Reflecting on 10 years of Microsoft’s Patch Tuesday

A decade after it started, Microsoft excels at addressing security concerns when compared with its competitors

Today marks the 10th anniversary of the debut of Microsoft’s Patch Tuesday program, through which it would regularly issue fixes to its software on the second Tuesday of every month. It had been possible to check for updates via the Windows Update application in Windows XP, but now Microsoft was actually going to push out fixes.

Steve Ballmer introduced Patch Tuesday at the Worldwide Partner Conference in New Orleans in October 2003. “Our goal is simple: Get our customers secure and keep them secure,” Ballmer said in a statement. “Our commitment is to protect our customers from the growing wave of criminal attacks.”

RELATED: Microsoft finally patches gaping IE exploit with Patch Tuesday update

Patch Tuesday brought order to the patching process but allows network administrators to plan for network-wide upgrades ahead of time, since Microsoft would put out an alert the Thursday before Patch Tuesday to say what was coming. Microsoft always had to be judicious in how much information it released ahead of time because it didn’t want to tell the bad guys where it found a problem.

The day after the patches are pushed out, Microsoft holds a live chat, usually at 11 am Pacific time, to discuss the fixes.

In addition to Patch Tuesday, there has been the occasional Super Patch Tuesday, where Microsoft issues optional and non-security updates. Plus, if a really bad exploit is found, Microsoft has been known to ship what are called out-of-band patches.

It’s also had to issue patches of patches, because sometimes things get fouled up. Just this past August Microsoft had to recall six patches because they introduced new problems that, in some cases, rendered the PC unusable.

In 2008, Microsoft introduced the Microsoft Exploitability Index, which told people how severe the exploit was and whether or not an IT manager should rush out the fix. While most of us just update on patch day without a second thought, some people do actually have to be careful that the fix doesn’t break their existing apps.

At the same time, Microsoft introduced security-related programs to share early information with partners to help coordinate efforts to protect them from attacks in the wild before they become widely known. The program also provides additional information and guidance to help customers evaluate risks and prioritize the deployment of Microsoft security updates.

Critics have accused Patch Tuesday of being a gift to hackers, because if they have an exploit that isn’t fixed in one month, they have a full month to exploit it with their malware. Also, by issuing so many fixes at once, Microsoft tells the bad guys where the bugs are. They very well might rush out malware to exploit the hole in PCs that are slow to patch. This led to the term “Exploit Wednesday.”

All of this is true; and Microsoft has on a few occasions let Patch Tuesdays go by with big exploits unpatched. But compared to the track record of other firms, Microsoft is on top of things. Apple has had several instances in the last few years where exploits went for many months before being fixed. It doesn’t have a structured patch cycle like Microsoft does.

And then there’s Oracle. Since inheriting a complex and often-buggy piece of software in Java when it acquired Sun Microsystems, Oracle has been very sluggish in responding to Java problems. The result of Oracle’s flat-footed responses is that Java is the top target for hackers, according to a report from security software developer F-Secure (PDF).

Java is so insecure that 95 percent of all exploit attacks can be found in five security flaws, four of which are in Java (the fifth is a Microsoft True Type font exploit). The best thing you can do to secure your infrastructure is turn off Java, F-Secure says. That’s sad, especially given that Oracle has a huge investment in Java-based products. You’d think it would move heaven and earth to secure Java.

You can see by the fact that most exploits are in apps, browsers and Java that the company has hardened the OS significantly. Patch Tuesday isn’t flawless or without its share of problems, but it did force Microsoft to move a lot faster in addressing its problems, certainly faster than Apple and Oracle.

---

Best Microsoft MCTS Certification,
Microsoft MCITP Training at certkingdom.com