Updated: April 8, 2024 (October 17, 2023)
Thoughts on patching on the 20th anniversary of Patch Tuesday

This is a guest post from Directions on Microsoft analyst Michael Cherry, who covers Windows Client OS, corporate governance and more.
When some anniversaries come along, my immediate thought is there’s no way that event happened that long ago. Other anniversaries that I learn happened a long time in the past seem in my mind as if they occurred yesterday. That is how I feel about Oct. 14. While today I take Patch Tuesday for granted, I would not have guessed that I’ve been participating in Patch Tuesday for 20 years.
Initially, Microsoft attempted to honor its commitment to customers to only include patches that fixed issues, including security issues. But soon, just as it had with its commitment to only include fixes in service packs, features began to find their way into the patches delivered on Patch Tuesdays. It became necessary to at least examine a patch to see what impact it might have on problems that you knew or didn’t know about, and how the patch might change Windows in some way you didn’t necessarily want or need.
Looking back, those early Patch Tuesdays were simpler times.
Although there were threats, such threats were not on the order of the malicious software that has evolved to mostly be some form of ransomware. There did not seem to be any need to rush to apply the patches delivered on Patch Tuesday. Directions on Microsoft used to advise enterprises to let the patches age for at least a couple of days to ensure the patch fixed existing issues without creating new problems. This was because patches — even patches that were not mixed with features — are subject to the law of unintended consequences. This meant it was prudent to allow someone else to be the lab rat. If after a day or two I hadn’t heard or read of problems with the patches, I’d feel safe to go ahead and begin to roll them out to my devices and the devices I managed for Directions.
Today’s Patch Tuesdays aren’t like yesterday’s
But no more. Today, zero-day vulnerabilities and exploits that come under immediate attack mean that on the 20th anniversary of Patch Tuesday, the prudent approach is to patch quickly and live with the risk of problems, including whatever a “blue screen” is called today.
This change, more than any other, should be seen by Microsoft as reason enough for the company to slow the cadence of feature changes to Windows and stop co-mingling security fixes with new features on Patch Tuesday. People need a known-good state for the Windows OS to assist in monitoring for malware that has made it past their defenses.
Although the technology to deliver, stage, and deploy patches has improved greatly from Microsoft’s investment in a software update and servicing infrastructure, at the end of the day, disciplining its release management system and its rules about what goes into the patch package remains the single most important element of building a safe and secure Windows environment — or as Microsoft once dubbed it — Trustworthy Computing. If only Microsoft were willing to put the trust back in “Trustworthy” by making the next 20 years of Patch Tuesdays exclusively about security fixes….
Michael analyzes and writes about the Windows client OS, Office communication services, and corporate governance. Before joining Directions on Microsoft in 2000, Michael worked at Microsoft for more than 10 years, where he held a variety of technical and marketing positions, including program manager for Windows Embedded and Windows 2000 IntelliMirror.
Related Resources
Microsoft Security Update Guide FAQs
From 2003: Microsoft releases its first monthly security fixes