Patch Tuesday
{{Short description|Unofficial term used to refer to monthly software updates}}
Patch Tuesday{{cite web|last1=Wilcox|first1=John|title=Windows 10 update servicing cadence|url=https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-10-update-servicing-cadence/ba-p/222376|publisher=Microsoft|date=2018}} (also known as Update Tuesday{{cite web|url=http://blogs.windows.com/bloggingwindows/2014/08/05/august-updates-for-windows-8-1-and-windows-server-2012-r2/|title=August updates for Windows 8.1 and Windows Server 2012 R2|work=Windows Experience Blog|access-date=25 November 2015}}) is an unofficial term for the day on which Microsoft, Adobe, Oracle and others regularly release software patches for their products.{{Cite web|date=2020-04-14|title=April 2020 Patch Tuesday: Microsoft fixes three actively exploited vulnerabilities|url=https://www.helpnetsecurity.com/2020/04/14/april-2020-patch-tuesday/|access-date=2020-10-12|website=Help Net Security|language=en-US}} The term is widely used throughout the industry.{{cite web | url = http://news.cnet.com/8301-10805_3-20118106-75/microsoft-patch-tuesday-to-target-windows-ie/ | title = Microsoft Patch Tuesday to target Windows, IE | publisher = CNet | date = October 10, 2011 | access-date = November 9, 2011}}{{cite web|url = http://blogs.technet.com/b/blairn/archive/2006/03/28/netfx1164annc.aspx|title = .NET Framework 1.1 Servicing Releases on Windows Update for 64-bit Systems|publisher = Microsoft|date = March 28, 2006|access-date = November 8, 2011|url-status = dead|archive-url = https://web.archive.org/web/20120327232948/http://blogs.technet.com/b/blairn/archive/2006/03/28/netfx1164annc.aspx|archive-date = March 27, 2012}}{{ cite web | url = http://windows.microsoft.com/en-us/windows/understanding-windows-automatic-updating | title = Understanding Windows automatic updating | publisher = Microsoft — Understanding Windows — Get Help | access-date = July 3, 2014 }} Microsoft formalized Patch Tuesday in October 2003.{{cite web|last1=Budd|first1=Christopher|title=Ten Years of Patch Tuesdays: Why It's Time to Move On|url=http://www.geekwire.com/2013/ten-years-patch-tuesdays-time-move/|website=GeekWire|date=31 October 2013 |access-date=28 July 2015}} Within Microsoft, Patch Tuesday is also known as the "B" release, to distinguish it from the "C" and "D" releases that occur in the third and fourth weeks of the month, respectively.
Patch Tuesday occurs on the second Tuesday of each month.{{cite web|title=When does Microsoft release security updates|url=https://www.microsoft.com/en-us/msrc/faqs-security-update-guide/|website=Microsoft MSRC}} Critical security updates are occasionally released outside of the normal Patch Tuesday cycle; these are known as "Out-of-band" releases. As far as the integrated Windows Update (WU) function is concerned, Patch Tuesday begins at 10:00 a.m. Pacific Time.{{cite web |title=Patch Tuesday updates to Windows and Office: What you need to know |url=https://www.hpe.com/us/en/insights/articles/patch-tuesday-updates-to-windows-and-office--what-you-need-to-kn-2007.html |website=Hewlett Packard Enterprise |access-date=15 February 2022}} Vulnerability information is immediately available in the [https://msrc.microsoft.com/update-guide/ Security Update Guide]. The updates show up in Download Center before they are added to WU, and the KB articles are unlocked later.
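The schedule described above (second Tuesday of the month, 10:00 a.m. Pacific, and the B/C/D week lettering) can be computed rather than looked up. The following is an added example, not code from the article or from Microsoft; it assumes the US daylight-saving rule in force since 2007 (second Sunday in March to first Sunday in November) so that it needs no time-zone database.

```python
from datetime import date, datetime, timedelta, timezone

TUESDAY, SUNDAY = 1, 6  # Python weekday numbering: Monday = 0 ... Sunday = 6


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """Return the n-th occurrence of `weekday` in the given month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7  # days from the 1st to the first such weekday
    return first + timedelta(days=offset + 7 * (n - 1))


def patch_tuesday(year: int, month: int) -> date:
    """Patch Tuesday is the second Tuesday of the month (the "B" release)."""
    return nth_weekday(year, month, TUESDAY, 2)


def exploit_wednesday(year: int, month: int) -> date:
    """The day after Patch Tuesday, when exploits based on patch analysis tend to appear."""
    return patch_tuesday(year, month) + timedelta(days=1)


def pacific_utc_offset_hours(d: date) -> int:
    """UTC offset of US Pacific time on day d.

    Assumption: post-2007 US DST rule (second Sunday in March to first Sunday
    in November). Patch Tuesday is never a Sunday, so day granularity suffices.
    """
    dst_start = nth_weekday(d.year, 3, SUNDAY, 2)
    dst_end = nth_weekday(d.year, 11, SUNDAY, 1)
    return -7 if dst_start <= d < dst_end else -8  # PDT = UTC-7, PST = UTC-8


def patch_tuesday_utc(year: int, month: int) -> datetime:
    """10:00 a.m. Pacific on Patch Tuesday, expressed in UTC.

    March is the interesting month: the second Tuesday may fall either side
    of the DST switch, so the UTC hour is 17:00 in some years and 18:00 in others.
    """
    d = patch_tuesday(year, month)
    tz = timezone(timedelta(hours=pacific_utc_offset_hours(d)))
    return datetime(d.year, d.month, d.day, 10, 0, tzinfo=tz).astimezone(timezone.utc)


def release_letter(d: date):
    """Map a date to Microsoft's weekly release letter.

    "B" = second Tuesday (Patch Tuesday), "C" = third, "D" = fourth.
    Any other date is not a scheduled weekly release and returns None
    (for example an out-of-band fix shipped on a Friday).
    """
    if d.weekday() != TUESDAY:
        return None
    week_of_month = (d.day - 1) // 7 + 1
    return {2: "B", 3: "C", 4: "D"}.get(week_of_month)
```

Feeding a date such as the May 2017 WannaCry guidance day (a Friday) into `release_letter` returns `None`, which is one quick way to flag an out-of-band release in a change log.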
Daily updates consist of malware database refreshes for Microsoft Defender and Microsoft Security Essentials; these updates are not part of the normal Patch Tuesday release cycle.
History
Starting with Windows 98, Microsoft included Windows Update, which once installed and executed would check for patches to Windows and its components, which Microsoft would release intermittently. With the release of Microsoft Update, this system also checks for updates for other Microsoft products, such as Microsoft Office, Visual Studio and SQL Server.
Earlier versions of Windows Update suffered from two problems:
- Less experienced users often remained unaware of Windows Update and did not install it. Microsoft countered this issue in Windows ME with the Automatic Updates component, which displayed availability of updates, with the option of automatic installation.
- Customers with multiple copies of Windows, such as corporate users, not only had to update every Windows deployment in the company but also to uninstall patches issued by Microsoft that broke existing functionality.
Microsoft introduced "Patch Tuesday" in October 2003 to reduce the cost of distributing patches after the Blaster worm.{{cite web|url= http://news.cnet.com/Microsoft-details-new-security-plan/2100-1002_3-5088846.html |title= Microsoft details new security plan |publisher= News.cnet.com |access-date=2013-02-12}} This system accumulates security patches over a month and dispatches them all on the second Tuesday of each month, an event for which system administrators can prepare. The following day, informally known as "Exploit Wednesday",{{cite web |url=http://blog.trendmicro.com/trendlabs-security-intelligence/patch-tuesday-exploit-wednesday/ |title=Patch Tuesday… Exploit Wednesday |newspaper=Blog.trendmicro.com |date=4 October 2006 |author=Paul Oliveria (Trend Micro Technical Communications) |access-date= 9 February 2016}} marks the time when exploits that take advantage of the newly announced vulnerabilities on unpatched machines may appear in the wild.
Tuesday was chosen as the optimal day of the week to distribute software patches. This is done to maximize the amount of time available before the upcoming weekend to correct any issues that might arise with those patches, while leaving Monday free to address other unexpected issues that might have arisen over the preceding weekend.
Security implications
An obvious security implication is that security problems that have a solution are withheld from the public for up to a month. This policy is adequate when the vulnerability is not widely known or is extremely obscure, but that is not always the case.
There have been cases where vulnerability information became public or actual worms were circulating prior to the next scheduled Patch Tuesday. In critical cases Microsoft issues corresponding patches as they become ready, alleviating the risk if updates are checked for and installed frequently.
At the Ignite 2015 event, Microsoft announced a change in how it distributes security patches. It releases security updates to home PCs, tablets and phones as soon as they are ready, while enterprise customers stay on the monthly update cycle, which was reworked as Windows Update for Business.{{cite web|url=https://www.theregister.co.uk/2015/05/04/microsoft_windows_10_updates/|title=Windows 10 bombshell: Microsoft to KILL OFF Patch Tuesday|work=theregister.co.uk|access-date=25 November 2015}}
Exploit Wednesday
Many exploitation events are seen shortly after the release of a patch;{{cite web|url=http://www.afterdawn.com/glossary/term.cfm/exploit_wednesday|title=Exploit Wednesday|work=afterdawn.com|access-date=25 November 2015}} analysis of the patch helps exploit developers to immediately take advantage of the previously undisclosed vulnerability, which will remain in unpatched systems.{{cite news |last1=Kurtz |first1=George |title=Operation "Aurora" Hit Google, Others |publisher=McAfee |date=2010-01-14 |access-date=2014-08-12 |url=http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/ |url-status=dead |archive-url=https://web.archive.org/web/20120117224754/http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/ |archive-date=2012-01-17 }} Therefore, the term "Exploit Wednesday" was coined.{{cite web |last=Leffall |first=Jabulani |title=Are Patches Leading to Exploits? |publisher=Redmond Magazine |date=2007-10-12 |access-date=2009-02-25 |url=https://redmondmag.com/articles/2007/10/12/are-patches-leading-to-exploits.aspx}}
Discontinued Windows versions
Microsoft warned users that it discontinued support for Windows XP starting on April 8, 2014{{snd}} users running Windows XP afterwards would be at risk of attacks. As security patches for newer Windows versions can reveal similar (or the same) vulnerabilities already present in older Windows versions, this can enable attacks on devices running unsupported Windows versions (cf. "zero-day attacks"). However, Microsoft stopped fixing such (and other) vulnerabilities in unsupported Windows versions, regardless of how widely known they became, leaving devices running these Windows versions vulnerable to attacks. Microsoft made a singular exception during the rapid spread of the WannaCry ransomware and released patches in May 2017 for the by-then-unsupported Windows XP, Windows 8, and Windows Server 2003 (in addition to then-supported Windows versions).{{Cite news|url=https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/|title=Customer Guidance for WannaCrypt attacks|work=MSRC|access-date=2017-11-23|language=en-US}}
For Windows Vista, "extended support" ended April 11, 2017, which leaves vulnerabilities discovered afterwards unfixed, creating the same situation for Vista as for XP before it.{{cite web |title=Windows lifecycle fact sheet|publisher=Microsoft|date=2015-08-31 |access-date=2015-08-31|url=http://windows.microsoft.com/en-us/windows/lifecycle}}
For Windows 7 (including Service Pack 1), support ended January 14, 2020, and for Windows 8.1 on January 10, 2023; this causes the same "unfixed vulnerabilities" issue for users of these operating systems. Support for Windows 8 had already ended January 12, 2016 (with users having to install Windows 8.1 or Windows 10 to continue to receive support), and support for Windows 7 without SP1 ended April 9, 2013 (with the option of installing SP1 to continue receiving support until 2020, or installing Windows 8.1 or Windows 10 to receive support after 2020).
Windows 10 and 11
{{See also|Windows 10 version history}}
{{See also|Windows 11 version history}}
Starting with Windows 10, Microsoft began releasing feature updates of Windows twice per year. These releases brought new functionality and are governed by Microsoft's modern lifecycle policy, which specifies a support period of 18–36 months. This is in contrast to previous Windows versions, which received only infrequent updates via service packs and whose support was governed by the fixed lifecycle policy. With the release of Windows 11, both Windows 10 and 11 started receiving annual feature updates in the second half of the year.
Once a release's support period ends, devices must be updated to the latest feature update in order to receive updates from Microsoft. As such, for Home and Pro editions of Windows 10 and 11, the latest Windows version is downloaded and installed automatically when the device approaches the end of support date.
{{Windows 10 versions}}
{{Windows 11 versions}}
{{clear}}
In addition to the commonly used editions like Home and Pro, Microsoft offers specialized Long-Term Servicing Channel (LTSC) versions of Windows 10 with longer support timelines, governed by Microsoft's fixed lifecycle policy. For instance, Windows 10 Enterprise 2016 LTSB will receive extended support until October 13, 2026,{{Cite web|url=https://docs.microsoft.com/en-us/lifecycle/products/windows-10-2016-ltsb|title=Windows 10 2016 LTSB - Microsoft Lifecycle|website=Microsoft Docs|access-date=2021-08-22}} and Windows 10 LTSC 2019 will receive extended support until January 9, 2029.{{Cite web|url=https://docs.microsoft.com/en-us/lifecycle/products/windows-10-ltsc-2019|title=Windows 10 LTSC 2019 - Microsoft Lifecycle|website=Microsoft Docs|access-date=2021-08-22}}
Adoption by other companies
SAP's "Security Patch Day", when the company advises users to install security updates, was chosen to coincide with Patch Tuesdays.{{cite web|url=http://www.h-online.com/security/news/item/SAP-introduces-a-patch-day-1079976.html|archive-url=https://web.archive.org/web/20110811193736/http://www.h-online.com/security/news/item/SAP-introduces-a-patch-day-1079976.html|archive-date=11 August 2011|title=SAP introduces a patch day|last=von Etizen|first=Chris|publisher=The H Security|date=2010-09-15|access-date=2013-01-07}} Adobe Systems' update schedule for Flash Player since November 2012 also coincides with Patch Tuesday.{{cite web|url=https://www.theregister.co.uk/2012/11/08/adobe_switching_to_patch_tuesday/|title=Adobe switches Flash fix schedule to Patch Tuesdays|publisher=The Register|date=2012-11-08|access-date=2013-01-07|last=McAllister|first=Neil}} One of the reasons for this is that Flash Player comes as part of Windows starting with Windows 8 and Flash Player updates for the built-in and the plugin based version both need to be published at the same time in order to prevent reverse-engineering threats. Oracle's quarterly updates coincide with Patch Tuesday.{{Cite web|title=Oracle Tackles a Massive 405 Bugs for Its April Quarterly Patch Update|url=https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/|access-date=2020-10-12|website=threatpost.com|date=13 April 2020 |language=en}}
Bandwidth impact
Windows Update uses the Background Intelligent Transfer Service (BITS) to download the updates, using idle network bandwidth.{{cite web|title=About BITS|url=https://msdn.microsoft.com/en-us/library/aa362708%28v=vs.85%29.aspx|website=MSDN|publisher=Microsoft|access-date=26 March 2016}} However, BITS uses the speed reported by the network interface (NIC) to calculate available bandwidth. This can lead to bandwidth calculation errors, for example when a fast network adapter (e.g. 10 Mbit/s) is connected to the network via a slow link (e.g. 56 kbit/s){{snd}} according to Microsoft, "BITS will compete for the full bandwidth [of the NIC] ... BITS has no visibility of the network traffic beyond the client."{{Cite web |last1=White |first1=Steven |last2=Cai |first2=Saisang |last3=Coulter |first3=David |last4=Satran |first4=Michael |last5=Smith |first5=Peter |date=2020-08-19 |title=Network Bandwidth - Win32 apps |url=https://learn.microsoft.com/en-us/windows/win32/bits/network-bandwidth |access-date=2023-12-22 |website=Microsoft Learn |language=en-us}}
Furthermore, Microsoft's Windows Update servers do not honor TCP's slow-start congestion control strategy.{{cite web|last=Strong |first=Ben |date=2010-11-25 |url=http://blog.benstrong.com/2010/11/google-and-microsoft-cheat-on-slow.html |title=Google and Microsoft Cheat on Slow Start |publisher=benstrong.com |format=blog |url-status=dead |archive-url=https://web.archive.org/web/20131207015609/http://blog.benstrong.com/2010/11/google-and-microsoft-cheat-on-slow.html |archive-date=December 7, 2013 }} As a result, other users on the same network may experience significantly slower connections while machines are actively retrieving updates. This can be particularly noticeable in environments where many machines individually retrieve updates over a shared, bandwidth-constrained link, such as those found in many multi-PC homes and small to medium-sized businesses. The bandwidth demands of patching large numbers of computers can be reduced significantly by deploying Windows Server Update Services (WSUS) to distribute the updates locally.{{Citation needed|date=April 2025}}
In addition to updates being downloaded from Microsoft servers, Windows 10 devices can "share" updates in a peer-to-peer fashion with other Windows 10 devices on the local network, or even with Windows 10 devices on the internet. This can potentially distribute updates faster while reducing usage for networks with a metered connection.{{cite web|last1=Warren|first1=Tom|title=Microsoft to deliver Windows 10 updates using peer-to-peer technology|url=https://www.theverge.com/2015/3/15/8218215/microsoft-windows-10-updates-p2p|website=The Verge|publisher=Vox Media|date=15 March 2015}}{{cite web|last1=Chacos|first1=Brad|title=How to stop Windows 10 from using your PC's bandwidth to update strangers' systems|url=http://www.pcworld.com/article/2955491/windows/how-to-stop-windows-10-from-using-your-pcs-bandwidth-to-update-strangers-systems.html|website=PC World|publisher=IDG|date=3 August 2015}}
See also
References
{{Reflist|30em}}
Further reading
- {{cite news | last = Evers | first = Joris | title = Microsoft pulls 'critical' Windows update | publisher = CNET News.com | date = 2005-09-09 | url = http://www.cnet.com/news/microsoft-pulls-critical-windows-update/ | access-date = 2006-12-12 }}
- {{Cite web|url = https://www.schneier.com/blog/archives/2006/07/zeroday_microso.html|title = Zero-Day Microsoft PowerPoint Vulnerability|date = 17 July 2006|website = Schneier on Security|last = Schneier|first = Bruce}} Example of report about vulnerability found in the wild with timing seemingly coordinated with "Patch Tuesday"
- {{Cite web|url = https://www.schneier.com/blog/archives/2006/09/microsoft_and_f.html|title = Microsoft and FairUse4WM|date = 7 September 2006|website = Schneier on Security|last = Schneier|first = Bruce}} Example of a quick patch response, not due to a security issue but for DRM-related reasons.
External links
- [https://m417z.com/ms-patch-tuesday/ Microsoft Patch Tuesday Countdown]
- [https://technet.microsoft.com/security/bulletin/ Microsoft Security Bulletin]
Category:Computer security procedures
Category:Holidays and observances by scheduling (nth weekday of the month)