I mentioned Patch Tuesday yesterday. Did you know that it is 10 years old this month?
Prior to October 2003, Microsoft issued updates on an ad-hoc basis. This caused problems for their customers, particularly in large organisations where configuration management must be carefully handled. I worked in one of those at the time and change control was a rigid process, for good reason. Untested upgrades could lead to chaos, shutting down production lines and costing millions.
In a complex system, it’s not always clear what the dependencies are until something goes wrong. For this reason, changes are batched, tested together, approved and rolled out together. Otherwise you would be implementing one change before another had been completed.
The problems arose when a critical vulnerability was announced publicly, out of step with an organisation’s change control cycle. Once a vulnerability is disclosed, the clock starts ticking. Depending on the severity of the exploit, IT departments would find themselves agonising over whether to rush a patch through without their normal test process and risk breaking the production system, or leave themselves exposed to a publicly disclosed vulnerability.
Patch Tuesday was Microsoft’s response to the increasing frequency of, and necessity for, security updates, and to the pleas of their customers. It was an acknowledgement that security updates will always be with us, and an acceptance that they should not be a late-night, nail-biting stress-fest. Patch Tuesday normalised the business of security updates and, in encouraging customers to embrace the patching process, it could be argued that it has strengthened security in both the corporate and the domestic world.
10 years on, Patch Tuesday is no big deal anymore. That is its success.