Patch Tuesday has been a tradition for IT professionals since 2003. That’s when Microsoft established a schedule for its security updates, allowing network administrators to build compatibility testing and deployment plans into their monthly schedules.
The idea was to keep administrators from having to scramble to deal with updates released on an unpredictable schedule. There was some skepticism about the idea initially, but over the past dozen years it has become widely accepted, and other companies, such as Adobe, have adopted the same schedule.
1: When is Patch Tuesday?
There are actually two important Tuesdays on Microsoft’s update schedule.
The second Tuesday of each month is the one most commonly referred to as Patch Tuesday. That’s when Microsoft releases security-related updates for Windows (desktop and server editions), Office, and related products. The fourth Tuesday of each month is reserved for updates that aren’t related to security.
In rare cases, Microsoft will issue what’s called an “out of band” update for a security issue, publishing an update on a day other than the normal Tuesday update timeframe. Typically, this occurs only when a security issue is extremely serious and is being actively exploited.
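The schedule described above can be computed directly, which is handy for planning maintenance windows or for flagging a security release that arrives off-schedule. The following is an added example, not code from Microsoft or from the original article; the function names and the labels it returns are illustrative assumptions.

```python
import calendar
from datetime import date, timedelta


def nth_weekday(year, month, weekday, n):
    """Return the date of the n-th `weekday` (0 = Monday) in the given month."""
    first = date(year, month, 1)
    # Days from the 1st to the first occurrence of the requested weekday.
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def patch_tuesday(year, month):
    """Second Tuesday: the scheduled security release."""
    return nth_weekday(year, month, calendar.TUESDAY, 2)


def fourth_tuesday(year, month):
    """Fourth Tuesday: the scheduled non-security release."""
    return nth_weekday(year, month, calendar.TUESDAY, 4)


def classify_release(day):
    """Label a release date against the two scheduled Tuesdays."""
    if day == patch_tuesday(day.year, day.month):
        return "security"
    if day == fourth_tuesday(day.year, day.month):
        return "non-security"
    # A security update published on any other day is an out-of-band release.
    return "off-schedule"


def next_patch_tuesday(today):
    """Next scheduled security release on or after `today`."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate < today:
        # This month's release has passed; roll over, wrapping December.
        year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
        candidate = patch_tuesday(year, month)
    return candidate


if __name__ == "__main__":
    print(next_patch_tuesday(date.today()))
```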
2: How do I know what’s being released?
Every security update issued by Microsoft (whether it’s on Patch Tuesday or as an out-of-band release) is accompanied by a bulletin that’s published by the Microsoft Security Response Center (MSRC) at roughly the same time the updates are released.
The Security Advisories and Bulletins page is the main index for all such documents. It consists of the following:
- Security Bulletin Summaries. This index consists of one document per month, organized chronologically, with the most recent documents at the top. Each summary has a full list of bulletins issued that month, with a title and executive summary for each one. The summary also includes an Exploitability Index for each bulletin, listing the risk on a 1-4 scale, with 1 meaning “Exploitation More Likely” and 4 meaning “Not Affected.” At the end of the index is an Affected Software section that lists bulletins in order of major software category and severity. So, for example, if you’re concerned about which new security bulletins apply to your servers running Windows Server 2008 R2, you can look here to get an exact answer.
- Security Bulletins. This list is also organized in reverse chronological order, with a separate entry for every bulletin. The naming convention uses the format MSYY-NNN. For example, MS15-042 would be the 42nd bulletin issued in 2015. Each bulletin includes an Executive Summary, an Affected Software list, and details about the vulnerability that the update resolves.
- Security Advisories. The documents listed on this page represent communications about known security issues that are not necessarily accompanied by updates. Advisories occasionally include explanations of known vulnerabilities that have been disclosed by a third party and that Microsoft considers serious. They typically include workarounds and mitigation steps, when they’re available.
If you know the name of an individual security bulletin, you can look it up using this syntax:
(replacing the last block with the actual bulletin number)
3: Where do I find more details about individual bulletins?
The title of every security bulletin and advisory includes a number that corresponds to an article in the Microsoft Knowledge Base (KB). For instance, security bulletin MS14-064 was associated with KB article 3011443. The KB article typically contains more information about an individual bulletin, including workarounds, known issues, details about downloadable files, and details (including version and file hash information) about files installed or replaced as part of an update.
If you know the KB number for a bulletin, you can look it up using this syntax:
(replacing the last block with the actual number)
4: What are CVE numbers?
The computer security industry has standardized on a disclosure format for what it calls Common Vulnerabilities and Exposures (CVEs). Each disclosure is published in the National Vulnerability Database (NVD), which is maintained by the US government.
CVEs use a standard numbering system that is maintained by The MITRE Corporation. Microsoft is one of many large organizations that use CVE identifiers to make it possible for security researchers to discuss issues using standard terminology. If you see a CVE number in a security bulletin, you can look it up in the NVD and use your favorite search engine for more details.
5: How do I know which updates are most important?
Every security bulletin is accompanied by a rating that represents the worst theoretical outcome if the vulnerability addressed on that bulletin were to be exploited. There are four severity ratings, listed here from most to least severe:
- Critical. This type of vulnerability, if exploited, could lead to code execution with no interaction on the part of the user. These updates should normally be applied without delay.
- Important. This severity rating applies to vulnerabilities that can be exploited to compromise the confidentiality or integrity of user data or to cause a denial-of-service attack.
- Moderate. Typically, this rating is applied to vulnerabilities that are mitigated by default configurations, authentication requirements, and so on.
- Low. This type of vulnerability normally requires either extensive interaction or an unusual configuration.
Microsoft has published the complete documentation for this rating system in a Security TechCenter article: “Security Bulletin Severity Rating System.”
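To turn a month's bulletin list into a deployment order, the MSYY-NNN naming convention and the four severity ratings are enough. The following is an added example, not Microsoft's or the article's own code; the sample bulletin IDs are constructed placeholders, and mapping YY to 20YY is an assumption.

```python
import re

# Naming convention from the bulletin index: MSYY-NNN.
BULLETIN_RE = re.compile(r"MS(\d{2})-(\d{3})")

# The four ratings, most to least severe.
SEVERITY_ORDER = ["Critical", "Important", "Moderate", "Low"]


def parse_bulletin_id(bulletin_id):
    """Return (year, sequence) for an ID such as 'MS15-042', or raise ValueError."""
    match = BULLETIN_RE.fullmatch(bulletin_id.strip().upper())
    if match is None:
        raise ValueError("not in MSYY-NNN format: %r" % bulletin_id)
    year = 2000 + int(match.group(1))  # assumption: YY means 20YY
    sequence = int(match.group(2))
    if sequence == 0:
        raise ValueError("sequence numbers start at 001: %r" % bulletin_id)
    return year, sequence


def triage(bulletins):
    """Split (id, severity) pairs into a deployment order and a reject list."""
    ordered, rejected = [], []
    for bulletin_id, severity in bulletins:
        try:
            year, sequence = parse_bulletin_id(bulletin_id)
            rank = SEVERITY_ORDER.index(severity.strip().capitalize())
        except ValueError:
            # Malformed ID or a rating outside the four-level scale:
            # hold for manual review rather than guessing a priority.
            rejected.append(bulletin_id)
            continue
        ordered.append((rank, year, sequence, bulletin_id.strip().upper()))
    ordered.sort()
    return [item[3] for item in ordered], rejected


# Constructed sample input; these IDs and ratings are placeholders, not real bulletins.
SAMPLE = [
    ("MS15-903", "Important"),
    ("MS15-901", "Critical"),
    ("ms15-902", "low"),
    ("MS15-42", "Critical"),   # malformed: two-digit sequence
    ("MS15-904", "Urgent"),    # not one of the four ratings
    ("MS14-950", "Critical"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```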
6: Can I get advance notice of upcoming bulletins?
Microsoft used to publish advance notifications of security bulletins but stopped this practice in 2014. For now at least, the entire IT world gets to wait on pins and needles until 10:00 AM Pacific Time on the second Tuesday of each month to see what’s in the latest round of updates for Windows and other products from Microsoft.