Security fixes delayed as Microsoft postpones Patch Tuesday

Known security vulnerabilities in SMB and Flash are left unpatched, indicating an unprecedented problem, but Microsoft isn't talking


A surprise announcement yesterday afternoon rattled Microsoft customers: Patch Tuesday is officially delayed for a month.

Microsoft is being close-mouthed. A curt, unsigned post on the Microsoft Security Resource Center TechNet blog simply states: "UPDATE: 2/15/17: We will deliver updates as part of the planned March Update Tuesday, March 14, 2017."

Microsoft started documenting its security patches with Security Bulletins in 1998, but the patches arrived at random. Steve Ballmer announced the Patch Tuesday protocol on Oct. 9, 2003, to “reduce the burden on IT administrators by adding a level of increased predictability and manageability.” Starting with MS03-041, security patches were generally held until the second – sometimes third or fourth – Tuesday of the month.

The practice of releasing all security patches on Patch Tuesday has been the subject of some well-deserved criticism. See, for example, Christopher Budd’s Oct. 13, 2013, article in GeekWire. Although out-of-band patches – security patches not released on the second Tuesday – are fairly common, the system has held. There’s never been a skipped Patch Tuesday that I can find, until now.

It looks like the skipped security month covers more than “just” Windows. There have been no recent security patches for Vista, Windows 7, Windows 8.1, and Windows 10 versions 1507, 1511, and 1607. There are also no security patches this month for Office 2010, 2013, 2016, or the Office 365 Click-to-Run current channel version 1611; none for Internet Explorer (which was supposed to start getting its own security patches this month); and no .Net security patches. No servicing stack updates, either.

Posters Bill C and The Surfing Pensioner on the AskWoody Lounge have an additional observation: Microsoft Security Essentials updates were down for more than 24 hours. “No MSE update my end since Feb 13, 2017 5:20 PM UTC.”

There’s more: Apparently in anticipation of a Patch Tuesday that never happened, Microsoft pulled the two snooping patches it released last week, KB 2952664 (Windows 7) and KB 2976978 (Windows 8.1). KB 2952664 is not available in the Microsoft Update Catalog, and the KB 2976978 that is available in the Update Catalog is from July 2016.
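Administrators who want to know whether the two pulled updates named above ever landed on their machines can query the installed-hotfix inventory. The following PowerShell is an added example for this article, not Microsoft's own tooling; it uses the standard Get-HotFix cmdlet, and the KB numbers are the two cited in the paragraph above. It reports each KB as installed (with the install date) or absent, and exits non-zero if either is present so it can be dropped into an inventory script.

```powershell
# Added example: check whether KB 2952664 (Windows 7) and KB 2976978 (Windows 8.1),
# the two updates this article says Microsoft pulled, are present on this machine.
# Run in an elevated PowerShell session; works on Windows 7 / 8.1 / 10.

$kbsToCheck = @('KB2952664', 'KB2976978')

# Get-HotFix reports updates recorded in the Windows installed-updates store.
# A missing KB produces a non-terminating error, so suppress it and test for $null.
$found = @()
foreach ($kb in $kbsToCheck) {
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($null -ne $hotfix) {
        $installedOn = if ($hotfix.InstalledOn) { $hotfix.InstalledOn.ToString('yyyy-MM-dd') } else { 'unknown date' }
        Write-Output ("{0}: INSTALLED on {1}" -f $kb, $installedOn)
        $found += $kb
    } else {
        Write-Output ("{0}: not installed" -f $kb)
    }
}

# Non-zero exit lets a calling inventory script flag machines that still carry either update.
if ($found.Count -gt 0) {
    Write-Output ("Pulled updates present: {0}" -f ($found -join ', '))
    exit 1
}
exit 0
```

Get-HotFix only sees updates that registered themselves as hotfixes; if a KB was installed and later removed it will not appear, which is the expected result after an uninstall.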

Two poker hands lie face-up on the table

First, the SMB bug I talked about earlier this month hasn’t been fixed. See the CERT Vulnerability Note VU#867968. It’s not a debilitating security hole – denial of service is the worst effect reported so far – but the exploit code is in the wild, and the hole should’ve been fixed this month.

Second, Flash hasn’t been updated. Günter Born has details on his BornCity blog.

Microsoft has long claimed that Windows PCs should be patched promptly, as soon as Patch Tuesday rolls around. I’ve long claimed that knee-jerk patching isn’t necessary for most folks, but that said, waiting a full month is a bit of a stretch. It’s odd that Microsoft has left two known security threats unpatched.

I’ve read reams of rumors about why Microsoft is skipping security patches this month, but there’s been no official word. Those in the know aren’t talking. I’m speculating that the delivery mechanism for the patches has somehow broken down.

Whatever the outcome, we know this for sure: Far better to wait than to proceed with something half fast.

Discussion continues on the AskWoody Lounge.
