
Patch Tuesday, a.k.a. Black Tuesday (or Update Tuesday), is an unofficial term for the scheduled updates that Microsoft rolls out on Tuesdays to fix known bugs in the Windows operating system and other Microsoft products.

It was introduced in 2003 to give system administrators a routine schedule for planning updates to Microsoft products. The idea was to simplify patch management through a regular schedule and spare network administrators the hassle of unpredictable updates. With a predetermined update schedule, system administrators can run compatibility and deployment tests before installing the updates.

Background Information on Used Terminology

What Is a Security Vulnerability?

In cyber security, a vulnerability is a flaw or weakness in a system that a threat actor could exploit to bypass the implemented protection mechanisms for confidentiality, integrity and availability. Vulnerabilities can allow attackers to gain unauthorized access to resources; steal, modify or destroy data; install malware; and so on.

What Is a Zero-Day Vulnerability?

A zero-day (a.k.a. 0-day) vulnerability is a flaw or weakness in a system that has been identified by hackers (either white hat or black hat) but is unknown to, or unaddressed by, the system owners, developers, or the general community.

Which Tuesday Is Patch Tuesday?

There are four different Tuesdays on Microsoft’s update schedule. These are known within Microsoft as the A, B, C and D releases, referring to the first, second, third and fourth Tuesday of each month respectively, on which updates are released.

Among these, the second Tuesday of each month is the one most commonly called Patch Tuesday. That is when security fixes are released for Microsoft products. The other weeks are reserved for non-security updates; firmware updates, for example, are released on the third Tuesday of every month.

Out-Of-Band Updates

While Patch Tuesdays are reserved for standard updates, urgent security patches can be released at any time between Patch Tuesdays. Such updates are called out-of-band updates.

Only extremely serious security vulnerabilities are fixed with out-of-band updates: those known to be widely exploited in the wild, or bugs whose details are already public. In other words, out-of-band updates are rare and are not used for every critical vulnerability.

Security Implications

The scheduled-update model has become widely accepted among network administrators, since it allows system maintenance to be planned and reduces the likelihood of unwanted system crashes after patches are installed. However, it is still a topic of discussion in the security community because of the security concerns it raises.

The first criticism of Patch Tuesday is that it gives attackers a window of opportunity to exploit known bugs until they are patched in the scheduled update. For instance, if an attacker finds a zero-day vulnerability in a Microsoft product, the attacker can estimate how long they have to exploit it before it is patched (assuming Microsoft discovers it too).

Secondly, it turns out that it is not only system administrators who prepare for the scheduled updates; attackers do too, though in a different way. Around Patch Tuesday, attackers develop exploits using the clues in the security update guidance and by reverse engineering the patches. This phenomenon of attacking unpatched systems right after Patch Tuesday is also known as “Exploit Wednesday”.

The third and perhaps most important criticism of Patch Tuesday is that it leaves systems vulnerable to attack until the next update cycle. As a counter-argument, one can point out that urgent patches are released as out-of-band updates because of their criticality. However, Microsoft tends to avoid out-of-band updates as much as possible in order to stick to the schedule. For this reason, only the most critical vulnerabilities get patched between Patch Tuesdays.
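The schedule described under “Which Tuesday Is Patch Tuesday?” and the exposure window discussed in this section are easy to make concrete in code. The following is an added example, not code from the original post: it computes the A/B/C/D release Tuesdays for a month and the number of days a system stays exposed until the next scheduled Patch Tuesday. It assumes that only the second Tuesday is the scheduled security release and deliberately ignores out-of-band updates; all function names are my own.

```python
"""Added example (not part of the original article): compute Microsoft's
A/B/C/D release Tuesdays and the exposure window until the next scheduled
Patch Tuesday. Standard library only; out-of-band updates are ignored."""
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def nth_tuesday(year: int, month: int, n: int) -> date:
    """Return the n-th Tuesday (1..4) of the given month.

    n == 1 is the A release, 2 the B release (Patch Tuesday), 3 the C
    release and 4 the D release, as described in the article.
    """
    if not 1 <= n <= 4:
        raise ValueError("n must be 1..4 (A, B, C or D release)")
    first = date(year, month, 1)
    # Days from the 1st forward to the first Tuesday of the month.
    offset = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def release_tuesdays(year: int, month: int) -> dict:
    """Map release letter -> date for one month."""
    return {letter: nth_tuesday(year, month, i + 1)
            for i, letter in enumerate("ABCD")}


def patch_tuesday(year: int, month: int) -> date:
    """The B release: second Tuesday, when security fixes ship."""
    return nth_tuesday(year, month, 2)


def next_patch_tuesday(today: date) -> date:
    """First scheduled Patch Tuesday on or after `today`.

    Rolls over to the next month (and year, after December) when this
    month's Patch Tuesday has already passed.
    """
    candidate = patch_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate
    if today.month == 12:
        return patch_tuesday(today.year + 1, 1)
    return patch_tuesday(today.year, today.month + 1)


def exposure_window(iso_day: str) -> int:
    """Days from an ISO date (e.g. a disclosure day) until the next
    scheduled security release; 0 when that day is itself Patch Tuesday."""
    today = date.fromisoformat(iso_day)
    return (next_patch_tuesday(today) - today).days


if __name__ == "__main__":
    # Constructed sample: the month discussed in the article.
    for letter, day in release_tuesdays(2021, 7).items():
        print(f"{letter} release: {day}")
    # Days between a mid-month disclosure and the next scheduled fix.
    print("exposure window from 2021-07-14:", exposure_window("2021-07-14"), "days")
```

Running the script for July 2021 shows the B release on 2021-07-13, and a bug disclosed the day after (2021-07-14) would wait 27 days for the August release if no out-of-band update were issued; that worst-case gap of roughly four to five weeks is the window the criticism above refers to.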

The latest Patch Tuesday (as of this post’s date) provides a good example for this discussion. In the July 2021 Patch Tuesday, 9 of the 97 vulnerabilities addressed turned out to be zero-days, and 4 of those zero-days were being actively exploited in the wild, according to the Microsoft update guide. Among these 4 zero-days, only the PrintNightmare vulnerability (CVE-2021-34527) had been patched ahead of Patch Tuesday as an urgent fix. And that urgency was due mostly to Chinese researchers’ accidental public disclosure of the PrintNightmare vulnerability on GitHub rather than to its criticality or to its being a zero-day actively exploited in the wild.

This will surprise some of your readers, but my primary interest is not with computer security. I am primarily interested in writing software that works as intended.

Wietse Venema

