Mondays are manic, Wednesday is Hump Day, Thursdays are thirsty, and TGIF. What about poor Tuesday? Well, for the past 20 years, Tuesday has been the responsible workday, thanks to Microsoft. In this edition of Tech Time Warp, we see how in 2003, Microsoft implemented the “Patch Tuesday” concept, a standardized day for general release of security patches from the Microsoft Security Response Center (MSRC).
The idea was meant to restore order to IT: By delivering security patches on a regular cadence, network administrators could plan ahead for installing updates. The previous “ship when ready” model meant that network admins had no warning when a patch would drop and would have to drop other tasks without warning to address a new update. In response to customer feedback, Microsoft announced in October 2003 it would only release updates on the second Tuesday of the month (reserving the right to address critical updates on the former “ship when ready” model). Only limited advance warning would be provided about the security patch. In addition, all security notes were organized into one consolidated database.
Tech giants align
Other tech giants, including Adobe and Oracle, followed suit with their own patch releases timed to coincide with Microsoft’s. For 12 years, the Microsoft Patch Tuesday plan stayed the course, but in 2015, the company announced that home users would return to a “ship when ready” model, with enterprise users staying on the Patch Tuesday schedule. The idea was to keep home devices constantly up to date, reflecting lax personal attention to security updates, as well as giving network administrators the benefit of seeing how patches played in the field before they applied them in an enterprise setting.
The Patch Tuesday model isn’t perfect. Zero-day situations arise all of the time, and end users then want “out of band” releases, as a former MSRC team member reflected on Patch Tuesday’s 10th anniversary. Plus, there’s the issue of “Exploit Wednesday,” the day after Patch Tuesday, when bad actors respond to published vulnerabilities with bad code—again, taking advantage of lax security patching.
All in all, it’s a good idea to stay up to date on security patches.
Did you enjoy this installation of SmarterMSP’s Tech Time Warp? Check out others here.
Photo: Stanislav Samoylik / Shutterstock
