Every month, Microsoft releases security updates on Patch Tuesday. To help you manage these releases more efficiently, Ed Bott tackles six key questions and provides the extra details all IT pros should know.
Patch Tuesday has been a tradition for IT professionals since 2003. That’s when Microsoft established a schedule for its security updates, allowing network administrators to build compatibility testing and deployment plans into their monthly schedules.
The idea was to keep administrators from having to scramble to deal with updates released on an unpredictable schedule. There was some skepticism about the idea initially, but over the past dozen years it has become widely accepted, and other companies, such as Adobe, have adopted the same schedule.
There are actually two important Tuesdays on Microsoft’s update schedule.
The second Tuesday of each month is the one most commonly referred to as Patch Tuesday. That’s when Microsoft releases security-related updates for Windows (desktop and server editions), Office, and related products. The fourth Tuesday of each month is reserved for updates that aren’t related to security.
In rare cases, Microsoft will issue what’s called an “out of band” update for a security issue, publishing an update on a day other than the normal Tuesday update timeframe. Typically, this occurs only when a security issue is extremely serious and is being actively exploited.
Every security update issued by Microsoft (whether it’s on Patch Tuesday or as an out-of-band release) is accompanied by a bulletin that’s published by the Microsoft Security Response Center (MSRC) at roughly the same time the updates are released.
The Security Advisories and Bulletins page is the main index for all such documents. It consists of the following:
If you know the name of an individual security bulletin, you can look it up using this syntax:
https://technet.microsoft.com/library/security/MSy…nnn
(replacing the last block with the actual bulletin number)
The title of every security bulletin and advisory includes a number that corresponds to an article in the Microsoft Knowledge Base (KB). For instance, security bulletin MS14-064 was associated with KB article 3011443. The KB article typically contains more information about an individual bulletin, including workarounds, known issues, details about downloadable files, and details (including version and file hash information) about files installed or replaced as part of an update.
If you know the KB number for a bulletin, you can look it up using this syntax:
https://support.microsoft.com/kb/nnnnnnn/
(replacing the last block with the actual number)
The computer security industry has standardized on a disclosure format for what it calls Common Vulnerabilities and Exposures (CVEs). Each disclosure is published in the National Vulnerability Database (NVD), which is maintained by the US government.
CVEs use a standard numbering system that is maintained by The MITRE Corporation. Microsoft is one of many large organizations that use CVE identifiers to make it possible for security researchers to discuss issues using standard terminology. If you see a CVE number in a security bulletin, you can look it up in the NVD and use your favorite search engine for more details.
Every security bulletin is accompanied by a rating that represents the worst theoretical outcome if the vulnerability addressed in that bulletin were to be exploited. There are four severity ratings, listed here from most to least severe:
Microsoft has published the complete documentation for this rating system in a Security TechCenter article: “Security Bulletin Severity Rating System.”
Microsoft used to publish advance notifications of security bulletins but stopped this practice in 2014. For now at least, the entire IT world gets to wait on pins and needles until 10:00 AM Pacific Time on the second Tuesday of each month to see what’s in the latest round of updates for Windows and other products from Microsoft.
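The schedule described above (security updates on the second Tuesday, non-security updates on the fourth Tuesday, release at 10:00 AM Pacific Time) can be computed for change-window planning. The following Python sketch is an added example, not code from Microsoft or from the article; the function names are hypothetical, and it assumes "Pacific Time" means the America/Los_Angeles zone so that daylight saving time is handled when converting to UTC.

```python
from datetime import date, datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

PACIFIC = ZoneInfo("America/Los_Angeles")  # assumption: the article's "Pacific Time"
RELEASE_TIME = time(10, 0)                 # 10:00 AM, as stated in the article
TUESDAY = 1                                # date.weekday(): Monday is 0


def nth_tuesday(year: int, month: int, n: int) -> date:
    """Return the n-th Tuesday (1-based) of the given month."""
    first = date(year, month, 1)
    offset = (TUESDAY - first.weekday()) % 7  # days from the 1st to the first Tuesday
    return first + timedelta(days=offset + 7 * (n - 1))


def security_release_utc(year: int, month: int) -> datetime:
    """Second-Tuesday release instant, converted from Pacific Time to UTC."""
    local = datetime.combine(nth_tuesday(year, month, 2), RELEASE_TIME, tzinfo=PACIFIC)
    return local.astimezone(timezone.utc)


def non_security_release_date(year: int, month: int) -> date:
    """Fourth Tuesday, reserved for updates that are not security related."""
    return nth_tuesday(year, month, 4)


def next_security_release(now: datetime) -> datetime:
    """First scheduled security release at or after `now` (timezone-aware), in UTC.

    Out-of-band releases are unscheduled and cannot be predicted here.
    """
    local_now = now.astimezone(PACIFIC)  # decide the current month in Pacific Time
    year, month = local_now.year, local_now.month
    release = security_release_utc(year, month)
    if release < now:
        # This month's release has passed; roll over, including December to January.
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
        release = security_release_utc(year, month)
    return release


if __name__ == "__main__":
    # Constructed sample: the moment just after the December 2014 release.
    sample_now = datetime(2014, 12, 10, 0, 0, tzinfo=timezone.utc)
    print("Next security release (UTC):", next_security_release(sample_now).isoformat())
```

The UTC hour of the release shifts between 18:00 and 17:00 depending on whether daylight saving time is in effect on that Tuesday, which matters when scheduling automated jobs in UTC.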