Patch Tuesday has been a tradition for IT professionals since 2003. That's when Microsoft established a schedule for its security updates, allowing network administrators to build compatibility testing and deployment plans into their monthly schedules.
The idea was to keep administrators from having to scramble to deal with updates released on an unpredictable schedule. There was some skepticism about the idea initially, but over the past dozen years it has become widely accepted, and other companies, such as Adobe, have adopted the same schedule.
1: When is Patch Tuesday?
There are actually two important Tuesdays on Microsoft's update schedule.
The second Tuesday of each month is the one most commonly referred to as Patch Tuesday. That's when Microsoft releases security-related updates for Windows (desktop and server editions), Office, and related products. The fourth Tuesday of each month is reserved for updates that aren't related to security.
In rare cases, Microsoft will issue what's called an "out of band" update for a security issue, publishing an update on a day other than the normal Tuesday update timeframe. Typically, this occurs only when a security issue is extremely serious and is being actively exploited.
2: How do I know what's being released?
Every security update issued by Microsoft (whether it's on Patch Tuesday or as an out-of-band release) is accompanied by a bulletin that's published by the Microsoft Security Response Center (MSRC) at roughly the same time the updates are released.
The Security Advisories and Bulletins page is the main index for all such documents. It consists of the following:
- Security Bulletin Summaries. This index consists of one document per month, organized chronologically, with the most recent documents at the top. Each summary has a full list of bulletins issued that month, with a title and executive summary for each one. The summary also includes an Exploitability Index for each bulletin, listing the risk on a 1-4 scale, with 1 meaning "Exploitation More Likely" and 4 meaning "Not Affected." At the end of the index is an Affected Software section that lists bulletins in order of major software category and severity. So, for example, if you're concerned about which new security bulletins apply to your servers running Windows Server 2008 R2, you can look here to get an exact answer.
- Security Bulletins. This list is also organized in reverse chronological order, with a separate entry for every bulletin. The naming convention uses the format MSYY-NNN. For example, MS15-042 would be the 42nd bulletin issued in 2015. Each bulletin includes an Executive Summary, an Affected Software list, and details about the vulnerability that the update resolves.
- Security Advisories. The documents listed on this page represent communications about known security issues that are not necessarily accompanied by updates. Advisories occasionally include explanations of known vulnerabilities that have been disclosed by a third party and that Microsoft considers serious. They typically include workarounds and mitigation steps, when they're available.
If you know the name of an individual security bulletin, you can look it up using this syntax:
https://technet.microsoft.com/library/security/MSy...nnn
(replacing the last block with the actual bulletin number)
3: Where do I find more details about individual bulletins?
The title of every security bulletin and advisory includes a number that corresponds to an article in the Microsoft Knowledge Base (KB). For instance, security bulletin MS14-064 was associated with KB article 3011443. The KB article typically contains more information about an individual bulletin, including workarounds, known issues, details about downloadable files, and details (including version and file hash information) about files installed or replaced as part of an update.
If you know the KB number for a bulletin, you can look it up using this syntax:
https://support.microsoft.com/kb/nnnnnnn/
(replacing the last block with the actual number)
4: What are CVE numbers?
The computer security industry has standardized on a disclosure format for what it calls Common Vulnerabilities and Exposures (CVEs). Each disclosure is published in the National Vulnerability Database (NVD), which is maintained by the US government.
CVEs use a standard numbering system that is maintained by The MITRE Corporation. Microsoft is one of many large organizations that use CVE identifiers to make it possible for security researchers to discuss issues using standard terminology. If you see a CVE number in a security bulletin, you can look it up in the NVD and use your favorite search engine for more details.
5: How do I know which updates are most important?
Every security bulletin is accompanied by a rating that represents the worst theoretical outcome if the vulnerability addressed in that bulletin were to be exploited. There are four severity ratings, listed here from most to least severe:
- Critical. This type of vulnerability, if exploited, could lead to code execution with no interaction on the part of the user. These updates should normally be applied without delay.
- Important. This severity rating applies to vulnerabilities that can be exploited to compromise the confidentiality or integrity of user data or to cause a denial of service.
- Moderate. Typically, this rating is applied to vulnerabilities that are mitigated by default configurations, authentication requirements, and so on.
- Low. This type of vulnerability normally requires either extensive interaction or an unusual configuration.
Microsoft has published the complete documentation for this rating system in a Security TechCenter article: "Security Bulletin Severity Rating System."
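The identifier formats and the severity and Exploitability Index scales described in sections 2 through 5 lend themselves to a small triage script. The following is an added example written for this page, not code from TechRepublic or Microsoft: it validates MSYY-NNN bulletin ids, KB article numbers and CVE ids, builds the TechNet and KB lookup URLs in the syntax quoted above, and orders a month's bulletins for a given product by severity and then by Exploitability Index. The bulletin records are constructed sample data with placeholder ids, KB numbers and CVEs, and the NVD detail-page URL pattern is an assumption of the example rather than something the article states.

```python
import re
from dataclasses import dataclass

# Identifier formats named in the article: MSYY-NNN security bulletins, numeric
# Knowledge Base article numbers, and MITRE-assigned CVE identifiers.
BULLETIN_RE = re.compile(r"^MS(\d{2})-(\d{3})$")
KB_RE = re.compile(r"^(?:KB)?(\d{6,7})$")
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Microsoft's four severity ratings, most to least severe.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
# Exploitability Index values: 1 = "Exploitation More Likely" ... 4 = "Not Affected".
EXPLOITABILITY_RANGE = range(1, 5)


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str      # e.g. "MS15-042"
    kb: str               # KB article number, with or without a "KB" prefix
    cves: tuple           # CVE identifiers referenced by the bulletin
    severity: str         # one of SEVERITY_RANK
    exploitability: int   # Exploitability Index, 1-4
    affected: tuple       # product names from the Affected Software section


def parse_bulletin_id(bulletin_id):
    """Split an MSYY-NNN identifier into (year, sequence number)."""
    m = BULLETIN_RE.match(bulletin_id)
    if not m:
        raise ValueError(f"not an MSYY-NNN bulletin id: {bulletin_id!r}")
    return 2000 + int(m.group(1)), int(m.group(2))


def bulletin_url(bulletin_id):
    """TechNet lookup URL, following the syntax quoted in the article."""
    parse_bulletin_id(bulletin_id)  # raises on a malformed id
    return f"https://technet.microsoft.com/library/security/{bulletin_id}"


def kb_url(kb):
    """Knowledge Base lookup URL, following the syntax quoted in the article."""
    m = KB_RE.match(kb)
    if not m:
        raise ValueError(f"not a KB article number: {kb!r}")
    return f"https://support.microsoft.com/kb/{m.group(1)}/"


def cve_url(cve):
    """NVD detail page for a CVE (URL pattern is an assumption, not from the article)."""
    if not CVE_RE.match(cve):
        raise ValueError(f"not a CVE identifier: {cve!r}")
    return f"https://nvd.nist.gov/vuln/detail/{cve}"


def record_errors(b):
    """Return a list of problems with a bulletin record; an empty list means usable."""
    errors = []
    for pattern, value in ((BULLETIN_RE, b.bulletin_id), (KB_RE, b.kb)):
        if not pattern.match(value):
            errors.append(f"malformed identifier {value!r}")
    errors.extend(f"malformed CVE {c!r}" for c in b.cves if not CVE_RE.match(c))
    if b.severity not in SEVERITY_RANK:
        errors.append(f"unknown severity {b.severity!r}")
    if b.exploitability not in EXPLOITABILITY_RANGE:
        errors.append(f"exploitability index {b.exploitability!r} outside 1-4")
    return errors


def priority_key(b):
    """Sort key: severity first, then Exploitability Index, then bulletin order."""
    return (SEVERITY_RANK[b.severity], b.exploitability, parse_bulletin_id(b.bulletin_id))


def triage(bulletins, product=None):
    """Valid bulletins affecting `product` (all products if None), most urgent first."""
    chosen = [b for b in bulletins
              if not record_errors(b) and (product is None or product in b.affected)]
    return sorted(chosen, key=priority_key)


# Constructed sample month: placeholder ids, KB numbers and CVEs, not real bulletins.
SAMPLE_BULLETINS = (
    Bulletin("MS15-901", "KB9990001", ("CVE-2015-99901",), "Important", 1,
             ("Windows Server 2008 R2", "Windows 7")),
    Bulletin("MS15-902", "9990002", ("CVE-2015-99902",), "Critical", 2,
             ("Office 2013",)),
    Bulletin("MS15-903", "9990003", ("CVE-2015-99903", "CVE-2015-99904"), "Critical", 1,
             ("Windows Server 2008 R2", "Windows 8.1")),
    Bulletin("MS15-904", "9990004", ("CVE-2015-99905",), "Low", 4,
             ("Windows 7",)),
    Bulletin("MS15-9X5", "9990005", ("CVE-2015-99906",), "Critical", 1,
             ("Windows 7",)),  # malformed id: dropped by triage, reported by record_errors
)


if __name__ == "__main__":
    for b in triage(SAMPLE_BULLETINS, product="Windows Server 2008 R2"):
        print(b.bulletin_id, b.severity, b.exploitability, kb_url(b.kb))
```

Running the script lists the sample bulletins that apply to Windows Server 2008 R2 with the Critical, Exploitability 1 entry first, which mirrors the way the Affected Software section of a monthly summary is meant to be read; records that fail validation are excluded from the ordering rather than silently sorted, so a typo in a hand-entered bulletin id shows up in `record_errors` instead of disappearing from the deployment plan.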
6: Can I get advance notice of upcoming bulletins?
Microsoft used to publish advance notifications of security bulletins but stopped this practice in 2014. For now at least, the entire IT world gets to wait on pins and needles until 10:00 AM Pacific Time on the second Tuesday of each month to see what's in the latest round of updates for Windows and other products from Microsoft.