The triumph of Patch Tuesday

Microsoft's 10-year practice of scheduled updates on the second Tuesday of the month has been a great help to IT staffs and has improved the overall security of Windows systems worldwide.
Written by Larry Seltzer, Contributor

One of the great, unappreciated inventions in security came from Microsoft almost 10 years ago in October, 2003: Patch Tuesday. Microsoft invented the process of regularly scheduled security updates. It was somewhat controversial at the time, but it was clearly the right thing to do and has eliminated what was becoming a regular series of crises, thus relieving a great deal of pressure from security admins.

2003 was a time of great technical crisis for Microsoft. The rise of the Internet had exposed the indifference the company had to the security of their software. Now that everyone was able to communicate with everyone else, they were able to attack everyone else remotely. Microsoft wasn't the only company caught with their pants down this way, but clearly they were the biggest problem because their software had the biggest footprint.

Patch Tuesday and better update software have made it easier to keep your systems secure

Recovery began with a company-wide memo in January 2002 from Bill Gates

The memo admits that Microsoft had done a crappy job of providing secure products and puts the company on a mission to make security top priority:

… great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security.

Permission to proceed in this manner could only have come from Gates, so this was an important development, and it explains a number of version upgrades, particularly to Office, which appeared not to provide a lot of customer value.

In retrospect, it seems odd that the memo focused heavily on .NET as the basis for "Trustworthy Computing", as he called it. .NET is still important, but it's no longer the basis for Microsoft's OS efforts. If only it were; securing a VM should be a lot easier than securing native code platforms, but Microsoft insiders tell me that the Windows people at Microsoft hate .NET.

You can see all the major ingredients of Microsoft's security approach in the memo. What came to be called the SDL or Security Development Lifecycle, a set of software development processes to ensure secure code every step of the way, is in there. The importance of listening to customers and making security as easy as possible to achieve is in there.

That's where Patch Tuesday came in. It was a direct result of listening to large, enterprise customers. Emergency security updates are a big problem for IT departments. They may have to divert resources from and delay other important projects.

By having a regularly scheduled update day, IT departments could plan to have resources available at the time and know not to schedule events, like some software installations, that might not be wise at a time of updating. By adding the advance notice, such as the current one for today's updates, Microsoft gave customers more opportunity to plan in advance, while still not spilling the beans on the vulnerabilities too much.

The major criticism at the time Patch Tuesday came out was that Microsoft was letting critical vulnerabilities go unpatched rather than deal with them immediately. The company left open the possibility of going "out of band" and patching a vulnerability off-schedule. They have done this, but it has been a rare event. I haven't counted the out-of-band updates, but I bet the number is in the single digits. Microsoft can and does provide guidance for mitigation techniques that customers can use when a patch is not available.

Despite all the work that Microsoft has put into security, there are still plenty of vulnerabilities patched (and sometimes they patch silently, without disclosure; whether this is a sneaky thing to do is debatable). It was obvious that the vulnerabilities would continue because modern software systems are just too complex for it to be otherwise. And there are still zero-day exploits at times, probably more than we know about, but this too is inevitable. There is even "Exploit Wednesday", when an unpatched vulnerability is exploited the day after Patch Tuesday on the theory that the time until it is patched will be maximized. I think this is an illusion; if the release had been the Monday before Patch Tuesday it's not like Microsoft could have had a patch ready.

On the whole, Patch Tuesday has been a huge benefit for customers and security. It has made it more practical for customers, large and small, to keep their systems up to date. It's such an obviously good idea that many companies, such as Oracle, have made their own update schedules. The vaguely-regular update schedules for Chrome and Firefox also come out of this tradition, and often you'll see companies like Adobe schedule their updates on Patch Tuesday because customers will be patching then anyway.

When's the last time you were seriously worried about an unpatched vulnerability? That's so 2003.
