If you are a Windows computer user, you’re probably familiar with the usual pop-ups or notifications telling you that your device needs to restart to complete the installation of updates; or telling you to schedule the restart for a more convenient time. These updates are usually released by Microsoft on a special day that has come to be known as Patch Tuesday.
Microsoft doesn’t have a guaranteed time these patches will be released. But the pattern over the years is that the updates generally arrive around 10 a.m Pacific Standard Time (UTC−8), but they may be released later in the day. The updates show up in the Download Center before they are added to Windows Update (WU). These patches are released to fix bugs in its software application that might lead to vulnerabilities, and improve the security of Microsoft applications. Most of those vulnerabilities are found by external researchers who report them responsibly to Microsoft through the Microsoft bug bounty program. Microsoft Security Response Center investigates the reported vulnerabilities and provides solutions to help mitigate security risks.
The main idea behind Patch Tuesday is to make the update process as predictable as possible in order to keep Windows Administrators from having to struggle to deal with updates released on an irregular schedule. This enables them to make plans to test and install them. Other companies such as Adobe and Oracle have adopted the same Patch Tuesday schedule to make patch management easier for System Administrators.
Smaller updates are often released at other times (out-of-band), especially if they are urgent and critical.
Related post: Best Partch Management Tools
How it all Started
Windows 98 was the first Microsoft operating system that featured the option to check and install updates to the operating system. During that period, updates for Microsoft products were released irregularly and at random times until October 2003 when the second Tuesday of the month was chosen to be “update day”, which became what is now known in the industry as Patch Tuesday.
The process of releasing and distributing these software patches irregularly costs Microsoft and organizations a lot of money, time, and effort—especially organizations with large numbers of Windows machines. You can imagine how time-consuming it can be to manually update each Windows machine separately. Microsoft introduced “Patch Tuesday” to reduce the cost of distributing patches. The new approach allows security patches to accumulate over a month and dispatches them all on the second Tuesday of each month.
Before the advent of Patch Tuesday, updates were released whenever they were ready (ship-when-ready) with no prior warning or announcement. While this allowed fixes to go out almost immediately, it was a burden on Windows Administrators and users who sometimes had to reboot their computers several times to apply new updates, rather than just one reboot to apply a cumulative update.
Why is it important?
Patch Tuesday has become a big deal for Windows users and administrators. Getting the latest security updates for your desktops and servers should be something to look forward to each month. These updates are important and critical to the overall health of your systems and servers. Every organization is encouraged to apply patches on Patch Tuesday. Why is this important?
According to Microsoft, Tuesday was chosen for two reasons:
- To provide users with a day (Monday) to deal with unexpected issues that might have arisen over the preceding weekend.
- To give users plenty of time to test the updates and deploy them to devices, then respond to any issues that may arise during the rest of the week.
Software updates are important to the overall health of your systems. Strong security is vital for all organizations, particularly those using systems that store or have access to sensitive data such as personal information. Operating systems and other applications that are not updated are likely to become vulnerable to cyber-attacks. Attackers often exploit out-of-date systems—they exploit vulnerabilities for which patches are available but not applied. For this reason, Microsoft recommends that customers make patching a priority. Patches can fix potential bugs and security holes while increasing the efficiency of operating systems and the software applications that run on them.
The most important security updates and the patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Even zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability. Many exploitation events are seen shortly after the release of a patch. In fact, the day after Patch Tuesday is often known as Exploit Wednesday. Attackers have figured out a way to reverse-engineer patches to identify the underlying vulnerabilities and then create methods to exploit the vulnerability. They then use this opportunity to attack computers that haven’t updated the previous day’s patches.
It was lack of patching that enabled the WannaCry ransomware attack that took place in May 2017 to spread so quickly. While Microsoft had released patches previously to close the WannaCry vulnerability, much of its spread was from organizations that had not applied the patch or were using older Windows systems that were past their end-of-life. These patches are critical to an organization’s cyber-security but many were not applied because of the need to not interrupt operation.
How do You know what’s being released?
Microsoft releases security-related updates for Windows (desktop and server editions), Office, and related products on the second Tuesday of each month. The fourth Tuesday of each month is reserved for updates that aren’t related to security. Occasionally, Microsoft does release what is called an “out of band” update (update released on a day outside the normal Tuesday update routine) for critical security issues. Typically, this occurs only when a security issue is extremely serious and is being actively exploited in the wild.
Patch Tuesday is known within Microsoft also as the “B” release, to distinguish it from the “C” and “D” releases that occur in the third and fourth weeks of the month, respectively. The “C” and “D” releases contain only non-security updates and are intended to provide visibility and testing of the planned non-security fixes targeted for next month’s Update Tuesday release. These updates are then shipped as part of the following month’s “B” or Update Tuesday release.
