
daveinpoway
Premium
join:2006-07-03
Poway, CA
reply to SUMware
Re: Apple patches a pile of flaws

If you depend on Microsoft for your patches, then you do not get them when they are ready (except in rare instances); you have to wait for the 2nd Tuesday of the month.

SUMware
Premium
join:2002-05-21


2 edits
said by daveinpoway:

If you depend on Microsoft for your patches, then you do not get them when they are ready (except in rare instances); you have to wait for the 2nd Tuesday of the month.

Sorry, should have been more specific. Was referring to Linux where patches/updates can become available within minutes of actual code fix, 24/7.

daveinpoway
Premium
join:2006-07-03
Poway, CA

The memory fades with time, but I can still recall a situation (prior to around 2002, if I am correct) when Microsoft always released patches when they were ready. Then, supposedly due to pressure from corporate IT folks, they switched to the "Patch Tuesday" model.

SUMware
Premium
join:2002-05-21


1 edit
According to Wikipedia:
quote:
The Windows Update system suffered from two problems, affecting opposite ends of the users scale. On the one hand, less experienced users were not aware of it, and did not run it. Microsoft's solution was to introduce the concept of "Automatic Update", which would pro-actively inform the user that an update was available for their system.

The second problem affected large deployments of Windows, such as can be found at large companies. Such large deployments found it increasingly difficult to make sure all systems across the company were all up to date. The problem was made worse by the fact that, occasionally, a patch issued by Microsoft would break existing functionality, and would have to be uninstalled.

In order to reduce the costs related to the deployment of patches, Microsoft introduced the concept of Patch Tuesday. The idea is that security patches are accumulated over a period of one month, and then dispatched all at once on an anticipated date which system administrators can prepare for. This date was set not too close to the beginning of the week, and yet far enough from the end of the week to allow any problems that may arise to be resolved before the weekend. System administrators can mark the second Tuesday of the month as the "day in which machines are updated", and plan accordingly. The name "Patch Tuesday" has been in use since the third quarter of 2004. It is becoming synonymous for the day any software vendor issues a vulnerability patch. Some editors/analysts talk about "Exploit Wednesday" as the day after, or even "Day Zero" immediately following the update, when hackers can launch attacks against the newly announced vulnerabilities.
[emphasis added]

daveinpoway
Premium
join:2006-07-03
Poway, CA

Referring to the last sentence in the article, a more significant problem (at least to me, although they didn't talk about it) is that hackers can release malware targeting vulnerabilities which haven't been announced (or patched) yet on the day after Patch Tuesday, knowing that they will have a full month before Microsoft will do anything to close the door (unless it is such an extreme problem that MS will release an "out-of-cycle" patch).

SUMware
Premium
join:2002-05-21

said by daveinpoway:

Referring to the last sentence in the article, a more significant problem (at least to me, although they didn't talk about it) is that hackers can release malware targeting vulnerabilities which haven't been announced (or patched) yet on the day after Patch Tuesday, knowing that they will have a full month before Microsoft will do anything to close the door (unless it is such an extreme problem that MS will release an "out-of-cycle" patch).

Actually, this situation is described in the article. I just didn't post it above. But since you bring it up...
quote:
Security implications of Patch Tuesday

The most obvious security implication is that security problems that have a solution are withheld from the public for a period of up to a month. Implicitly, this policy assumes that most attacks use information reverse engineered from the security patches that fix the vulnerability, rather than true "Zero day attack" exploits. It is unknown to what extent this assumption is true.

In the past, there were some cases where either vulnerability information or actual worms were released to the public a day or two before patch Tuesday. This does not leave Microsoft enough time to incorporate a fix for said vulnerabilities, and thus, theoretically, leave a one month window for attackers or the worm to exploit the hole, before a patch is available to formally fix it. This phenomenon is unrelated to Exploit Wednesday.

Exploit Wednesday

Many exploits are seen shortly after the release of a patch. By analyzing the patch, exploit developers can more easily figure out how to exploit the underlying vulnerability. Therefore the term "Exploit Wednesday" was coined. Also, starting to abuse an exploit on this day gives malicious code writers the longest period of time before a fix is supplied to users. Malware authors can sit on a new exploit until after a given patch Tuesday, knowing that there will be an entire month before Microsoft releases any patch to fix it.

Other consequences

Immediately following Patch Tuesday, millions of computers are rebooted within a short period of time. This causes an exceptional strain on other internet companies. For example, in August 2007, Skype experienced a two-day outage following Patch Tuesday.

daveinpoway
Premium
join:2006-07-03
Poway, CA

Issues like this have caused me to wonder whether the security problems with "Patch Tuesday" outweigh the convenience to the corporate IT people. Apparently, the convenience aspect has won out, since I see no signs that Microsoft is going to change their patching model anytime soon.
© 1999-2009 dslreports.com.