On Oct. 9, 2003, Microsoft CEO Steve Ballmer announced that the company would only issue security patches once a month to “reduce the burden on IT administrators by adding a level of increased predictability and manageability.”
Two decades later, Microsoft continues to issue its security updates on the second Tuesday of every month, with occasional exceptions for emergency situations, and many other companies like Oracle and Adobe follow similar rules.
Patch Tuesday turned risk management into a monthly appointment, but like many innovations, it was born of crisis. At the beginning of 2002, shortly after the world experienced two of its first cyber doomsdays, Code Red and Nimda, Microsoft decided to change its philosophy around security. The two worms, which infected hundreds of thousands of machines in a matter of hours, exploited vulnerabilities for which patches were already available.
“The problem was not that we weren’t building patches; the problem was that people weren’t deploying them quickly enough,” says Christopher Budd, who was with Microsoft from 2000 to 2010 and is now a senior manager for threat research at Sophos.
At that time, the trauma of 9/11 was palpable in North America, and there was a growing concern within Microsoft regarding security. On Jan. 15, 2002, Bill Gates sent his famous Trustworthy Computing memo, highlighting the importance of protecting customers and their systems.
One way to improve security was to change how patches were delivered. So instead of announcing them unpredictably, on a ship-when-ready basis, several times during