One of the most critical aspects of cybersecurity is ensuring that all software is kept up to date with the latest patches. This is necessary to close any vulnerabilities that cybercriminals could take advantage of in order to infiltrate an organization and launch an attack. Given the volume of updates and the effort needed to install and configure them, it helps to know precisely when patches will be released.
“Patch Tuesday”, a monthly event where Microsoft releases software patches, started 20 years ago and is still going strong today. Since then, there has been a considerable shift in how Patch Tuesday is seen, what information is prioritized, and the way that these patches are released. The history of Patch Tuesday is important, and tells us a lot about potential future developments.
When Patch Tuesday Began
Patch Tuesday started in 2003 in an effort to standardize the release schedule of software updates. The regularity of this schedule was a boon for users and companies, and it changed how people handle updates. Its reliability made it possible to plan the time needed to install and configure any modifications to the software. Some companies, such as Adobe, followed in Microsoft’s footsteps, while others adopted their own regular patch schedules, like Cisco’s updates in March and September. Most companies still release critical updates outside of the scheduled time, so that fixes for actively exploited vulnerabilities do not have to wait for the next scheduled release.
In the beginning, remote services were often the focal point of patches, with updates fixing vulnerabilities like unauthenticated remote code execution. This reflected the threat landscape and the types of attacks favored by bad actors. Once patches are released, IT teams have to take the time to analyze the updates in order to understand which vulnerabilities are being patched and how the updates will change the software or the user experience. With the advent of Patch Tuesday, this process can be planned for and scheduled rather than simply occurring whenever a patch happens to be released.
How Patch Tuesday Has Changed Over Time
In 20 years, there have been a number of changes to Patch Tuesday due to a shifting threat landscape, developing technology, industry trends, and structural changes in how patches are released. Today, patched vulnerabilities are more commonly found in browsers, local privilege escalation, and Microsoft Office. Attackers are less likely to exploit gaps in network security and more likely to use phishing and other tactics that take advantage of the human element, and patches reflect these changes.
One of Microsoft's biggest changes occurred in 2017, when Microsoft eliminated the security bulletin accompanying updates and replaced it with security guidance. This provides far less information about the specifics of the vulnerabilities and patches, possibly as a consequence of Microsoft’s cumulative update strategy: fewer details are provided when updates are bundled together. Patch Tuesday updates include a CVSS score, which gives some context, but not as much as the security bulletins did.
A few years later, Microsoft reintroduced FAQs to supplement updates. This feature had been part of the security bulletins, and it gives much-needed context and information about patches. However, the FAQs still lack the detailed information that the security bulletins provided.
Looking Ahead
Back in April 2022, Microsoft announced the release of its new “Autopatch service,” which triggered rumors that Patch Tuesday was coming to an end. It is understandable why some assume that Patch Tuesday is no longer necessary, but it remains crucial and beneficial. Microsoft responded, stating that “Patch Tuesday will continue to be an important part of our strategy to keep users secure”, and clarified any doubts on its FAQ page. This makes sense: without automatic update capabilities or a regular patching cadence, users are forced to install updates on demand, and many users do not have the necessary permissions, so updates have to wait until an administrator is available. Keeping software up to date is one of the first and most important tenets of a good cybersecurity strategy.
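An added example (not code from the original post) of how a defender can make use of the fixed cadence. Patch Tuesday falls on the second Tuesday of each month; the script computes that date, finds the latest and next Patch Tuesday relative to a given day, and flags hosts whose last installed update predates the most recent Patch Tuesday once a grace window for testing and scheduling has passed. The host names and dates in the inventory are constructed.

```python
from datetime import date, timedelta

def patch_tuesday(year, month):
    """Second Tuesday of the month, the day Microsoft ships its monthly updates."""
    first = date(year, month, 1)
    # weekday(): Monday=0, Tuesday=1; days from the 1st to the first Tuesday
    to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)

def latest_patch_tuesday(as_of):
    """Most recent Patch Tuesday on or before as_of (rolls back to previous month)."""
    pt = patch_tuesday(as_of.year, as_of.month)
    if pt <= as_of:
        return pt
    y, m = (as_of.year - 1, 12) if as_of.month == 1 else (as_of.year, as_of.month - 1)
    return patch_tuesday(y, m)

def next_patch_tuesday(as_of):
    """First Patch Tuesday strictly after as_of (rolls forward to next month)."""
    pt = patch_tuesday(as_of.year, as_of.month)
    if pt > as_of:
        return pt
    y, m = (as_of.year + 1, 1) if as_of.month == 12 else (as_of.year, as_of.month + 1)
    return patch_tuesday(y, m)

def hosts_behind(inventory, as_of_iso, grace_days=14):
    """Hosts whose last update predates the latest Patch Tuesday, reported only
    after grace_days have elapsed so teams have time to test and schedule the rollup.
    inventory maps hostname -> ISO date of the last installed update."""
    as_of = date.fromisoformat(as_of_iso)
    latest = latest_patch_tuesday(as_of)
    if as_of <= latest + timedelta(days=grace_days):
        return []  # still inside the grace window, nothing is overdue yet
    return sorted(h for h, d in inventory.items() if date.fromisoformat(d) < latest)

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = {
    "web01": "2023-10-11",
    "db02": "2023-09-13",
    "jump03": "2023-10-10",
}

if __name__ == "__main__":
    today = date(2023, 10, 30)
    print("latest Patch Tuesday:", latest_patch_tuesday(today))
    print("next Patch Tuesday:", next_patch_tuesday(today))
    print("overdue hosts:", hosts_behind(SAMPLE_INVENTORY, today.isoformat()))
```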
As every sysadmin has lamented at one time or another, there are factors that currently make Patch Tuesday less effective than it could be; however, the solution is not to get rid of it entirely. When organizations and their IT teams have demands that clash with the current state of Patch Tuesday, many of their difficulties can be traced back to the need for post-update configuration changes that are not properly highlighted in the security guidance.
In the future, it would be useful for Patch Tuesday to include more information, moving back toward the retired “security bulletin” approach. Microsoft's transition to cumulative updates removes much of the control that system administrators have over the patch management process. There have been instances in the past where cumulative updates were incompatible with certain system configurations, forcing administrators either to patch anyway or to document the justification for not patching. It would be good to see the return of non-cumulative updates, especially for critical items, or, at the very least, cumulative updates that allow administrators to disable specific fixes during installation. This would avoid forcing users to remain in vulnerable states when such incompatible updates are released.
Conclusion
Since its origins in 2003, Patch Tuesday has become an important feature that IT teams rely upon to provide a regular schedule of updates. While there have been changes in how the updates are released and what sort of information accompanies the patches, the event retains its usefulness in many ways. It effectively changed how updates are handled and set a precedent for other organizations to follow. Patch Tuesday is likely to stick around for a while, making software patches a smoother process with less total disruption.