Every security update issued by Microsoft (whether it’s on Patch Tuesday or as an out-of-band release) is accompanied by Security Advisories and Bulletins that are published by the Microsoft Security Response Center (MSRC) at about the same time the updates are released. The MSRC releases these documents as part of the ongoing effort to help users manage security risks and keep their systems protected. The Security Advisories and Bulletins consists of the following key items:
- Security Bulletin Summaries: Provide a high-level overview of the security bulletins that are released by the MSRC each month. The summaries provide information to help users prioritize monthly security updates.
- Security Bulletins: Provide a description of the available mitigation as well as knowledge base (KB) articles that contain further information about the updates.
- Security Advisories: Address security changes that may not require a security bulletin but that may still affect users’ overall security. Each advisory is accompanied by a Microsoft KB article to provide additional information about updates being delivered with the advisory’s release.
- Microsoft Vulnerability Research (MSVR) Advisories: Describe security vulnerabilities that Microsoft or external researchers discovered in third-party products, and which Microsoft has disclosed to the affected vendors.
The vulnerabilities are described using an identification system known as the Common Vulnerabilities and Exposures (CVE). CVEs such as CVE-2021-31184 and CVE-2021-30540 are unique, common identifiers for publicly known information-security vulnerabilities in publicly released software packages. The specifics of each patch bundle will vary depending on the security issues being addressed—details of each patch bundle can be found by visiting Microsoft’s MSRC security update guide.
How do You know which updates are most critical?
Not all vulnerabilities are equal in terms of severity and associated risk level. To help users understand the risk associated with each patched vulnerability, Microsoft published a severity rating system that rates each vulnerability according to the worst theoretical outcome if that vulnerability were to be exploited. The severity ratings are described as follows:
- Critical: A vulnerability marked as “Critical” means that its exploitation could lead to code execution without user interaction. Examples include self-propagating malware such as worms. Microsoft recommends that users apply critical updates immediately when they are released.
- Important: A vulnerability marked as “Important” means that its exploitation could compromise the confidentiality, availability, or integrity (CIA) of user data. Examples include denial of service attacks such as ransomware and other malware that steal our data. Microsoft recommends that users apply Important updates at the earliest opportunity.
- Moderate: A vulnerability marked as “Moderate” means that its impact is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations. Microsoft recommends that users consider applying the security update.
- Low: A vulnerability marked as “Low” means that its impact is mitigated by the characteristics of the affected component. This type of vulnerability normally requires either extensive interaction or an unusual configuration. Microsoft recommends that users evaluate whether to apply the security update to the affected systems.
The rating of a vulnerability’s severity is different from its likelihood of occurrence. In order to assess the likelihood of occurrence, the Microsoft Exploitability Index provides additional information on the likelihood that a vulnerability addressed in a Microsoft security update will be exploited. Microsoft recommends that System Administrators evaluate their own environments and make decisions about which updates are required to keep their systems protected.
Risk Factors and Possible Mitigation
As important as applying patches on Patch Tuesday is to the overall health of computer systems and servers, it is not without challenges and risks—especially for organizations with a large number of Windows systems and customized applications. A lot of organizations resent applying patches on Patch Tuesdays because of the associated risks.
Patch Tuesday updates are seen as a source of headache for most Windows Administrators because of their potential to cause more problems and complications. The patches are sometimes incompatible with third-party software or even Microsoft’s own software, which can lead to system malfunction and downtimes. When you look at today’s threat landscape, zero-day attacks have increased exponentially in the last few years, both in speed and sophistication, as evidenced by the well-established “Exploit Wednesday” attacks.
According to Christopher Budd (former Microsoft Security Response Center employee), “when Microsoft started moving away from the ‘ship when ready’ model, there was a lot of criticism that we were leaving people vulnerable to attack longer than they needed to be”—especially when there is a zero-day situation and people clamor for an “out of band” release. “In those situations, the benefits of a structured process collide with the problem of the increased time a vulnerability is open to attack”. This usually results in a longer window of exposure—the time period between the release of a vulnerability and the availability of a patch.
Patch Tuesday can also impact an organization’s internet bandwidth if it’s not handled properly. This is especially noticeable in environments where many machines discretely retrieve updates over a shared, bandwidth-constrained connection such as those found in many workgroup networks, or in some small to medium-sized businesses. So how do we deal with these risk factors?
First and foremost, as a Windows Administrator, it is recommended that you test patches in a lab or sandbox environment and ensure that they are compatible with your systems before applying them to production systems. In addition, Microsoft provides a tool called Windows Server Update Services (WSUS) that can be used to provide a controlled rollout of patches. This makes it easier to manage the deployment of patches to your test and production environment.
To minimize the impact on an organization’s internet bandwidth, the WSUS tool can be used to distribute the updates locally. This will significantly reduce bandwidth demands for patching large numbers of computers. In addition to WSUS, Windows 10 computers can “share” updates in a peer-to-peer fashion with other Windows 10 computers on the local network, or even with Windows 10 computers on the internet. This helps to ensure that updates are distributed faster while reducing usage for networks with a metered connection.