Patch Tuesday updates to Windows and Office: What you need to know
On the second Tuesday of every month, at 10 a.m. Pacific time (1 p.m. Eastern), Microsoft releases security updates for its products. Unofficially, it's called Patch Tuesday. Most people don't notice it at all, as updates are automatic and less disruptive than they used to be. But for security professionals, it's a busy day, especially since other software companies have taken to releasing their own updates on the same date. In this article, we explain why updates are released in this way and use the most recent Patch Tuesday as an example of what happens.
While Microsoft prefers to call the day Update Tuesday, internally the updates are known as B releases, because they ship in the second week of the month. There are also C and D releases, which are non-security updates for all Windows client and server products. Released in the third and fourth weeks of the month, respectively, these are optional preview releases. Their contents are folded into the next month's B release, but before then, IT can install them on test systems and prepare. In March 2020, Microsoft paused all C and D releases to lessen the burden on IT departments adapting to the pandemic. The company recently announced that these updates would resume in July.
Microsoft also has out-of-band releases, which are critical security updates that can't wait for Patch Tuesday. They are uncommon but not rare.
Finally, twice a year, Microsoft releases major feature updates, which add new features.
Microsoft documents all of this in its explanation of the Windows 10 update servicing cadence.
Patch Tuesday history
Prior to October 2003, Microsoft released security updates on an as-needed basis, sometimes several in a week, with no prior warning. It would simply announce that a patch was available for a vulnerability that might or might not already be publicly disclosed. If the vulnerability was severe, IT departments felt pressure to drop whatever they were doing and apply the patch.
The first Patch Tuesday release was on Oct. 14, 2003. It disclosed and fixed seven vulnerabilities, five of them rated critical, in Windows and Microsoft Exchange Server. IT and security personnel knew that it was coming and could plan to be ready to react.
Over time, the authors of other products known for disruptive security updates (for example, Flash and Java) adopted schedules of their own. Many chose the second Tuesday of the month, with the reasoning being, if IT departments were going to be ready for Microsoft's updates, they could be ready for theirs too—and any embarrassing Microsoft news might drown out their own issues.
The quality of the update process has improved a great deal over the years. Because many computers are still compromised through old vulnerabilities the user declined to patch, Microsoft has also made the process more automatic, so that updates are applied without any user action. With the default settings, the most you are likely to notice is that the system rebooted overnight.
Microsoft has also made the updates, at least for consumers, all cumulative. In other words, every month there is one security update, and it will apply all updates needed on the system, even those that were patched months ago. If you remember the days before cumulative updates, you can appreciate the value of that, as previously, it could take many hours to bring a new install of Windows up to date.
Security credit where credit is due
It's unclear how many security vulnerabilities Microsoft finds in its own software. The vast majority are found by outside researchers who report them responsibly to Microsoft. Why would they do this? Because they can make a good living doing it. Like all the other large software companies, Microsoft has a bug bounty program that regularly pays thousands of dollars to researchers for their findings. The biggest eyepopper is a bounty of as much as $250,000 for "critical remote code execution, information disclosure, and denial-of-services vulnerabilities in Hyper-V" (details are on the Hyper-V bounty program page; good luck).
In addition to monetary rewards, researchers get recognition from Microsoft as part of the Patch Tuesday announcements. The honor roll of researchers and the vulnerabilities they reported includes 67 outside researchers in June alone, reporting 142 vulnerabilities, with Zhiniang Peng of Qihoo 360 Core Security named on 32 of them, plus many anonymous credits. There is a separate page of credits for researchers on Microsoft's online services. Finally, through the formal Microsoft Security Response Center Researcher Recognition Program, researchers can win recognition, collect points, get MSRC swag, and gain access to special events.
What happens on Patch Tuesday
Information on security updates is not available until the updates themselves are released. There are two good places you can look for that information:
- Links to basic release notes on the updates for each release version of Windows are tweeted out by @WindowsUpdate.
- A comprehensive list of all updates is on the Security Update Summary page.
End users get their updates automatically. Larger businesses work through patch management systems that pull the updates directly from Microsoft through a few channels, including direct download links (the Microsoft Update Catalog), WSUS, and the MSRC Security Updates API, which serves the month's vulnerability data as machine-readable CVRF documents for tools such as Microsoft's MsrcSecurityUpdates PowerShell module.
These same channels were used to announce a recent out-of-band update. In such cases, where people would not be looking for communication from Microsoft, word also gets out through Microsoft blogs as well as news sites and third-party mentions, and by seeing it show up in their own Windows Update.
