Happy 20th birthday Patch Tuesday, but why do we still have Exploit Wednesday?

This month has quietly marked an important anniversary: Patch Tuesday is 20 years old. Back on 14 October 2003, Microsoft published the first set of bundled vulnerability fixes on a set date every month. The idea? To make patch deployment more straightforward to manage for organisations. The question? Why are organisations still so slow to patch?

The model clearly worked, because others, such as Adobe and Oracle, soon followed. And for good reason: accumulating these fixes on a set date, the second Tuesday of every month, allows IT departments to plan ahead while reducing costs and improving security.

Unfortunately, two decades on, the vast majority of businesses have not implemented patches for critical vulnerabilities within 24 hours, according to the results of a new threat mindset survey from SonicWall.

That 24-hour metric is important because the day after Patch Tuesday is known as Exploit Wednesday, for a very obvious reason: it’s when threat actors exploit the newly published vulnerabilities on systems that have not yet been patched, before the attack window closes.

Worrying security disconnect

The SonicWall Threat Mindset Survey unsurprisingly reflects the broader business concern with ransomware. Indeed, ransomware was the primary concern of 83% of those questioned, closely followed by phishing, including highly targeted spear-phishing attacks and encrypted malware.

Yet, despite these concerns, 78% said they don’t patch critical-rated vulnerabilities within that 24-hour window. Meanwhile, 13% will only apply those critical patches “when time allows.”

“Regularly patching is the same as locking your front door; all the other security aspects are redundant if the fundamental line of defence is corrupted,” said Spencer Starkey, EMEA Vice-President at SonicWall. “Before organisations look to address more complex aspects of their security stack, they should first bolster the defences at home.”

Why Patch Tuesday doesn’t solve the problem

Sylvain Cortes, Vice-President of Strategy at Hackuity, agrees that regular patching against vulnerabilities is important, but can see why Patch Tuesday isn’t a magic bullet.

“Patching continues to be a big challenge for many organisations,” said Cortes. “Sprawling IT estates, siloed operations, competing demands between security and operations teams, and a lack of communication, mean that patching becomes a disconnected, painful, and drawn-out process.”

So, what is the answer? The somewhat chequered history of fixes that themselves cause further failures dictates that patches must be tested before they can be rolled out into a live environment. This, inevitably, causes a delay that leaves the attack window open.

This is why patch management has become so essential. As Cortes concludes: “With ever increasing numbers of vulnerabilities to manage, taking steps to contextualise and prioritise risks has never been more important.

“Building on the routine practice of patching, organisations must focus on vulnerability prioritisation to hone in on the threats that really matter to their business.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.