Microsoft’s Patch Tuesday updates: Keeping up with the latest fixes

Long before Taco Tuesday became part of the pop-culture vernacular, Tuesdays were synonymous with security — and for anyone in the tech world, they still are.  Patch Tuesday, as you most likely know, refers to the day each month when Microsoft releases security updates and patches for its software products — everything from Windows to Office to SQL Server, developer tools to browsers.

The practice, which happens on the second Tuesday of the month, was initiated to streamline the patch distribution process and make it easier for users and IT system administrators to manage updates.  Like tacos, Patch Tuesday is here to stay.

In a blog post celebrating the 20th anniversary of Patch Tuesday, the Microsoft Security Response Center wrote: “The concept of Patch Tuesday was conceived and implemented in 2003. Before this unified approach, our security updates were sporadic, posing significant challenges for IT professionals and organizations in deploying critical patches in a timely manner.”

Patch Tuesday will continue to be an “important part of our strategy to keep users secure,” Microsoft said, adding that it’s now an important part of the cybersecurity industry.  As a case in point, Adobe, among others, follows a similar patch cadence.

Patch Tuesday coverage has also long been a staple of Computerworld’s commitment to provide critical information to the IT industry. That’s why we’ve gathered together this collection of recent patches, a rolling list we’ll keep updated each month.

In case you missed a recent Patch Tuesday announcement, here are the latest six months of updates.

September: Latest Patch Tuesday update fixes 4 zero-days

Addressing four zero-days flaws (CVE-2024-38014, CVE-2024-38217, CVE-2024-43491 and CVE-2024-38217), this month’s Patch Tuesday release from Microsoft includes 79 updates to the Windows platform. There are no patches to Microsoft Exchange Server or the company’s development tools (Visual Studio or.NET). And Microsoft addressed a recently exploited vulnerability in Microsoft Publisher with two critical updates and nine patches rated important for Microsoft Office. More info on Microsoft Security updates for September 2024.

August: Patch Tuesday means patch now

Microsoft pushed out 90 updates in its August Patch Tuesday release, including fixes for five Windows zero-days (CVE-2024-38178, CVE-2024-38193, CVE-2024-38213, CVE-2024-38106, CVE-2024-38107) and one zero-day affecting Office (CVE-2024-38189). This means a “Patch Now” recommendation for both Windows and Microsoft Office. Microsoft offered several (pretty useful) mitigations and recommendations to reduce the impact of these security issues. More info on Microsoft Security updates for August 2024.

July: 4 zero-day flaws

This July’s Patch Tuesday from Microsoft addressed a significant number of vulnerabilities, including four zero-day threats.  Here’s a quick rundown: Microsoft released updates for SQL Server, with patches for Windows, Office,.NET, and Visual Studio. It also released four critical updates for Windows, including patches for Hyper-V and MSHTML. There’s one critical update for Office’s SharePoint platform.More info on Microsoft Security updates for July 2024.

June: Relatively quiet on major updates

This month’s Patch Tuesday brought mostly low-risk updates with no reported zero-day vulnerabilities. Key areas addressed include changes to Secure Boot (requiring third-party driver testing), code integrity policies (needing verification for Windows Defender features), and core Windows systems (necessitating broad application testing). While there were no critical updates for Office or Exchange Server, some updates to Visual Studio require attention for developers.More info on Microsoft Security updates for June 2024.

May:  3 zero-day vulnerabilities signal ‘patch now’ alert

This month’s Patch Tuesday highlights three critical zero-day vulnerabilities affecting Windows PCs and requiring immediate patching  — that is,  identified as “patch now.” Some updates like those to Office and Edge browsers follow standard release schedules, but be aware of a critical update for SharePoint Server.  Developers need to aware o a late addition to the update cycle affecting the Azure Agent, requiring attention for Azure-based virtual macHines. Testing is crucial this month, especially for core Windows features like the Common Error Log, DNS, cryptography and routing services. More info on Microsoft Security updates for May.

April: Microsoft showers users with 149 patches

April’s Patch Tuesday was a complex one, especially for SQL-dependent applications. This hefty Patch Tuesday from Microsoft included 149 updates. While there were no zero-day vulnerabilities, key areas addressed include crypto APIs, networking and remote desktop connections. A major update to the Kerberos security system removes Windows 11 from the affected list, highlighting the importance of staying updated. For developers, 11 updates target the development platform, with 10 focused on SQL ODBC issues and 1 on.NET. While the.NET update can be added to the standard schedule, the ODBC updates require careful examination.More info on Microsoft Security updates for April.

March: It’s a complicated Patch Tuesday

This month’s Patch Tuesday from Microsoft was complex. There were no reported zero-day vulnerabilities, but a number of updates, particularly those affecting SQL, OLE and ODBC components, underscore the importance of a thorough evaluation. Key areas of focus include file management, cryptography, networking, remote desktop connections, and SQL-related functionalities. Given the interconnectedness of these systems, organizations should prioritize testing across their application portfolios to identify potential impacts. The update to the Kerberos security system is noteworthy, as it removes support for certain Windows 11 versions.More info on Microsoft Security updates for March.