October 18, 2012    /    by

Will Patch Tuesday Ever End?

Patch Tuesday is just around the corner, and I feel an urge to rant.

Another Patch Tuesday is just around the corner, and I feel an urge to rant.

In reality, the actual day each month is just a part of an ongoing cycle. Like a coach’s preparation for the next football game on the schedule. We even tell our rookies, “Don’t worry, we’ve got this down to a science. Just study the playbook and learn the system.”  

We scout, breakdown the patch details, analyze the impact, discuss strategy, watch film, highlight strengths and weaknesses, suggest alternatives and finally build a game plan. Actually, I’m exaggerating – but only on the film part.

Here’s the routine… During the first week of the month, we realize that our infrastructure is coming up on that time of the month again. We typically ask: How many patches in this round?

As we approach the big day, we read up on this month’s patches. Are they critical? What if we wait? Should we test them first or just trust the fixes? We call-in to the MS-ISAC’s (or other organization’s) monthly call on patches and check their dashboard for potential critical alerts.

After “the game,” we heal-up as we get ready for next team – I mean patch.  That is, unless an emergency update comes along.

Our Network History According To Patch Tuesday           

Almost like forecasting the weather and/or analyzing the results after a big storm, Patch Tuesday is an ongoing topic for computer infrastructure support teams. Veteran security pros remember the good, the bad and the ugly regarding viruses, malware and Patch Tuesday. We tell new interns to gather round and we’ll share stories from the past. We could probably create a “Patch Tuesday Hall of Fame” to remember from where we have come.

Do these headlines ring a bell?

Updates galore in Microsoft's biggest ever Patch Tuesday

Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser

Microsoft Patch Causes System Crashes on Infected Computers

Microsoft to patch Word critical security flaw next Patch Tuesday

Going back a bit further, I remember the fixes for Code Red and responding to the 10 worst computer viruses in history. This has been going on since… well, we can hardly remember a time without it.

Actually, Wikipedia claims that Microsoft officially began Patch Tuesday in October 2003, although regularly scheduled patches have been released on the second Tuesday of each month since the launch of Windows 98.

And this is so much fun, other vendors, like Adobe, have occasionally decided to join in on the Patch Tuesday action. Vendors like Symantec and McAfee are constantly updating their anti-virus signatures, and our teams often ask what zero days attacks can be stopped by different versions of antivirus protection mixed with various operating system patches.

Will there be a new YouTube Channel for Patches in the future? Could this become Reality TV for geeks?

Necessary Disclaimer

After getting this far, some readers will no doubt think that I am just bashing Microsoft. Actually, that’s not my purpose. I am a fan of Microsoft, Bill Gates, Steve Ballmer and most things coming out of Redmond, Washington. I am lifetime user – from MS DOS to Windows 95 to Windows NT to Windows 7. My family has owned dozens of computers and laptops running Microsoft software over the past three decades in the UK and USA.  

I’ve come to think of Patch Tuesday (and other software and operating system updates and upgrades) as a necessary part of life – like cleaning the garage. Somebody has to do this work. Someone has to configure everything when the new PCs get unpacked. I have fond memories of my first Windows-based PC, and I’ve never second-guessed my decision to NOT move to a MAC.

Nor do I want to get dozens of emails from companies telling me that they have a better way for the Michigan government enterprise or my family to apply patches easier (been there and done that) –or- that we need to move to Open Source or convert to all Apple or Google or some other software for all of our computing needs.  (Yes – I have an iPad and an iPhone.)

Actually, I appreciate all the work that goes into keeping us safe online - fixing bugs, sounding alarms and upgrading functionality. I know that the bad guys will always try to break into our PCs and servers no matter what. When you’re a long-standing top dog, like Microsoft has been over many years, everyone is shooting at you. I am thankful that they do what they do. Like Hadrian’s Wall from Ancient Roman times, Microsoft has usually protected us on the digital frontier since the early days of the global Internet. Truth be told, cybersecurity challenges as well as support of operating systems are getting more complex and the problems more daunting in 2012. Patch Tuesday is just an industry poster-child for all of this front-line effort.

Nevertheless, it doesn’t mean that I can’t hope that someday…., perhaps…, things will be different. I won’t get that sinking feeling when I see that my PC needs to download and install 20 new updates over the next 30 minutes before my PC is happy again or my shutdown is complete. Our bulletins to systems admins, database admins, security pros and others will be a little less frequent.

Our Future: Window 8 and Windows RT?

Lately, the headlines have declared that PC sales are dropping sharply.  It remains to be seen if this is because people are just waiting for Windows 8 or moving away from the laptop and desktops entirely. Some may be moving to Google or Apple or Microsoft’s new Surface RT tablet. Or, is the global economy a factor?

Regardless, as we prepare for the next rollout (at home and work), I’ve started to ponder the age-old question: Will Patch Tuesday ever end?  I doubt it, since Microsoft has already announced a massive patch prior to the public release of Windows 8. Of course, they can always change the name of Patch Tuesday, but not the ongoing work. I’m not predicting the end of an era either, since many IT managers prefer Microsoft technology.

I also realize that an entire industry has developed from Patch Tuesday. I suspect that this part of infrastructure support life will continue for many years to come. Every major vendor has vulnerabilities, fixes, new releases, mistakes and just plain upgrades with new features. For most of us, it is just a part of online life – like changing oil in your (real-world) car.

Still, I think no regular event is more of an ongoing support headache for the tech industry than Patch Tuesday.  Our enterprises follow, study, refine, fear, talk-about and act on Patch Tuesday more than many other areas of infrastructure, month after month, year after year. Sure other “sexier” topics grab the headlines temporarily, but Patch Tuesday is always waiting for us like the next game on the schedule.

And no CIO, CTO or CSO would mind hitting the delete button – if only the problems would go away with the patches. What’s your experience with Patch Tuesday?