Celebrating 10 years of Patch Tuesday

Ten years ago, Microsoft's first regularly scheduled patch day included updates for Windows XP and Windows Server 2003. Today's patches do as well. But things are much better now than they were then, thanks in part to Patch Tuesday.
Written by Larry Seltzer, Contributor

Prior to October 2003, Microsoft released security updates on an as-needed basis. Patches arrived roughly weekly, but with no prior warning: we would get an announcement that a security patch was available for a vulnerability, which we may or may not have known existed, in a Microsoft product.

If the vulnerability was severe and affected products on which a company relied, IT departments were pressured (from both inside and outside) to drop whatever they were doing and apply the patch.

This is no way to run a railroad, and Microsoft's customers told them so.

This changed in October 2003. Microsoft announced it would normally release security updates only on the second Tuesday of the month, reserving out-of-band releases for emergencies, and would provide limited advance warning of the contents.

The first such patch and disclosure release was on Tuesday, October 14, 2003. The ZDNet story on the release quotes Microsoft chief executive Steve Ballmer telling a recent Microsoft Worldwide Partner Conference that the company was listening:

"That predictability is something you and our customers have highlighted to us we need to do, because people are feeling like they have to drop everything and deploy every patch at all times."

The situation is much better now. The biggest reason for this is that the security quality of Microsoft products (and most software in general) is so much better than it used to be, in spite of some recent problems. But the predictability of the update schedule and the improved information that comes with security bulletins these days, as well as improvements in patch management systems, were also a big part in making IT life more normal.

Though derided by some at first, Patch Tuesday set the standard for the software industry. Many other large companies, including Adobe and Oracle, set up regular patch schedules. Others made a point of releasing their own patches on Patch Tuesday, partly to hide behind Microsoft's skirts while IT and users were in a bad mood.

In the last 10 years, Microsoft has added improvements to the process. One of the most important is the Exploitability Index. Many vulnerabilities sound scary based on their descriptions, but in fact they are low-priority because it would be difficult, if possible at all, to write functioning exploit code.

When disclosing vulnerabilities as it patches them on Patch Tuesday, Microsoft assigns each one an Exploitability Index score of 1, 2 or 3, reflecting its estimate of how likely exploitation is within the first 30 days after release. Rating 1 (now labeled "Exploitation More Likely", originally "Consistent exploit code likely") means reliable exploit code could be built; it may in fact mean that exploit code is already out in the wild, and Microsoft notes when this is the case, since 2011 with a separate rating of 0, "Exploitation Detected". Rating 2 ("Exploitation Less Likely", originally "Inconsistent exploit code likely") means that exploit code is possible but would be difficult to get working reliably, or there may be a random element which means it would only trigger (for example) one in ten times. Rating 3 ("Exploitation Unlikely") means, in Microsoft's definition, that "…it is unlikely that an attacker would be able to create an exploit that could successfully exercise the full impact of the vulnerability." The rating is given per vulnerability, not per bulletin, and is assessed separately for the latest version of the affected software and for older versions, so the same CVE can carry a different rating on Windows XP than on Windows 8.

Like Patch Tuesday itself, the Exploitability Index is designed to help IT prioritize patch deployments.

Even consumers, who can't be expected to know what and when to patch, are much better covered now, because Windows applies updates automatically. This would have been unacceptable ten years ago, but as Microsoft demonstrated reliability in patching it became acceptable to make this capability the default. Most consumers running current versions of Windows are fully patched without even knowing it. This is a very good thing for everyone.

Perhaps the most remarkable thing about the Microsoft Security Bulletin Summary for October, 2003 — the very first Patch Tuesday — is that some of the products listed in it are still being supported.

Microsoft would dispute this, with some justification. The bulletin lists three critical vulnerabilities in Windows Server 2003 and Windows XP, but Microsoft only supports these products at service packs 2 and 3, respectively. Both service packs came out long after 2003.

It's easy these days to claim that security is out of control and things only ever get worse, but a comparison of life before Patch Tuesday to where things stand now shows how much better off we are. Prior to October 2003, there was a real sense in IT that vulnerabilities were out of control and Microsoft might not be able to address the problem.

It did, and Patch Tuesday was a big part of it.
