Microsoft could have had a patch ready.
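As an added illustration (not code from the original article or from Microsoft) of the planning the two preceding paragraphs describe, here is a small Python script that derives the dates an IT team would block out for each monthly cycle: the second Tuesday itself, the day after it that the article calls "Exploit Wednesday", and a deployment deadline after a validation window. Two things are assumptions of this example rather than statements from the article: that the advance notification lands on the Thursday before Patch Tuesday, and the length of the validation window (`validation_days`).

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0 ... Sunday == 6


def second_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month, i.e. the Patch Tuesday date."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def next_patch_tuesday(today: date) -> date:
    """Return the next Patch Tuesday on or after `today`, rolling over a year end."""
    candidate = second_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate
    if today.month == 12:
        return second_tuesday(today.year + 1, 1)
    return second_tuesday(today.year, today.month + 1)


def patch_cycle(today: date, validation_days: int = 3) -> dict:
    """Milestone dates for the next cycle starting from `today`.

    Assumptions of this example (not from the article):
      - the advance notification is published the Thursday before Patch Tuesday;
      - `validation_days` is the staging/validation window before rollout.
    """
    patch_day = next_patch_tuesday(today)
    return {
        "advance_notice": patch_day - timedelta(days=5),     # Thursday before (assumed)
        "patch_tuesday": patch_day,
        "exploit_wednesday": patch_day + timedelta(days=1),  # the day after, as in the article
        "deploy_by": patch_day + timedelta(days=validation_days),
    }


def upcoming_cycles(start: date, count: int) -> list:
    """List the next `count` cycles, each starting the day after the previous Patch Tuesday."""
    cycles = []
    cursor = start
    for _ in range(count):
        cycle = patch_cycle(cursor)
        cycles.append(cycle)
        cursor = cycle["patch_tuesday"] + timedelta(days=1)
    return cycles


if __name__ == "__main__":
    # Constructed starting point; any date works.
    for cycle in upcoming_cycles(date(2013, 7, 1), 3):
        print(
            f"notice {cycle['advance_notice']}  patch {cycle['patch_tuesday']}  "
            f"exploit-wed {cycle['exploit_wednesday']}  deploy by {cycle['deploy_by']}"
        )
```

The `(TUESDAY - weekday) % 7` step is what makes the function correct for every month, including one that begins on a Tuesday (offset 0, so the second Tuesday is the 8th) and one that begins on a Wednesday (offset 6, so the second Tuesday is the 14th, as in October 2003 when the schedule began).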

On the whole, Patch Tuesday has been a huge benefit for customers and security. It has made it more practical for customers, large and small, to keep their systems up to date. It's such an obviously good idea that many companies, such as Oracle, have adopted their own update schedules. The vaguely regular update schedules for Chrome and Firefox also come out of this tradition, and often you'll see companies like Adobe schedule their updates on Patch Tuesday because customers will be patching then anyway.

When's the last time you were seriously worried about an unpatched vulnerability? That's so 2003.

Topics: Security, Microsoft, Windows

Talkback

54 comments
  • Update still sucks big time

    Just because an update is there for download does not mean you can get it. I still cannot update MSO 2010 to SP2 - some weird error. Yes, and it bores me to hell that when, after an update, you hit "restart now" in the update center, it tells you: Windows is waiting for the program to close (update center). They could really make restarting from within the update center more straightforward than that.
    polarcat
    • SP3

      Have you tried SP3 (http://www.microsoft.com/en-us/download/details.aspx?id=36768)? It's probably comprehensive
      larry@...
      • that's Exchange Server

        not Office ("MSO" usually stands for "Microsoft Office", ain't it?)
        polarcat
        • I have never seen MSO used for office

          Just called "Office"
          ScanBack
    • Have you tried downloading it and installing it

      If that still doesn't work, you need to check what the problem is in %windir%\Windowsupdate.log
      Samic
    • I don't think that's the issue...

      ... The ACTUAL issue is the whole "PATCH" concept. Why can't they bloody make it work right the first time around!?? A new patch each month? How many holes does this bloody OS have?! I mean... I'm running XP. It's been here for like... 10 years?!? More than that! And it STILL has patches! STILLL?!?? After over 10 years?!? Who are these guys?!? What if Ford called their cars in for service each month? Or at least each year?!? For a "compulsory" update? And keep in mind! They sell a hell of a lot fewer cars than MS sells Windows-based OS licenses...
      Kostaghus
      • I don't think that's the issue...

        Totally agree Kostaghus, but sadly even though MS don't pay peanuts, they do still seem to have some monkeys programming. I could say it is all about profit, and the pushing to get products out of the door without thorough testing, but alas even Linux software is often released with bugs. It must be something to do with programming itself, it is a task not suited to humans. No one could be expected to think of ALL the scenarios of how the software is used/abused, not even me. Perhaps the answer is to have all programming done by computers, but then who debugs the debuggers?
        I just want to make clear that I am neither a Microsoft or Linux geek. I love (and hate) them both equally :)

        SB
        steve@...
      • Comparing apples to oranges...

        I always find these arguments silly. I mean, do you really have people trying to 'break in to' the components of your vehicle? Oh no! Someone is trying to hack in to my windshield wipers!!! Argggh! They've gained control of my radio and keep changing the stations!!!
        james@...
      • Automobile Security

        So far, I am not aware of ANY car that can't be broken into or stolen. We are talking about security here, right? Security updates are intended to stop bad guys from "breaking into" your computer and stealing your data.

        Rick
        rick6612
      • If you want Windows to come out every 100 years.

        "Why can't they bloody make it work right the first time around!??"

        If you want Windows to come out every 100 years. That's how long it'll take to make a completely bug-free version of Windows (or any other major OS).

        Even Linux isn't bug-free out the gate - I get patches for that on a rather continuous basis as well.

        "What if Ford would call their cars into service units each month?"

        Not each month, but even cars aren't perfect out of the gate; I've had a couple of recalls on mine.
        CobraA1
  • right... a big improvement...

    And still the patches have to be VERIFIED before being installed or you STILL get a dead system.

    And making the customers reverify old problems to make sure the patches don't put the "fixed" bugs back into the system...

    It can easily take a month to verify the patches that are supposed to "fix" things.
    jessepollard
    • Patch validation takes about a half hour

      You put it on staging... does it blow up your stuff? No? Deploy.
      Mac_PC_FenceSitter
      • Sigh...

        Observing such "experiments" each and every day... this is just plain pathetic.

        What about bugs that don't blow everything up instantly, but for example silently corrupt data? What about security related bugs? Those certainly didn't blow any Windows system, but instead permitted unrestricted remote code execution by whoever so desired....

        I can only hope you are being sarcastic :)
        danbi
      • Give the man a break!

        It does, when you update your game system at home! Not so simple when updating thousands of PCs in a company's internal network, each with its own set of software, often custom designed... Not so easy... It's simple to be a wisecrack when your ass is not on the line! Otherwise... you'd think twice before acting. Or even thrice...
        Kostaghus
    • I have been letting it go

      With Auto Updates for years. One time, after cleaning my system using one of those free cleaners, a component (Microsoft .NET) would no longer update. So I re-installed it and after that it worked fine.

      Message is, tinker with the Weather and You will get Rained on.
      RayInLV
  • How can you call this improved?

    I guess you are a fanboy. If Microsoft Windows is improved, then why don't they do a better job of testing their software? If hackers can find their program errors, so should Microsoft software engineers. Had they completely checked the software before releasing to consumers, there would be very few updates - period!!!
    JackAdair
    • Nobody puts out bug-free software

      It's all just too complex. You need to make your expectations more reasonable.
      larry@...
      • Correct, nobody provides bug free software, BUT, everyone other than MS

        does good testing and fixing of issues prior to public release. Microsoft handles that by releasing it to the public, then passing out patches for what gets the most complaints.
        Deadly Ernest
        • The evil MS empire!

          Wow, what open ended statements. You really endorse every other software company in the world and can state for a fact that they all do "a good testing and fixing of issue prior to public release."?

          You also have proof that Microsoft's corporate strategy is to release bug filled software to the public to patch "what gets the most complaints."

          Do you not realize how silly and unbelievable you sound?
          james@...
      • expectations

        absolutely right. The only bug free software is a line of code NOP (no op).

        Anyone with an Android phone or tablet will see an app patched most days. We are all between a rock and a hard place - if there were no bad guys, we wouldn't have to deal with most of this.

        Whilst there is always room for improvement, Microsoft probably do almost as good a job as it is possible to do, given the complexity and circumstances. There are a number of large companies (who shall remain nameless) who have a long way to go to catch Microsoft up on this one.

        Whatever Microsoft do, they are d*mned if they do and the same if they don't - if they are open and fix a load of things, people complain that it was their software being buggy (conveniently forgetting that mostly it is to counter the bad guys); if they don't, people think they are hiding things.

        Remember that we used to be able to take liquids onto planes ... until someone put something in them. Was this the fault of the plane makers? No. Was it the fault of security? No. There are still things that we currently take on planes, but one day, someone will abuse them. Whose fault is it - the plane makers, the airlines, security? No - the bad guys.

        It is about time we stood back to think about the reasons we have to patch - someone writing a piece of software cannot possibly imagine all the ways in which a bad guy might misuse it.
        tony@...