
[RSA Conference] Microsoft Patches 8 New End-User Vulnerabilities (video)

Story posted on: April 08, 2008


Today is the second Tuesday of the month, known in the security community as "Patch Tuesday", when Microsoft releases security updates for its products. It all started in 2003 after customers asked Microsoft to stop releasing patches whenever it wanted and to standardise on one day a month. Five years later it's still a nightmare, and enterprises, including Microsoft itself, must use third-party solutions like Shavlik's (more below) to patch their IT systems... once a month!

However, Microsoft has been building defense-in-depth technologies into Windows (firewall, boot defender, phishing filter, Data Execution Prevention...) to make simple vulnerabilities harder to exploit. But of course, it's far from perfect, as the General Manager for Microsoft's Product Security, George Stathakopoulos, admits. Especially as it can take as long as 90 days from the time a vulnerability is discovered to the time the patch is made available. And sometimes more!

"In an average patch, we have to test it in 22 languages, 400,000 tests, etc. So it takes some time to build it... To do this, we have 2 strategies. The first one is defense in depth: make sure the system will hold even though it's vulnerable. The second is, we've been working with the security community and our goal was to promote responsible disclosure... Which means the researchers will provide the information first, they will not go public. Of course we will be monitoring both spikes and other indicators to make sure it's not used. And then release the security update at the same time we release the patch", adds Stathakopoulos.
But why does it take so long for Microsoft to release a patch?

"The worst thing you can do to someone is provide them a patch that actually breaks the system: you are secure but half of the processing systems don't work."



Today's 8 patches from Microsoft address "client-side security vulnerabilities".

"Which means it requires a user to perform an action on the machine in order to exploit the system. So those systems that don't have end users logging on to them are safe. So your datacenter servers are safe because people don't usually log on to those. It's your end-user workstations and servers where people physically log in, where they are browsing the internet, opening documents or reading e-mails, that are vulnerable this month", explains Shavlik CTO Eric Schultze.



