Apr 06, 2021
Microsoft releases security updates on Patch Tuesday every month. To manage these releases efficiently, organizations and IT experts must know what to expect on Patch Tuesday.
Patch Tuesday has been a tradition for IT experts since 2003. That is when Microsoft established a schedule for its security updates, which allows network administrators to build compatibility testing and deployment plans into their monthly schedules.
The idea was to ensure administrators would no longer have to scramble to deal with updates released on an irregular schedule. Initially, there was some uncertainty about the idea. However, over the years it has become widely accepted, and other companies such as Adobe have adopted the same schedule.
There are two important Tuesdays on Microsoft’s update schedule. The second Tuesday of each month is the one known as Patch Tuesday. That’s when Microsoft releases security-related updates for Windows, Office and other related products. The fourth Tuesday of each month is reserved for updates that are not related to security.
In rare cases, Microsoft will issue what’s known as an ‘out-of-band’ update for a security issue, publishing an update on a day other than the normal Tuesday update period. Normally, this happens only when a security issue is very serious and is being actively exploited.
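The schedule described above can be computed for deployment planning. The following is an added example, not code from Microsoft or from the original article; the function names and the labels `patch-tuesday`, `non-security-tuesday` and `out-of-band` are assumptions, the sample dates are constructed, and the classification looks only at the calendar date.

```python
import calendar
from datetime import date


def nth_tuesday(year: int, month: int, n: int) -> date:
    """Return the n-th Tuesday (1-based) of the given month."""
    first_weekday, days_in_month = calendar.monthrange(year, month)
    # Days from the 1st of the month to its first Tuesday (Monday is 0).
    offset = (calendar.TUESDAY - first_weekday) % 7
    day = 1 + offset + 7 * (n - 1)
    if day > days_in_month:
        raise ValueError(f"{year}-{month:02d} has no Tuesday number {n}")
    return date(year, month, day)


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday: the security update release."""
    return nth_tuesday(year, month, 2)


def non_security_tuesday(year: int, month: int) -> date:
    """Fourth Tuesday: reserved for non-security updates."""
    return nth_tuesday(year, month, 4)


def classify_release(released: date) -> str:
    """Label a release date against the two scheduled Tuesdays."""
    if released == patch_tuesday(released.year, released.month):
        return "patch-tuesday"
    if released == non_security_tuesday(released.year, released.month):
        return "non-security-tuesday"
    # Any other day, including the first or third Tuesday, is off-schedule.
    return "out-of-band"


def next_patch_tuesday(today: date) -> date:
    """Next Patch Tuesday on or after `today`, rolling over month and year."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate
    if today.month == 12:
        return patch_tuesday(today.year + 1, 1)
    return patch_tuesday(today.year, today.month + 1)


if __name__ == "__main__":
    # Constructed sample dates, not taken from any real release history.
    for d in (date(2021, 4, 13), date(2021, 4, 20), date(2021, 4, 27)):
        print(d.isoformat(), classify_release(d))
    print("next:", next_patch_tuesday(date(2021, 12, 20)).isoformat())
```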
Every security update issued by Microsoft is accompanied by a report that is published by the Microsoft Security Response Center (MSRC) at the same time the updates are released.
The Security Advisories and Bulletins page is the main index for such documents. It comprises the following:
The title of every security bulletin and advisory includes a number that matches an article in the Microsoft Knowledge Base. For example, security bulletin MS14-064 was associated with KB article 3011443. The Knowledge Base article normally contains more information about an individual bulletin, including known issues, workarounds, details about downloadable files, and details about files installed or replaced as part of an update.
The computer security industry has standardized a disclosure format for what it calls Common Vulnerabilities and Exposures (CVEs). Each disclosure is published in the National Vulnerability Database (NVD), which is maintained by the government of the United States.
CVEs use a standard numbering system that’s maintained by The MITRE Corporation. Microsoft is one of many big organizations that use CVE identifiers to enable security researchers to discuss issues. If you see a CVE number in a security bulletin, you can look it up in the NVD and use your favorite search engine for more information.
Every security bulletin is accompanied by a rating that represents the worst theoretical outcome if the vulnerability addressed in that bulletin were to be exploited. There are four severity ratings, listed here from most to least severe:
1. Critical: This type of vulnerability, if exploited, may lead to code execution with no interaction on the part of the user. These updates should typically be applied without delay.
2. Important: This severity rating applies to vulnerabilities that can be exploited to compromise the integrity or confidentiality of user data or to cause a denial-of-service attack.
3. Moderate: Normally, this rating is applied to vulnerabilities that are mitigated by default configurations, authentication requirements, and similar factors.
4. Low: This type of vulnerability typically requires either an unusual configuration or extensive interaction.
Microsoft used to publish advance notifications of security bulletins, but this practice was stopped in 2014. For now, the whole IT world gets to wait until the second Tuesday of each month for the latest round of updates for Windows and other Microsoft products.
It’s essential to understand what Patch Tuesday is, what to expect, and how to stay up to date on the latest security patches. An organization should keep its IT experts informed about security patches, security updates, and vulnerability remediation to avert cyber attacks on the organization’s data.
Do you want to learn more about what to expect on Patch Tuesday for your organization? Do you need help with Patch Tuesday updates? If yes, Vicarius is your go-to cybersecurity company.
Topia is a vulnerability management software that targets cybersecurity officers and operators, as well as IT managers and operators from the U.S. market. If you would like to implement a patch management tool, we are here for you.