Microsoft releases a package of security fixes on the second Tuesday of every month covering the previous four weeks.
Some are for publicly known vulnerabilities in Microsoft products, while others are from internally detected or privately disclosed reports from professional security researchers.
But there is often a rash of exploits that arrive shortly after Microsoft releases its patches.
Some of these target vulnerabilities covered in the Patch Tuesday release, hoping to catch users who have not yet installed the fix. Others are so-called zero-day exploits, which target previously unknown flaws not fixed by the monthly release.
Bruce Schneier, security expert and chief technology officer at BT Counterpane, believes that this is not a coincidence.
"There are often a couple of weeks during which systems are vulnerable, and exploit writers are taking advantage of this," Schneier told vnunet.com.
"When Microsoft releases a patch users want to get it as quickly as possible. Every day they wait is a day during which they are vulnerable.
"On the other hand, any patch must be extensively tested. Those two requirements are impossible to meet at the same time. Not difficult, impossible."
Along with the need for carefully tested patches, Microsoft is faced with many customers that run large networks.
Installing patches on such networks is a time-consuming process, and the company found that many of those large-network customers were unable to deal with sporadic patch releases.
"There is a profound difference in being an administrator and knowing when your patches are coming, compared with constantly having to scramble," Alfred Huger, senior director of engineering at Symantec Security Response, told vnunet.com.
The rise in exploits and proof-of-concept code for attacks seen after Patch Tuesday is down to several factors, explained Huger. One is from security researchers who had previously found the vulnerability and reported it to Microsoft confidentially.
"There is still a lot of recognition for people who post vulnerabilities and do vulnerability research," he said.
After the flaw has been disclosed to Microsoft and the patch issued, the researcher will take credit for the discovery by releasing proof-of-concept code that could be used in an attack.
Another source of post-Patch Tuesday attacks comes from exploit developers taking advantage of the fresh crop of vulnerability disclosures.
"Once malware writers become aware of the fact that there is a vulnerability they can turn that around pretty easily," Huger explained.
Finally, there are the malware developers who have an attack for a previously undisclosed zero-day exploit.
By waiting until after Microsoft has released its monthly patch, the malware author hopes to extend the amount of time the exploit can freely target even the most up-to-date applications.
Microsoft occasionally issues special 'out-of-cycle' fixes for zero-day attacks that are actively infecting systems.
The company uses several guidelines when deciding whether to issue an out-of-cycle fix, according to Mark Griesi, security programme manager for the Microsoft Security Response Center.
"It can be a critical vulnerability for which there is no record of any exploits, or it could be a responsible disclosure," Griesi told vnunet.com.
"If it is disclosed and made public, another thing we look at is whether customers are being affected. It could just be proof-of-concept code. But beyond that, even if those two things happen, are we really seeing customers impacted?"
The convenience of sticking to a regular schedule, at the expense of some flexibility, has been a welcome trade-off, according to Griesi.
"Having updates come out every couple of weeks, companies can potentially find themselves in a constant cycle," he said.
Schneier admitted that the advantages of the Patch Tuesday system outweigh the drawbacks.
"It has actually worked well," he said. "In general, I think Microsoft deserves praise for this. It is a hard decision because you're balancing two things."
However, Huger argued that, while it is useful to have a patch system to which customers can adhere, it would be better to generate secure applications in the first place.
Huger admitted that no code is error-proof, but stressed that software companies could do more to minimise the number of security holes.
"The problem that Microsoft faces is not specific to Microsoft. Every software company will have vulnerabilities and needs to have fairly diligent controls in place," he said. "At the end of the day the question is how you deal with it."