Patch Tuesday Isn’t Ending. Here’s What Microsoft is Saying
Patch Tuesday will continue in its current form, according to Microsoft.
For nearly two decades, security teams have suffered through “Patch Tuesday”—a recurring monthly event when Microsoft publishes the vulnerabilities affecting their software. It is common for hundreds of vulnerabilities to be published during this one day, but according to some security providers and media sources, June’s Patch Tuesday was supposedly the last.
Security teams have likely heard that “the second Tuesday of every month will just be another Tuesday,” a marketing tagline for Microsoft’s upcoming Windows Autopatch service. Unfortunately, several prominent media outlets have misinterpreted this, writing rhetorically charged titles that have created confusion within the security community.
Patch Tuesday will continue in its current form
In Microsoft’s formal announcement for Windows Autopatch, they state rather plainly that “Monthly security and quality updates for supported versions of the Windows and Windows Server operating systems will continue to be delivered on the second Tuesday of the month (commonly referred to Patch Tuesday or Update Tuesday).” They have also recently communicated this statement to other news publications.
Automated patching: can it replace manual processes?
According to Microsoft, Patch Tuesday will continue in July 2022 and for the foreseeable future. But starting next month, Microsoft’s enterprise customers will have some capability to automate patching for certain devices.
However, as alluring as that sounds, many automated patching services are not mature enough to replace manual patching processes. In fact, organizations that replace their manual processes with them may introduce more risk. Many organizations have mission-critical processes that rely on outdated hardware and software, so forcing an update to these assets could result in a shutdown.
The need for comprehensive vulnerability intelligence
Regardless of whether organizations are looking to automate patch management, every security team will need quality vulnerability intelligence to effectively remediate risk. If your risk remediation program relies on data from CVE/NVD, you are likely unaware of over 93,000 vulnerabilities.
Within that delta are many vulnerabilities affecting widely used vendors and products, with thousands of them having public exploits that may be remotely executed. Therefore, if your vulnerability managers are not informed of those issues, at-risk assets may never be tasked for remediation.
Reveal vulnerabilities and remediate them faster with Flashpoint
Flashpoint’s VulnDB database contains actionable details on over 291,000 vulnerabilities—including over 93,000 that CVE/NVD fails to report. Sign up for a free trial to get the full intelligence picture. See how quality intelligence empowers your vulnerability management program, enabling security teams to quickly identify and remediate issues that really matter.