Vuln of the Month Special Edition: What the End of Patch Tuesday Means for You
For 19 years, on every second Tuesday of the month, security professionals have scheduled their workday (and often, for those in the Central and Eastern time zones, their lunch hour) around Microsoft’s regular release of patches designed to fix vulnerabilities identified within Microsoft operating systems and other software. For security folks, Patch Tuesday has been as familiar a workplace fixture as casual Fridays and TPS Reports.
After today, however, Patch Tuesday will be “just another Tuesday.” Today marks the final Patch Tuesday release by Microsoft, which traditionally packs dozens of fixes into this single day. Last month, Microsoft issued no fewer than 72 patches for published CVEs, one of which was considered serious and was actively being exploited.
This special edition of our Vuln of the Month blog series is devoted to looking at the implications of Patch Tuesday’s demise.
Auto-patch rules everything around me
Instead of monthly patch dumps, Microsoft will issue patches as they become available, much as they do today for so-called “out of band” releases—typically reserved for fixes that should be implemented ASAP. This just-in-time model will be supported by an automated new service called Windows Autopatch, which rolls out starting in July for enterprise customers. Windows Autopatch will also be embedded as a feature in Windows 10/11 Enterprise E3 at no extra cost. Anyone already using Windows desktop systems will be familiar with this drill, as auto-updates are a pre-installed (and challenging to disable) feature of Windows.
This move was probably inevitable. Waiting up to 30 days for the fix to a vulnerability you may need to address right away is not a good policy, particularly as attackers grow more sophisticated. Granted, not all CVEs represent five-alarm fires, but being handed 72 patches on a single day is a lot to take on. This is one reason security managers wryly refer to the day after Patch Tuesday as Crash Wednesday—too many fixes at once can lead to conflicts that cause problems for users, applications, and services. And once bad actors get a look at where the latest vulns are in the Microsoft metaverse, they sometimes move fast to exploit vulnerabilities before organizations have a chance to patch them. This led some to rechristen Crash Wednesday as Exploit Wednesday.
All this helps make the argument for ongoing, automated patch releases. Patching a couple of vulnerabilities is a lot easier than trying to patch dozens. And if you have to roll back a patch because it causes problems, that’s also easier if you’ve only deployed a handful of patches.
Vuln management and remediation have evolved
Despite serving as the anchor for a lot of cybersecurity and remediation programs, Patch Tuesday likely outlived its welcome. Vulnerability management itself has become a more real-time effort than it used to be. Organizations have adopted agile and DevOps methodologies to build resilience into their operations, which makes monthly patch releases seem woefully untimely. Meanwhile, the most advanced risk-based vulnerability management (RBVM) solutions have largely automated the process of prioritizing the vulnerabilities that represent the highest risk to a business: they take the technical data used to score CVEs via systems like CVSS, enhance it with exploit intelligence and other contextual data, and produce dynamic risk scores that respond to changing conditions. With these solutions, you’ll always know where you stand, and you won’t have to wait a month to find out.
This is the world we live in now—one in which enterprises are looking not just for ways to find and patch high-risk vulns, but to use those insights within the larger context of achieving security resilience. And good ol’ Patch Tuesday just didn’t fit in that world any longer.
Vuln of the Month: Now every second Tuesday
In recognition of this sea change in the security landscape, starting in July we’ll publish our Vuln of the Month blog on The Day Previously Known as Patch Tuesday. That’s right…you’ll find us spotlighting CVEs worth your consideration (and which you may have overlooked) on the second Tuesday of every month.
Until then, let’s all take a moment to bid Patch Tuesday a fond farewell—while we welcome a new, more resilient regimen that should help you protect your infrastructure more effectively and confidently.
Watch this space for regular Vuln of the Month spotlights, which appear on the second Tuesday of each month. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.