How did Patch Tuesday become a thing and why is it important?
Back in the mid-'90s, the company I worked for was trying to make our products work on the newly released OS/2 Warp*. After a frustrating 18 months, we eventually gave up and moved to Windows NT4 Server. Using this was a revelation after the pain of OS/2, and having the same interface as Windows 95 was just the cherry on top (anyone else remember the difference between OS/2 Red Spine and Blue Spine?). The problem we then encountered was with the NT4 Service Packs. These were released on a six-monthly basis and would introduce new features, resolve known issues and fix bugs. The catch was that whenever certain settings were changed (such as anything to do with networking) you would then need to rerun the Service Pack and reboot before that feature would work again, and this could be on production servers.
*It wasn't the operating system that was at fault; the lack of third-party support and drivers is what was so frustrating about our experience with OS/2 during that time.
Windows 98 was the first Microsoft Operating System that featured the option to check for updates to the operating system and then install them, but you had to know that the feature was there and, more importantly, remember to use it.
Updates for Microsoft products were released semi-sporadically until October 2003, when the second Tuesday of the month was nominated as "update day", or as it has become known in the industry: Patch Tuesday. This is the day on which updates are released for all Microsoft products, not just operating systems but also the likes of Office, Exchange, SQL, etc., making it a busy day for IT support teams around the globe.
Updates can also be released on the fourth Tuesday, but this is more of a rarity. Occasionally patches are released outside of this schedule altogether, as happened with the patches for the 'Spectre' vulnerability early in January 2018. Patches are released for the lifetime of the operating system or product; once that is reached, they are only released for customers who pay for extended support (while they transition away from the affected product). This is not hard and fast, though: when 'WannaCry' hit in May 2017, even though patches had been released some months before for current software, the widespread effect prompted Microsoft to release patches for operating systems that had gone 'End of Life' (EoL), such as Windows XP, 7, Server 2003, etc.
A lot of companies are reluctant to patch, as it does carry potential risks aside from the potential out-of-hours downtime, particularly when you've heavily customised certain software such as Dynamics or SharePoint. It is important to test first, and to make sure the latest patches/updates won't break your customisations.
Microsoft provides Windows Server Update Services (WSUS) as part of Windows Server, and this can be used to provide a controlled rollout of patches in conjunction with Group Policy Objects (GPOs) that assign different groups of computers to different rollout stages, so a schedule can be set up. For example, you might release patches to your test environment first, then a week later to other devices, and so on.
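The staged WSUS/GPO rollout above only works if every machine is actually under the policy and in the intended group. The following PowerShell script is an added example, not code from the original post: it reads the Windows Update policy registry keys that a GPO writes (WUServer, TargetGroup, UseWUServer and the AU scheduling values), flags hosts that are not using WSUS or sit in an unexpected target group, and checks whether a given update is installed. The ring names and the KB number are constructed placeholders.

```powershell
# Added example: audit a client's WSUS targeting as pushed by GPO and verify a patch.
# Registry paths are the standard Windows Update policy keys; ring names and the
# KB number below are placeholders to be replaced with your own values.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

function Get-WsusClientConfig {
    # Returns the effective WSUS settings written by policy; fields are $null
    # when the machine is not under a Windows Update GPO at all.
    $wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        WsusServer       = $wu.WUServer
        TargetGroup      = if ($wu.TargetGroupEnabled -eq 1) { $wu.TargetGroup } else { $null }
        UsesWsus         = ($au.UseWUServer -eq 1)
        AutoUpdateOption = $au.AUOptions            # 2=notify, 3=auto download, 4=scheduled install
        InstallDay       = $au.ScheduledInstallDay  # 0=every day, 1=Sunday ... 7=Saturday
        InstallHour      = $au.ScheduledInstallTime # 0-23
    }
}

function Test-PatchInstalled {
    param([Parameter(Mandatory)][string]$KB)
    # Get-HotFix lists the same entries as "Installed Updates" in Control Panel.
    $hit = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $KB }
    [pscustomobject]@{
        KB          = $KB
        Installed   = [bool]$hit
        InstalledOn = if ($hit) { $hit.InstalledOn } else { $null }
    }
}

# Constructed ring names: match these to the computer groups defined in WSUS.
$expectedRings = 'Ring0-Test', 'Ring1-Pilot', 'Ring2-Production'

$cfg = Get-WsusClientConfig
$cfg | Format-List

if (-not $cfg.UsesWsus) {
    Write-Warning "$($cfg.ComputerName) is not configured to use WSUS and will patch (or not) on its own."
} elseif ($cfg.TargetGroup -notin $expectedRings) {
    Write-Warning "$($cfg.ComputerName) is in target group '$($cfg.TargetGroup)', not a known rollout ring."
}

# Placeholder KB; substitute the update you are verifying across the estate.
Test-PatchInstalled -KB 'KB0000000' | Format-List
```

Run it through your remote-management tooling against each ring; a host that warns on either check is one that a deferred-update policy has silently left behind.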
It was a lack of patching that enabled the previously mentioned 'WannaCry' exploit to spread as far and as quickly as it did. It was a combination of legacy equipment running EoL operating systems and the lack of a patching strategy, since patches that fixed the SMB issue that 'WannaCry' exploited had been released several months previously. I can still remember one client I dealt with who had been deferring updates for some time. They mailed me over that weekend in May to check they were "protected against WannaCry" and I had to reply in the negative; I was then instructed to bring their entire estate up to standard and then implement a strategy using WSUS and GPOs.
Keeping your desktops and servers patched and updated is a vital cornerstone of any IT support and management strategy. Ideally, patches should be tested in a lab or sandbox environment beforehand, as it's not unknown for patches to introduce other issues, conflict with third-party software (such as antivirus), or even conflict with Microsoft's own software, as happened with .NET 4.7 and Exchange.
As risky as it potentially is, the dangers of not patching were shown so clearly one Friday in May 2017 and no IT professional wants to have a weekend like that again.