But the interesting information is which vulnerabilities were patched. Microsoft has moved this information around on its site many times over the years. Currently, I can find just two lists of the vulnerabilities. One is the MSRC Security Update Guide, an unwieldy list with one row for each version of each product affected; as a result, for June 2020 alone, there are more than 3,500 lines in the list, and you have to filter or export it to get a per-vulnerability view. The much better source is the acknowledgments list for researchers mentioned above. It includes a brief, descriptive title for the vulnerability (such as "Win32k Elevation of Privilege Vulnerability"), the CVE reference (such as "CVE-2020-1251"), and the acknowledgment (such as "Guopengfei from Codesafe Team of Legendsec at Qi'anxin Group").
Vulnerability jargon
What, you ask, is a CVE (Common Vulnerabilities and Exposures) reference? It is a standard naming system for publicly known software vulnerabilities, administered by MITRE and sponsored by the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. The most widely used database of CVE entries is the National Vulnerability Database (NVD), run by the U.S. National Institute of Standards and Technology (NIST).
Back on the Microsoft acknowledgments list for researchers, the CVE code is a link to Microsoft's advisory page for the vulnerability, such as CVE-2020-1251, Win32k Elevation of Privilege Vulnerability. That page describes the vulnerability in as much detail as is readily found anywhere on the Internet. It also carries Microsoft's assessment of how exploitable the vulnerability is (it rates CVE-2020-1251 as easily exploitable) and states whether the vulnerability had been publicly disclosed and/or exploited before the fix shipped. A vulnerability that was already being exploited when the patch was released is called a zero-day: systems were under attack at a time when no fix existed.
NVD entries (such as the one for CVE-2020-1251) collect non-Microsoft references about the vulnerability, such as third-party analyses. Both the Microsoft and the NVD pages carry CVSS (Common Vulnerability Scoring System) scores. CVSS is the other important vulnerability standard: a base score from 0 to 10 that combines how easy the vulnerability is to exploit (whether it is reachable over the network or only locally, whether the attacker needs an account on the system or a user's cooperation) with the impact of a successful exploit on confidentiality, integrity, and availability. The individual metrics are recorded in a vector string next to the score, so a local privilege escalation and a network-reachable remote code execution can be told apart even when their numbers are close. Patch management systems use these scores to rank updates according to priorities set in policy; security administrators might, for example, apply the most critical updates to the most critical systems automatically and evaluate the others before applying them. Two caveats: the base score deliberately says nothing about whether anyone is actually exploiting the bug, so it should be combined with Microsoft's "exploited" and "publicly disclosed" flags (an exploited 7.8 usually deserves to go ahead of an unexploited 9.8), and Microsoft's own Critical/Important severity rating is a separate scale from the CVSS number.
Office updates
Microsoft separated updates to Windows and Office many years ago. The move to web-based Office apps and Click-to-Run installations tends to make Office updates automatic. Only conventionally installed (MSI-based) Office, which today generally means volume-licensed enterprise installs, needs its updates deployed separately. Office 2019 is available only as a Click-to-Run installation.
Office updates generally are deployed on the B release schedule—that is, the second Tuesday of the month—for the same reason Windows updates are released then: It gives IT a chance to plan.
Please don't ignore the updates
Updating Windows is not a simple business, and it's no surprise that things sometimes go wrong. In March, Microsoft announced that more than 1 billion active devices were running Windows 10, the current generation of the desktop OS. The number of devices still running Windows 8 and Windows Server is also large. The hardware in these devices is varied; most of it is designed by large OEMs that test continuously and have Microsoft's ear. But many are still built by tinkerers who assemble them from parts. Any of them may be running software, including privileged software such as device drivers, written by anyone.
That things can go wrong was demonstrated in the June 2020 Patch Tuesday—in Microsoft nomenclature, the KB4560960 update. This was a normal monthly, cumulative update, including security improvements in a wide variety of products and subsystems. It also included a couple of bugs.
The first, acknowledged by Microsoft two days later, caused Windows to not recognize USB printers in some cases. User reports on Reddit described other, more troublesome printer problems as well. On June 18, Microsoft released an out-of-band update fixing the printer problem. But a more serious problem remained at the end of June, with the only workaround being to uninstall the update.
Microsoft said that this affected very few systems, but on those it did affect:
The Local Security Authority Subsystem Service (LSASS) file (lsass.exe) might fail on some devices with the error message, "A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000008. The machine must now be restarted."
You can find information on these and other bugs in Windows in the Known Issues and Notifications sections of the Windows release information pages. You'll need to know the release version of your copy of Windows (such as 1909 or 2004), which the winver command displays.
To repeat: Many computers are still compromised through old vulnerabilities that the user declined to patch. It's possible, if unlikely, that bad things will happen to your computer if you apply security updates. But we know that very bad things come to those who do not apply updates.
At a glance
- There's almost no excuse for a system to be online if it is not completely up to date.
- Features exist to allow security personnel to prioritize patches.
- Security personnel need to be able to test and work quickly on Patch Tuesday.
Related reading:
- Patch management in a work-at-home world
- Welcome to the Windows 7 Extended Security Updates era
- The state of patch management
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.