Is 'Patch Tuesday' Dead?
By Lawrence Walsh | Posted 2009-01-13
After five years of Microsoft releasing patches on the second Tuesday of the month, there’s some evidence that hackers are trying to game the release cycle to their advantage. Is it time for Microsoft to change its pattern?
Microsoft’s first Patch Tuesday of the new year is an unusually singular effort; the company is releasing a single patch to correct a remote code vulnerability in all versions of Windows server.
When Microsoft created Patch Tuesday in October 2003, it was a mechanism for bringing regularity and predictability to the patch release process. Prior to Patch Tuesday, Microsoft was routinely criticized for the chaotic and unpredictable process of releasing patches whenever they became available.
At some points over the last five years, dozens of patches have been released on a single Patch Tuesday. To have only one patch come out may seem like a milestone for Microsoft, a sign that Patch Tuesday and the Trustworthy Computing Initiative—the sweeping program enacted by Bill Gates in 2002 to correct Microsoft’s vulnerability-ridden software—have achieved their goals.
"Microsoft has become more and more risk averse over time in an effort to protect its brand, so they're going to release patches as quickly as possible," says Aaron Shilts, vice president of professional services at FishNet Security, one of the largest security solution providers.
The truth is Patch Tuesday is far from being dead, and, in fact, some wonder whether Microsoft needs to introduce some irregularity to the patch release cycle to keep hackers and malware writers on their toes. Evidence exists that hackers are waiting for Patch Tuesday to see what fixes are released and what remains vulnerable before unleashing new exploit code. Hackers are either releasing existing exploits or reverse engineering the patch to create an exploit before the fix is widely deployed.
"It’s not uncommon that Microsoft releases a patch that criminals are trying to take advantage of the time, the window of opportunity, because they don’t immediately patch," says Paul Ferguson, director of Trend Micro’s Advance Threat Research.
Rewind a month to Patch Tuesday, December 2008, when Microsoft issued nine patches for a series of remote code vulnerabilities in the Windows operating system, Media Player and Internet Explorer. Within days of Patch Tuesday, reports started surfacing of a critical vulnerability in Internet Explorer that opens the door for Trojans to stealthily download from malicious Web sites. At one point, Trend Micro reported that more than 6,000 Web sites were compromised with the Trojan and hundreds of millions of IE users were at risk. Microsoft issued an out-of-band patch to correct the vulnerability about a week after Patch Tuesday.
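As an added illustration (not code from the article), the Python below computes the second-Tuesday schedule the article describes and labels any release date as scheduled or out-of-band, reporting how many days it falls after the most recent Patch Tuesday; the sample dates are constructed, and the "one week later" out-of-band date is hypothetical since the article only says "about a week".

```python
# Added example (not from the article): Patch Tuesday calendar helpers.
from datetime import date, timedelta
from typing import List, Tuple

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's scheduled release day."""
    first = date(year, month, 1)
    days_to_first_tuesday = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def patch_tuesday_iso(year: int, month: int) -> str:
    return patch_tuesday(year, month).isoformat()


def yearly_schedule(year: int) -> List[str]:
    """All twelve scheduled release dates for a year, as ISO strings."""
    return [patch_tuesday_iso(year, m) for m in range(1, 13)]


def classify_release(iso_date: str) -> Tuple[str, int]:
    """Label a release date 'scheduled' or 'out-of-band' and report the
    number of days since the most recent Patch Tuesday on or before it.
    For an out-of-band fix, that gap is the time attackers had after the
    last scheduled drop, the window the article's sources worry about."""
    released = date.fromisoformat(iso_date)
    scheduled = patch_tuesday(released.year, released.month)
    if released < scheduled:
        # Earlier than this month's Patch Tuesday: measure from last month's.
        last_of_prev = released.replace(day=1) - timedelta(days=1)
        scheduled = patch_tuesday(last_of_prev.year, last_of_prev.month)
    gap = (released - scheduled).days
    return ("scheduled" if gap == 0 else "out-of-band", gap)


if __name__ == "__main__":
    # Constructed sample dates: the December 2008 Patch Tuesday, a
    # hypothetical out-of-band fix exactly one week later, and a date
    # that belongs to the previous month's cycle.
    for d in ("2008-12-09", "2008-12-16", "2009-01-05"):
        print(d, classify_release(d))
    print(yearly_schedule(2009))
```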
While the December IE vulnerability appeared as a zero-day exploit in waiting, the truth is the vulnerability was little more than an accident. Ferguson says a Chinese security research lab accidentally posted details of the vulnerability, which was used to create the exploit that was quickly released to the wild. The incident, however, was enough to raise the specter of hackers holding exploits until they see what Microsoft is releasing in its patch rollouts.
"Patch Tuesday still is a working model, but Microsoft shouldn’t limit itself to that one release cycle," says Brandon Dunlap, managing director of Brightfly, a security consulting group in Houston. "By having a predictable schedule, you also have a predictable schedule for the bad guys. If Microsoft is releasing a SQL Server patch, a bad guy knows that he has at least a week to exploit it."