Patch Tuesday

Patch Tuesday [1] (also known as Update Tuesday [1] [2]) is an unofficial term for the day on which Microsoft, Adobe, Oracle and other vendors regularly release patches for their software products. [3] The term is widely used in the industry. [4] [5] [6] Microsoft formalized Patch Tuesday in October 2003. [1] [7] Within Microsoft, Patch Tuesday is also known as the "B" release, to distinguish it from the "C" and "D" releases that occur in the third and fourth weeks of the month, respectively. [1]

Patch Tuesday occurs on the second Tuesday of each month [8] in North America. Critical security updates are occasionally released outside of the normal Patch Tuesday cycle; these are known as "out-of-band" releases. As far as the integrated Windows Update (WU) function is concerned, Patch Tuesday begins at 10:00 a.m. Pacific Time. [9] Vulnerability information is immediately available in the Security Update Guide. The updates appear in the Download Center before they are added to WU, and the corresponding KB articles are unlocked later.

Daily updates consist of malware database refreshes for Microsoft Defender and Microsoft Security Essentials; these updates are not part of the normal Patch Tuesday release cycle.

History

Starting with Windows 98, Microsoft included Windows Update, which, once installed and run, would check for patches to Windows and its components, which Microsoft released intermittently. With the release of Microsoft Update, this system also checks for updates to other Microsoft products, such as Microsoft Office, Visual Studio and SQL Server.

Earlier versions of Windows Update suffered from two problems:

  1. Less experienced users often remained unaware of Windows Update and did not install it. Microsoft addressed this in Windows ME with the Automatic Updates component, which displayed the availability of updates and offered automatic installation.
  2. Customers with multiple copies of Windows, such as corporate users, not only had to update every Windows deployment in the company but also had to uninstall patches issued by Microsoft that broke existing functionality.

Microsoft introduced "Patch Tuesday" in October 2003 to reduce the cost of distributing patches after the Blaster worm. [10] This system accumulates security patches over a month and dispatches them all on the second Tuesday of each month, an event for which system administrators can prepare. The following day, informally known as "Exploit Wednesday", [11] marks the time when exploits for the newly announced vulnerabilities may appear in the wild and be used against machines that have not yet installed the patches.

Tuesday was chosen as the optimal day of the week to distribute software patches. This maximizes the time available before the upcoming weekend to correct any issues that arise with those patches, while leaving Monday free to address unexpected issues that might have arisen over the preceding weekend.

Security implications

An obvious security implication is that fixes for known security problems are withheld from the public for up to a month. This policy is adequate when the vulnerability is not widely known or is extremely obscure, but that is not always the case.

There have been cases where vulnerability information became public, or actual worms were circulating, before the next scheduled Patch Tuesday. In critical cases Microsoft issues the corresponding patches as soon as they are ready, which alleviates the risk provided that updates are checked for and installed frequently.
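To make the schedule and the exposure window described above concrete, here is an added example (not from the article) that computes Patch Tuesday and Exploit Wednesday dates for any month and, for a constructed host inventory, counts the monthly release cycles each host has missed as of a given date. The host names and last-patched dates are constructed, and out-of-band releases are not modelled because they do not follow the calendar.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def patch_tuesday(year, month):
    """Second Tuesday of the month: Microsoft's regular "B" release day.

    Releases go live on Windows Update at 10:00 a.m. Pacific Time; this
    model works in calendar dates only and ignores the time of day.
    """
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def exploit_wednesday(year, month):
    """The day after Patch Tuesday, when exploits derived from the patch may appear."""
    return patch_tuesday(year, month) + timedelta(days=1)


def _next_month(year, month):
    return (year, month + 1) if month < 12 else (year + 1, 1)


def patch_tuesdays_between(start, end):
    """Patch Tuesdays strictly after `start` and on or before `end`.

    Out-of-band releases are not predictable from the calendar and are
    therefore not modelled here.
    """
    found = []
    year, month = start.year, start.month
    while True:
        pt = patch_tuesday(year, month)
        if pt > end:
            return found
        if pt > start:
            found.append(pt)
        year, month = _next_month(year, month)


def latest_patch_tuesday(as_of):
    """Most recent Patch Tuesday on or before `as_of`."""
    pt = patch_tuesday(as_of.year, as_of.month)
    if pt <= as_of:
        return pt
    prev = (as_of.year, as_of.month - 1) if as_of.month > 1 else (as_of.year - 1, 12)
    return patch_tuesday(*prev)


def next_patch_tuesday(after):
    """First Patch Tuesday strictly after `after`."""
    pt = patch_tuesday(after.year, after.month)
    if pt > after:
        return pt
    return patch_tuesday(*_next_month(after.year, after.month))


# Constructed inventory: host name -> date the last cumulative update was installed.
HOSTS = {
    "ws-01": date(2023, 11, 14),    # patched on the November 2023 Patch Tuesday itself
    "srv-02": date(2023, 8, 9),     # patched the day after the August 2023 release
    "kiosk-03": date(2023, 3, 15),  # not patched since March 2023
}


def exposure_report(hosts, as_of):
    """For each host, the monthly release cycles it has missed as of `as_of`."""
    report = {}
    for name, last_patched in hosts.items():
        missed = patch_tuesdays_between(last_patched, as_of)
        report[name] = {
            "missed_cycles": len(missed),
            "oldest_missed": missed[0] if missed else None,
            "next_release": next_patch_tuesday(as_of),
        }
    return report


if __name__ == "__main__":
    for host, info in exposure_report(HOSTS, date(2024, 1, 15)).items():
        print(host, info)
```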

At the Ignite 2015 event, Microsoft announced a change in how it distributes security patches: security updates are released to home PCs, tablets and phones as soon as they are ready, while enterprise customers stay on the monthly update cycle, which was reworked as Windows Update for Business. [12]

Exploit Wednesday

Many exploitation events are seen shortly after the release of a patch; [13] analysis of the patch helps exploit developers take immediate advantage of the previously undisclosed vulnerability, which remains present on unpatched systems. [14] Hence the term "Exploit Wednesday" was coined. [15]

Discontinued Windows versions

Microsoft warned users that it discontinued support for Windows XP on April 8, 2014, and that users running Windows XP afterwards would be at risk of attacks. Because security patches for newer Windows versions can reveal similar (or the same) vulnerabilities that are also present in older Windows versions, this can enable attacks on devices running unsupported Windows versions (cf. "zero-day attacks"). However, Microsoft stopped fixing such (and other) vulnerabilities in unsupported Windows versions, regardless of how widely known they became, leaving devices running these versions vulnerable to attack. Microsoft made a single exception during the rapid spread of the WannaCry ransomware and in May 2017 released patches for the by-then-unsupported Windows XP, Windows 8, and Windows Server 2003 (in addition to the then-supported Windows versions). [16]

Extended support for Windows Vista ended on April 11, 2017, leaving vulnerabilities discovered afterwards unfixed and creating the same situation for Vista as for XP before it. [17]

Support for Windows 7 (including Service Pack 1) ended on January 14, 2020, [17] and for Windows 8.1 on January 10, 2023; [17] this creates the same "unfixed vulnerabilities" issue for users of these operating systems. Support for Windows 8 had already ended on January 12, 2016 (users had to install Windows 8.1 or Windows 10 to continue receiving support), and support for Windows 7 without SP1 ended on April 9, 2013 (users could install SP1 to continue receiving support until 2020, or had to install Windows 8.1 or Windows 10 to receive support after 2020). [17]

Windows 10 and 11

Starting with Windows 10, Microsoft began releasing feature updates for Windows twice per year. These releases brought new functionality and are governed by Microsoft's modern lifecycle policy, which specifies a support period of 18 to 36 months. This is in contrast to previous Windows versions, which received only infrequent updates via service packs and whose support was governed by the fixed lifecycle policy. With the release of Windows 11, both Windows 10 and Windows 11 moved to annual feature updates released in the second half of the year.

Once a release's support period ends, devices must be updated to the latest feature update in order to continue receiving updates from Microsoft. For Home and Pro editions of Windows 10 and 11, the latest Windows version is therefore downloaded and installed automatically when a device approaches its end-of-support date.

Windows 10 versions

In the "Supported until" columns, GAC [note 1] covers the Home, Pro, Pro Education and Pro for Workstations editions (first date) and the Education, Enterprise and IoT Enterprise editions (second date, where it differs); LTSC [note 2] covers the Enterprise and IoT Enterprise editions; Mobile is Windows 10 Mobile.

| Version | Codename | Marketing name | Build | Release date | Supported until: GAC | Supported until: LTSC | Supported until: Mobile |
|---|---|---|---|---|---|---|---|
| 1507 | Threshold | | 10240 | July 29, 2015 | May 9, 2017 | October 14, 2025 [note 3] | |
| 1511 | Threshold 2 | November Update | 10586 | November 10, 2015 | October 10, 2017 | | January 9, 2018 |
| 1607 | Redstone | Anniversary Update | 14393 | August 2, 2016 | April 10, 2018 (Home, Pro) [note 4]; April 9, 2019 (Education, Enterprise) [note 4] | October 13, 2026 [note 5] | October 9, 2018 |
| 1703 | Redstone 2 | Creators Update | 15063 | April 5, 2017 [note 6] | October 9, 2018 (Home, Pro); October 8, 2019 (Education, Enterprise) [note 7] | | June 11, 2019 |
| 1709 | Redstone 3 | Fall Creators Update | 16299 [note 8] | October 17, 2017 | April 9, 2019 (Home, Pro); October 13, 2020 (Education, Enterprise) [note 9] | | January 14, 2020 |
| 1803 | Redstone 4 | April 2018 Update | 17134 | April 30, 2018 | November 12, 2019 (Home, Pro); May 11, 2021 (Education, Enterprise) [note 10] | | |
| 1809 | Redstone 5 | October 2018 Update | 17763 | November 13, 2018 [note 11] | November 10, 2020 [note 12] | January 9, 2029 [note 13] | |
| 1903 | 19H1 | May 2019 Update | 18362 | May 21, 2019 | December 8, 2020 | | |
| 1909 | 19H2 | November 2019 Update | 18363 | November 12, 2019 | May 11, 2021 (Home, Pro); May 10, 2022 (Education, Enterprise) | | |
| 2004 | 20H1 | May 2020 Update | 19041 | May 27, 2020 | December 14, 2021 | | |
| 20H2 | 20H2 | October 2020 Update | 19042 | October 20, 2020 | May 10, 2022 (Home, Pro); May 9, 2023 (Education, Enterprise) | | |
| 21H1 | 21H1 | May 2021 Update | 19043 | May 18, 2021 | December 13, 2022 | | |
| 21H2 | 21H2 | November 2021 Update | 19044 | November 16, 2021 | June 13, 2023 (Home, Pro); June 11, 2024 (Education, Enterprise) | January 12, 2027 (Enterprise); January 13, 2032 (IoT Enterprise) [note 14] | |
| 22H2 | 22H2 | 2022 Update | 19045 | October 18, 2022 | October 14, 2025 | | |

Support status (shown by color in the original table): old version, no longer supported by Microsoft; older version, no longer the latest but still supported; latest (by SKU) public version of Windows 10.

Notes:
  1. General Availability Channel, formerly Semi-Annual Channel (SAC) and Current Branch (CB).
  2. Long-Term Servicing Channel, formerly Long-Term Servicing Branch (LTSB).
  3. Mainstream support ended on October 13, 2020.
  4. January 10, 2023 for Intel Clover Trail based systems.
  5. Mainstream support ended on October 12, 2021.
  6. April 11, 2017 for Education, Enterprise, and IoT Enterprise editions.
  7. March 9, 2021 for Surface Hub devices.
  8. Windows 10 Mobile: 15254.
  9. Originally EOS by April 14, 2020, but postponed due to the COVID-19 pandemic.
  10. Version 1803 originally EOS by November 10, 2020, but postponed due to the COVID-19 pandemic.
  11. Originally released on October 2, 2018, but pushed back due to bugs.
  12. Originally EOS by May 12, 2020, but postponed due to the COVID-19 pandemic.
  13. Mainstream support until January 9, 2024.
  14. Mainstream support until January 12, 2027.
Windows 11 versions

| Version | Codename | Marketing name | Build | Release date | Supported until: Home, Pro, SE, Pro Education, Pro for Workstations | Supported until: Education, Enterprise, IoT Enterprise |
|---|---|---|---|---|---|---|
| 21H2 | Sun Valley | | 22000 | October 4, 2021 | October 10, 2023 | October 8, 2024 |
| 22H2 | Sun Valley 2 | 2022 Update [note 1] | 22621 | September 20, 2022 | October 8, 2024 | October 14, 2025 |
| 23H2 | Sun Valley 3 | 2023 Update | 22631 | October 31, 2023 | November 11, 2025 | November 10, 2026 |

Support status (shown by color in the original table): old version, no longer supported by Microsoft; older version, no longer the latest but still supported; latest (by SKU) public version of Windows 11.

Notes:
  1. Four updates were released:
     "Moment 1" with build 22621.675 on October 18, 2022
     "Moment 2" with build 22621.1344 on February 28, 2023
     "Moment 3" with build 22621.1778 on May 24, 2023
     "Moment 4" with build 22621.2361 on September 26, 2023

In addition to the commonly used editions like Home and Pro, Microsoft offers specialized Long-Term Servicing Channel (LTSC) versions of Windows 10 with longer support timelines, governed by Microsoft's fixed lifecycle policy. For instance, Windows 10 Enterprise 2016 LTSB will receive extended support until October 13, 2026, [18] and Windows 10 LTSC 2019 will receive extended support until January 9, 2029. [19]

Adoption by other companies

SAP's "Security Patch Day", on which the company advises users to install security updates, was chosen to coincide with Patch Tuesday. [20] Adobe Systems' update schedule for Flash Player has also coincided with Patch Tuesday since November 2012. [21] One reason for this is that Flash Player has shipped as part of Windows since Windows 8, and Flash Player updates for the built-in and the plugin-based versions both need to be published at the same time in order to prevent reverse-engineering threats. Oracle's quarterly updates also coincide with Patch Tuesday. [22]

Bandwidth impact

Windows Update uses the Background Intelligent Transfer Service (BITS) to download updates using idle network bandwidth. [23] However, BITS uses the speed reported by the network interface card (NIC) to calculate the available bandwidth. This can lead to bandwidth calculation errors, for example when a fast network adapter (e.g. 10 Mbit/s) is connected to the network via a slow link (e.g. 56 kbit/s); according to Microsoft, "BITS will compete for the full bandwidth [of the NIC] ... BITS has no visibility of the network traffic beyond the client." [24]

Furthermore, Microsoft's Windows Update servers do not honor TCP's slow-start congestion control strategy. [25] As a result, other users on the same network may experience significantly slower connections while machines are actively retrieving updates. This is particularly noticeable in environments where many machines individually retrieve updates over a shared, bandwidth-constrained link, such as those found in many multi-PC homes and small to medium-sized businesses. The bandwidth demands of patching large numbers of computers can be reduced significantly by deploying Windows Server Update Services (WSUS) to distribute the updates locally.

In addition to downloading updates from Microsoft servers, Windows 10 devices can "share" updates peer-to-peer with other Windows 10 devices on the local network, or even with Windows 10 devices on the Internet. This can potentially distribute updates faster while reducing usage on networks with a metered connection. [26] [27]

References

  1. Wilcox, John (2018). "Windows 10 update servicing cadence". Microsoft.
  2. "August updates for Windows 8.1 and Windows Server 2012 R2". Windows Experience Blog. Retrieved 25 November 2015.
  3. "April 2020 Patch Tuesday: Microsoft fixes three actively exploited vulnerabilities". Help Net Security. 2020-04-14. Retrieved 2020-10-12.
  4. "Microsoft Patch Tuesday to target Windows, IE". CNet. October 10, 2011. Retrieved November 9, 2011.
  5. ".NET Framework 1.1 Servicing Releases on Windows Update for 64-bit Systems". Microsoft. March 28, 2006. Archived from the original on March 27, 2012. Retrieved November 8, 2011.
  6. "Understanding Windows automatic updating". Microsoft, Understanding Windows, Get Help. Retrieved July 3, 2014.
  7. Budd, Christopher. "Ten Years of Patch Tuesdays: Why It's Time to Move On". GeekWire. Retrieved 28 July 2015.
  8. "When does Microsoft release security updates". Microsoft MSRC.
  9. "Patch Tuesday updates to Windows and Office: What you need to know". Hewlett Packard Enterprise. Retrieved 15 February 2022.
  10. "Microsoft details new security plan". News.cnet.com. Retrieved 2013-02-12.
  11. Paul Oliveria (Trend Micro Technical Communications) (4 October 2006). "Patch Tuesday… Exploit Wednesday". Blog.trendmicro.com. Retrieved 9 February 2016.
  12. "Windows 10 bombshell: Microsoft to KILL OFF Patch Tuesday". theregister.co.uk. Retrieved 25 November 2015.
  13. "Exploit Wednesday". afterdawn.com. Retrieved 25 November 2015.
  14. Kurtz, George (2010-01-14). "Operation "Aurora" Hit Google, Others". mcafee.com. Archived from the original on 2012-01-17. Retrieved 2014-08-12.
  15. Leffall, Jabulani (2007-10-12). "Are Patches Leading to Exploits?". Redmond Magazine. Retrieved 2009-02-25.
  16. "Customer Guidance for WannaCrypt attacks". MSRC. Retrieved 2017-11-23.
  17. "Windows lifecycle fact sheet". Microsoft. 2015-08-31. Retrieved 2015-08-31.
  18. "Windows 10 2016 LTSB - Microsoft Lifecycle". Microsoft Docs. Retrieved 2021-08-22.
  19. "Windows 10 LTSC 2019 - Microsoft Lifecycle". Microsoft Docs. Retrieved 2021-08-22.
  20. von Etizen, Chris (2010-09-15). "SAP introduces a patch day". The H Security. Archived from the original on 11 August 2011. Retrieved 2013-01-07.
  21. McAllister, Neil (2012-11-08). "Adobe switches Flash fix schedule to Patch Tuesdays". The Register. Retrieved 2013-01-07.
  22. "Oracle Tackles a Massive 405 Bugs for Its April Quarterly Patch Update". threatpost.com. Retrieved 2020-10-12.
  23. "About BITS". MSDN. Microsoft. Retrieved 26 March 2016.
  24. stevewhims (2020-08-19). "Network Bandwidth - Win32 apps". learn.microsoft.com. Retrieved 2023-12-22.
  25. Strong, Ben (2010-11-25). "Google and Microsoft Cheat on Slow Start". benstrong.com. Archived from the original (blog) on December 7, 2013.
  26. Warren, Tom (15 March 2015). "Microsoft to deliver Windows 10 updates using peer-to-peer technology". The Verge. Vox Media.
  27. Chacos, Brad (3 August 2015). "How to stop Windows 10 from using your PC's bandwidth to update strangers' systems". PC World. IDG.