Patch Tuesday is the unofficial name of Microsoft's scheduled release of the newest security fixes for its Windows operating system and related software applications, as detailed in the Windows Security Updates Guide. Patch Tuesday occurs on the second Tuesday of each month.
Patch Tuesday history
Microsoft first introduced Patch Tuesday in 2003 as a means of reducing costs associated with patch deployment. Traditionally, updates consisted of Microsoft security bulletins organized around the various products and services affected like Office, Internet Explorer, .NET Framework and others. Each monthly release would consist of approximately 15 to 20 security bulletins.
Vulnerabilities within each Microsoft security bulletin would be rated "important," meaning they would require user interaction to be exploited, or "critical," meaning the flaw could be compromised without user interaction or warning. A vulnerability also could be rated "critical" if it was a zero-day, meaning it was found being actively exploited in the wild before the patch was released.
Microsoft regularly issued monthly security updates for more than a decade until February 2017. Microsoft unexpectedly cancelled the Patch Tuesday release for that month because of "a last minute issue" that was not resolved in time for the planned updates. It was the first time Microsoft had cancelled a Patch Tuesday release. While Microsoft did not disclose what the last-minute issue was, experts believe it was related to the U.S. National Security Agency's (NSA) Windows exploits, which were stolen by unknown threat actors and later published by the Shadow Brokers hacking group. According to reports, the NSA disclosed the exploits to Microsoft prior to their publication by the Shadow Brokers. Microsoft patched several critical vulnerabilities in March's Patch Tuesday, including the NSA's Windows exploits.
If a zero-day vulnerability was dangerous enough, was being exploited widely or was affecting unsupported systems, as was the case with the EternalBlue flaw exploited by the WannaCry ransomware threat, Microsoft might release an out-of-band patch. In this case, the patch would be released without waiting for the next Patch Tuesday, along with an advisory prompting users to patch immediately.
Patch Tuesday changes
In March 2017, Microsoft transitioned to the Security Update Guide, which presented patches in a way more focused on the Common Vulnerabilities and Exposures (CVE) being targeted with each patch, regardless of the product, and introduced new application performance indicators (APIs) to allow security researchers to do more with Patch Tuesday data.
Microsoft originally planned to transition to the Security Update Guide in February 2017, but instead the company cancelled Patch Tuesday that month.
When critical patches are pushed, system administrators must plan because there are a number of security issues involved in issuing patches. IT pros must ensure that security patches do not cause issues with other enterprise products.
Microsoft has continuously tried to find ways to speed up the process of businesses installing Patch Tuesday updates because even if system admins quickly install patches for zero-day vulnerabilities, more threats arise from each Patch Tuesday. Malicious actors can analyze patch code and exploit the vulnerabilities that the fixes were intended to deal with, and this process of creating exploits has gotten faster -- sometimes as short as just a couple of days.
In an effort to further streamline patch deployment, Microsoft began pushing users toward automatic updates with Windows 10, including two update branches for business customers for those in the Windows 10 Insider Program. One update ring -- the Current Branch for Business (CBB) -- holds critical updates for about 90 days, and the Long Term Servicing Branch (LTSB) -- only available to volume licensing customers -- makes patch updates even less frequent.