As Patch Tuesday celebrates its tenth birthday we look back at the remarkable turnaround in Microsoft's security processes.

Patch Tuesday Decade - Microsoft Security Turnaround

Ten years ago, Microsoft's software products were hugely popular - but also hugely insecure.

Most desktops and laptops were running Windows XP at the time, specifically Windows XP SP1 (Service Pack 1). Why is this important? Well, the SP1 version of the operating system did not have a firewall enabled by default and did not receive automatic updates.

It meant that individuals and IT departments had to patch their systems manually, most likely using Internet Explorer 6, itself rife with security flaws, to download the updates. It is no surprise, then, that viruses and worms were rampant in 2003.


As renowned security expert Mikko Hypponen points out, 2003 saw the outbreak of some of the most damaging viruses ever seen, including Slammer, Sasser, Blaster and Sobig.

"Slammer infected a nuclear power plant in Ohio and shut down Bank of America's ATM systems. Blaster stopped trains in their tracks outside Washington DC and shut down Air Canada check-in systems at Canadian airports. Sasser thoroughly infected several hospitals in Europe."

Microsoft knew it had to do something, and it did.

Ziv Mador, currently director of security research at Trustwave but who previously worked in Microsoft's security division for 15 years, says these viruses and the reaction to them was one of the main triggers for a seismic change in the company's approach to security.

Trustworthy computing

"There were a couple of major exploits against Microsoft software, and they caused damage to customers, customers became unhappy, and there was indeed a lot of pressure on Microsoft to solve this problem."

Mador says that this was around the time when Bill Gates issued his famous trustworthy computing memo which called on Microsoft to "lead the industry to a whole new level of trustworthiness in computing."

Mador continues: "Shortly after there were major, major efforts within the company to both improve the processes and [increase] the awareness and education of the programmers." According to Mador these steps included simply learning to write more secure code and the use of fuzzing tools.

Microsoft also sought to improve its collaboration with the security industry as well as the hacker community.

Patch Tuesday

One of the biggest changes to come out of this new initiative was Patch Tuesday, which began on 14 October 2003 and has been issued on the second Tuesday of every month since then.

Previously, patches for Microsoft's software were issued erratically, leading to a lot of frustration and anger among IT departments in particular. With Patch Tuesday, Microsoft gathers together its security updates and releases them all at once on the second Tuesday of every month, giving limited advance warning of the contents of the updates.
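The fixed schedule is something patch-management tooling can compute rather than look up. The helper below, an added example not taken from the article or from Microsoft, derives the second Tuesday of any month and the next release date from a given day, and checks itself against the first Patch Tuesday named above (14 October 2003).

```python
from datetime import date, timedelta

TUESDAY = 1  # datetime.weekday(): Monday == 0, Tuesday == 1


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month (the Patch Tuesday release date)."""
    first_of_month = date(year, month, 1)
    # Days to move forward from the 1st to reach the first Tuesday (0..6).
    offset = (TUESDAY - first_of_month.weekday()) % 7
    first_tuesday = first_of_month + timedelta(days=offset)
    return first_tuesday + timedelta(days=7)


def patch_tuesdays(year: int) -> list:
    """All twelve release dates for a year, as ISO strings, for a patch-window calendar."""
    return [patch_tuesday(year, m).isoformat() for m in range(1, 13)]


def next_patch_tuesday(today_iso: str) -> str:
    """Next Patch Tuesday on or after the given ISO date, rolling into the following month
    (and year) when this month's release has already passed."""
    today = date.fromisoformat(today_iso)
    candidate = patch_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate.isoformat()
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return patch_tuesday(year, month).isoformat()


if __name__ == "__main__":
    # The first Patch Tuesday, as stated in the article.
    assert patch_tuesday(2003, 10).isoformat() == "2003-10-14"
    print("First Patch Tuesday:", patch_tuesday(2003, 10))
    print("Releases in 2013:", patch_tuesdays(2013))
```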

Building on the success of Patch Tuesday, Microsoft subsequently implemented a grading system for the updates - called the Exploitability Index - which gives each patch a score of 1, 2 or 3 depending on how important Microsoft thinks it is, with a 1 rating meaning "exploit code likely."

It meant users could decide for themselves whether they needed to apply a patch straight away or whether it could wait.


Patch Tuesday has become a template for other companies too, with the likes of Adobe and Oracle now employing similar scheduled updates for their software products.

However, Microsoft is still finding and patching serious flaws in its software products, with the tenth anniversary of Patch Tuesday seeing two zero-day exploits in Internet Explorer, one of which was discovered and reported to Microsoft by security company Trustwave.

Mador believes that while things are still far from perfect, they are much better than before.

"There is no doubt that the processes that Microsoft now uses to respond to issues is much better than before and in fact it is much better than most of the major vendors that have popular software."

MAP Programme

Mador points out that along with Patch Tuesday, in the last ten years Microsoft has implemented its Microsoft Active Protection (MAP) Programme, which sees 80 trusted security vendors around the globe get detailed vulnerability information from the company every month, ahead of Patch Tuesday.

This allows the security companies to update their products to defend against these vulnerabilities and release updates shortly after Microsoft releases its patches.

"By doing that, Microsoft helps the security vendors protect users in addition to the patching system as some customers need some time to test and patch their systems, and Microsoft now understands that patching is not the entire solution."

Default security level

While the Patch Tuesday system is clearly a vast improvement over what went before, the turnaround in Microsoft's standing in the security industry is more to do with the software it is now producing than its update system.

Hypponen says: "Today, the difference in the default security level of 64-bit Windows 8 is so much ahead of Windows XP you can't even compare them," adding "in hindsight, the company did a spectacular turnaround in their security processes."

One of the problems facing Microsoft now of course is that just as it has matured in terms of security so have the people who are attempting to breach that security. In 2003, when Patch Tuesday began, the people releasing the likes of Slammer and Sasser were just hobbyists doing it more out of curiosity than anything else. Today the situation is much more complex.

Microsoft is in some ways a victim of its own success. Windows is the preeminent operating system in the world with over 90% of people using some version of the software as of last month, according to Net Applications.

Numbers game

It is therefore easy to see why cyber-criminals target Windows over Mac OS X or Linux - it's a simple numbers game.

But it is not just cyber-criminals who are looking to target Microsoft's products. Over the past ten years we have seen the rise of the hacktivist as well as the much more potent threat of nation-states, with governments around the world developing offensive as well as defensive cyber-capabilities.

Indeed, the highly complex Flame malware, which has been linked to the US and Israeli governments, was signed using a rogue Microsoft certificate that allowed it to spread unimpeded within computer networks - meaning it is not just low-level criminals who pose a threat to the integrity of Microsoft's products.


So while Microsoft has fundamentally changed its security processes in the last ten years, new and more numerous threats mean it will have to continue to innovate in order to stay ahead.

Hypponen warns that despite all the improvements in security our computers are still not safe, but concludes: "at least we don't see flights grounded and trains stopped by malware every other week, like we did in 2003."