Computerworld NZ
Long before Taco Tuesday became part of the pop-culture vernacular, Tuesdays were synonymous with security — and for anyone in the tech world, they still are. Patch Tuesday , as you most likely know, refers to the day each month when Microsoft releases security updates and patches for its software products — everything from Windows to Office to SQL Server, developer tools to browsers. The practice, which happens on the second Tuesday of the month, was initiated to streamline the patch distribution process and make it easier for users and IT system administrators to manage updates. Like tacos, Patch Tuesday is here to stay. In a blog post celebrating the 20th anniversary of Patch Tuesday, the Microsoft Security Response Center wrote: “The concept of Patch Tuesday was conceived and implemented in 2003. Before this unified approach, our security updates were sporadic, posing significant challenges for IT professionals and organizations in deploying critical patches in a timely manner.” Patch Tuesday will continue to be an “important part of our strategy to keep users secure,” Microsoft said, adding that it’s now an important part of the cybersecurity industry. As a case in point, Adobe , among others, follows a similar patch cadence. Patch Tuesday coverage has also long been a staple of Computerworld ’s commitment to provide critical information to the IT industry. That’s why we’ve gathered together this collection of recent patches, a rolling list we’ll keep updated each month. In case you missed a recent Patch Tuesday announcement, here are the latest six months of updates. For May, Patch Tuesday means 139 updates — but no zero-days Microsoft this week released 139 updates affecting Windows, Office, .NET, and SQL Server (though there were no updates for Microsoft Exchange Server). Despite the absence of zero-days, the May Patch Tuesday update still requires Patch Now recommendations for Windows and Office. The combination of three unauthenticated network RCEs (Netlogon, DNS Client, and SSO Plugin for Jira and Confluence), four Word Preview Pane RCEs, the large TCP/IP vulnerability cluster, and the carry-over BitLocker recovery condition (still active on Windows 10 and Windows Server) warrants an accelerated deployment release schedule. More info is available here on Microsoft Security updates for May 2026 . Microsoft’s Patch Tuesday release for April is a whopper Windows admins are going to be busy this month, dealing with the largest Patch Tuesday cycle in memory. The April release involves 165 updates and roughly 340 unique CVEs from Microsoft — including two zero-days, one of which is already being actively exploited in the wild. The Readiness team recommends “Patch Now” schedules for nearly every major product family: Windows, Office (with a zero-day), Microsoft Edge (Chromium), SQL Server, and Microsoft Developer Tools (.NET). April also brings Phase 2 of Microsoft’s Kerberos RC4 hardening with full enforcement set for July. There is a lot to cover, so here’s a useful infographic mapping the deployment risk for each platform . More info is available here on Microsoft Security updates for April 2026 . For March, Patch Tuesday delivers fixes for 83 vulnerabilities Microsoft’s March Patch Tuesday release addresses 83 vulnerabilities across Windows, Office, SQL Server, Azure, and .NET — with two publicly disclosed zero-days affecting SQL Server and .NET (though neither is being actively exploited in the wild.) Six additional vulnerabilities spanning the Windows Kernel , Graphics Component , SMB Server , Accessibility Infrastructure , and Winlogon are flagged as “ Exploitation More Likely .” The most significant change this month is the introduction of Common Log File System (CLFS) hardening with signature verification, which will affect how Windows handles log files across the operating system. More info on Microsoft Security updates for March 2026 . February’s Patch Tuesday release fixes 59 flaws, including 6 being exploited The company’s Patch Tuesday release for February addresses 59 CVEs across the company’s product family — roughly half the volume of January’s 159 patches . Six vulnerabilities, affecting Windows Shell, MSHTML, Desktop Window Manager, Remote Desktop, Remote Access, and Microsoft Word, are already being actively exploited. (All five Critical-rated CVEs target Azure services rather than Windows, however.) Both Windows and Office get a “Patch Now” recommendation, with CISA setting a March 3 enforcement deadline for all six exploited vulnerabilities. Two new enforcement timelines also take effect in April: Kerberos RC4 deprecation ( CVE-2026-20833 ) and Windows Deployment Services hardening ( CVE-2026-0386 ). More info on Microsoft Security updates for February 2026 . For January, Patch Tuesday starts off with a bang The first Patch Tuesday release of 2026 addresses 112 CVEs across Microsoft’s product portfolio , including eight rated critical and three zero-day vulnerabilities. One zero-day ( CVE-2026-20805 ), an information disclosure flaw in the Desktop Window Manager, is already under active exploitation, prompting CISA to add it to the Known Exploited Vulnerabilities catalog with a remediation deadline of Feb. 3, 2026. (Note: 95 of the vulnerabilities affect Windows.) More info on Microsoft Security updates for January 2026 . Ho ho ho! December’s Patch Tuesday delivers three zero-days The December Patch Tuesday update addresses three zero-days ( CVE-2025-64671 , CVE-2025-54100 , and CVE-2025-62221 ) but includes surprisingly few total patches (just 57). Notably, Microsoft has not published any critical updates for the Windows platform this month. That said, given the zero-days, we recommend a “Patch Now” release schedule for Windows and Microsoft Office. More info on Microsoft Security updates for December 2025 .
Go to News Site