Security - Channel Insider
    Is 'Patch Tuesday' Dead?

    in Security




      Table of Contents:
    1. Is 'Patch Tuesday' Dead?
    2. Hackers' Window of Opportunity

    After five years of Microsoft releasing patches on the second Tuesday of the month, there’s some evidence that hackers are trying to game the release cycle to their advantage. Is it time for Microsoft to change its pattern?


    Is 'Patch Tuesday' Dead? - Hackers' Window of Opportunity


    ( Page 2 of 2 )

     

    Microsoft is aware of the window of opportunity between Patch Tuesday and the actual deployment of patches in production environments. For years, the recommended best practice for patching has called for security teams to conduct regression testing in nonproduction environments before rolling out to production machines. The lag introduced by that testing is the exploitation window.

    Microsoft even acknowledges the potential for hackers to keep exploits in reserve to see what fixes are released on Patch Tuesday. However, it believes both the process and layers of protection built into the Patch Tuesday release cycle provide adequate protection against many exploits. The first line of defense is the Active Protection Program, a collaborative effort by Microsoft and 22 partners to provide intermediary workarounds and shields against the exploitation of vulnerabilities before new patches are deployed.

    “If you look at Patch Tuesday, we provide means to protect and information to prioritize the patch deployment,” says Mike Reavey, director of the Microsoft Security Response Center, the unit charged with triaging Microsoft vulnerabilities and creating patches. “The window of vulnerability is what Active Protection was designed for. While users are doing their regression testing of the new patch, they’re being protected by the 22 vendors in the program.”

    Additionally, automatic updates embedded in Windows and other Microsoft applications enable Microsoft to transparently deploy patches—which is particularly useful for home and small-business users that don’t follow security bulletins or have dedicated administrative support.

    When all else fails, Reavey says Microsoft will deploy a patch outside the regular Patch Tuesday cycle. While Microsoft released three out-of-band patches in 2008, it has only broken the Patch Tuesday cycle eight times in the last five years, Reavey says.
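    The schedule discussed above can be expressed concretely. The following helper, added here as an illustration and not code from Channel Insider or Microsoft, computes the month's Patch Tuesday (the second Tuesday), flags a bulletin date that falls outside that cycle as out-of-band, and measures the exposure window between a release and the date a regression-tested patch actually reaches production. The dates used in the usage section are constructed sample values, not a record of specific bulletins.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0, so Tuesday == 1


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month, the regular release day."""
    first_of_month = date(year, month, 1)
    # Days to add to reach the first Tuesday on or after the 1st.
    offset = (TUESDAY - first_of_month.weekday()) % 7
    first_tuesday = first_of_month + timedelta(days=offset)
    return first_tuesday + timedelta(days=7)


def next_patch_tuesday(today: date) -> date:
    """Return the upcoming Patch Tuesday on or after `today`."""
    this_month = patch_tuesday(today.year, today.month)
    if this_month >= today:
        return this_month
    # Roll over to the following month (handles December -> January).
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return patch_tuesday(year, month)


def is_out_of_band(release: date) -> bool:
    """True when a bulletin was released on a day other than that month's Patch Tuesday."""
    return release != patch_tuesday(release.year, release.month)


def exposure_days(release: date, deployed: date) -> int:
    """Length of the window between a patch release and its production deployment."""
    if deployed < release:
        raise ValueError("deployment date precedes release date")
    return (deployed - release).days


def deployment_deadline(release: date, regression_days: int) -> date:
    """Latest production rollout date if regression testing is budgeted at `regression_days`."""
    return release + timedelta(days=regression_days)


if __name__ == "__main__":
    # Constructed sample dates for illustration only.
    release = patch_tuesday(2009, 1)
    deployed = date(2009, 1, 27)
    print("Patch Tuesday:", release)
    print("Exposure window (days):", exposure_days(release, deployed))
    print("Deadline with 10-day test budget:", deployment_deadline(release, 10))
    print("2008-12-17 out-of-band?", is_out_of_band(date(2008, 12, 17)))
```

Tracking the exposure window per month gives a security team a number to shrink: the larger it is, the longer a reserved exploit has to work before the regression-tested patch lands in production.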

    “The customers I’ve talked with still appreciate the predictable cycle,” Reavey says. “Having partners that provide protection and releasing more information keep [Patch Tuesday] relevant.”

    Few people will dispute the utility and effectiveness of Patch Tuesday. While Microsoft is releasing only one patch this month, software rival Oracle is unleashing a tsunami of 41 patches for numerous applications. But should Microsoft consider a slightly less predictable patch release process? Reavey says no, but others say it should be on the table.

    “Microsoft maybe should start thinking about some additional randomization; it might be helpful,” FishNet’s Shilts says. “It’s probably better to have regularity and have a process in place to deploy patches as they come out.”

    By Lawrence Walsh