Patch Tuesday is the unofficial name of Microsoft’s scheduled release of the newest security fixes for its Windows operating system and other software applications, as documented in the Windows Security Updates Guide. Patch Tuesday occurs on the second Tuesday of every month.
History of Patch Tuesday
Microsoft first introduced Patch Tuesday in 2003 as a way of reducing costs associated with patch deployment. Normally, updates consisted of Microsoft security bulletins organized around different services and products like Office, .NET Framework, Internet Explorer and much more. Each monthly release would consist of about 15-20 security bulletins.
Each vulnerability in a Microsoft security bulletin would be given a severity rating. ‘Important’ means the vulnerability would need user interaction to be exploited. ‘Critical’ means the flaw could be exploited without warning or user interaction. A vulnerability could also be rated ‘critical’ if it was a zero-day, which means it was found being actively exploited in the wild before the security patch was released.
Microsoft had been rolling out monthly security updates for more than a decade when, in February 2017, it suddenly canceled the Patch Tuesday release for that month due to a last-minute problem.
While Microsoft did not reveal what the issue was, professionals in the IT industry believe it was related to the U.S. National Security Agency’s (NSA) Windows exploits, which were stolen by unknown threat actors and later published by the Shadow Brokers hacking group.
According to the reports, the NSA disclosed the exploits to Microsoft before their publication by the Shadow Brokers. Microsoft patched a number of critical vulnerabilities on Patch Tuesday, including those targeted by the NSA’s Windows exploits.
Out-of-Band Patches
If a zero-day vulnerability is risky enough, affecting unsupported systems and being widely exploited, Microsoft may release an out-of-band patch. In this scenario, the patch is released without waiting for the next Patch Tuesday, along with an advisory encouraging users to patch immediately.
A successful vulnerability management program is an essential part of any network, regardless of the number of systems you’re managing. There are some key things you should know about maximizing the effectiveness of Patch Tuesday. Here are the dos and don’ts of Patch Tuesday.
The Dos of Patch Tuesday Management
1. Deploy a System That Can Patch More Than Just the Operating System
Consider all the third-party applications and plugins, such as media players, PDF readers, browser plugins and more, that are installed on your systems. Apple, Adobe and others release patches many times within a year. Many of these security updates are in response to exploits that are in the wild. Manually updating Flash on every workstation you have may cost more than the price of a patch management system, and you’ll need to update Flash more than once a year.
2. Test Patches Before Deploying Them
While every vendor does everything they can to test patches before releasing them to clients, it’s not possible to test every possible combination of software and configuration. Many times a Patch Tuesday update is deployed only to break a mission-critical function. Keep a set of workstations and test services for this purpose, and make sure you QA any patches before deploying them.
3. Establish Regular Maintenance Windows for Patching
If you have different systems in your organization, you need to find a team that will focus on the maintenance of Windows. If any one of the systems has issues, the IT experts will be able to identify and resolve them immediately. Patching must take priority, and having a regularly scheduled window that supersedes other concerns helps to ensure that you can get the systems patched.
The Don’ts of Patch Tuesday
1. Don’t Assume You Will Know About Issues Before They Become a Problem
Subscribe your IT distribution list to the security advisories for every vendor you use. You can add their RSS feeds to your reader. Follow security-related accounts on social media platforms. When a zero-day exploit hits, you will know about it as quickly as possible.
2. Don’t Assume Your Systems Are Patched
Regardless of the system you use, ensure you check the reports and verify that the patches you pushed were deployed to all systems successfully. Running security scans is an ideal way to confirm that all your systems were effectively updated. Also, don’t forget the users who work remotely. They also need to be patched and may not always connect to your internal network.
3. Don’t Use a Solution That Only Patches the Operating System
Setting every system to update automatically is better than nothing. WSUS helps you centralize your patching and creates great reports. While the price is high, you get what you pay for. Patching only the operating system and Office products leaves other third-party applications unpatched, and it may lead to a system being exploited. This is an important part of your vulnerability management concerning Patch Tuesday.
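The verification step from "Don’t Assume Your Systems Are Patched" can be automated by reconciling the asset inventory against the deployment report. The following is an added example, not code from the original article or from any vendor; the CSV columns, hostnames, dates and the update id KB-EXAMPLE are constructed placeholders.

```python
import csv
import io
from datetime import date

# Constructed sample data. Column names, hostnames and the update id are
# placeholders, not the export format of any particular patching product.
INVENTORY_CSV = """hostname,location
ws-001,office
ws-002,office
lt-014,remote
lt-015,remote
srv-db1,datacenter
"""
REPORT_CSV = """hostname,update,status,last_checkin
ws-001,KB-EXAMPLE,Installed,2024-06-12
ws-002,KB-EXAMPLE,Failed,2024-06-12
lt-014,KB-EXAMPLE,Pending,2024-05-02
srv-db1,KB-EXAMPLE,Installed,2024-06-11
"""

def reconcile(inventory_csv, report_csv, update, released):
    """Classify every inventoried host for one update released on `released`."""
    hosts = [r["hostname"].strip().lower()
             for r in csv.DictReader(io.StringIO(inventory_csv))]
    rows = {r["hostname"].strip().lower(): r
            for r in csv.DictReader(io.StringIO(report_csv))
            if r["update"] == update}
    result = {"patched": [], "not_installed": [], "stale": [], "not_reporting": []}
    for host in hosts:
        row = rows.get(host)
        if row is None:
            # In the inventory but absent from the report: never targeted,
            # agent missing, or the machine is unknown to the patch system.
            result["not_reporting"].append(host)
        elif date.fromisoformat(row["last_checkin"]) < released:
            # No check-in since release (typical for remote laptops), so the
            # reported status cannot reflect this update.
            result["stale"].append(host)
        elif row["status"] == "Installed":
            result["patched"].append(host)
        else:
            result["not_installed"].append(host)
    return result

if __name__ == "__main__":
    summary = reconcile(INVENTORY_CSV, REPORT_CSV, "KB-EXAMPLE", date(2024, 6, 11))
    for state, names in summary.items():
        print(f"{state:14} {', '.join(names) or '-'}")
```

Hosts in the stale and not_reporting groups are the ones a report-only review misses, which is why the inventory, not the report, drives the loop.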
In conclusion, if you follow the above points, you are on your way to deploying a successful patch management technique that will help secure your systems.
Do you want to learn more about Patch Tuesday Do’s & Don’ts and help your IT team manage Patch Tuesday? If yes, Vicarius is your go-to cybersecurity company.
Topia is a vulnerability management software that targets cybersecurity officers and operators, as well as IT managers and operators from the U.S. market. If you would like to implement a patch management tool, we are here for you.