February 20, 2017 By Douglas Bonderud 2 min read

IT admins know it’s coming. The second Tuesday of every month is patch day or update day, when big tech vendors like Microsoft, Adobe and SAP release their latest round of security fixes. Not only does this necessitate extra care on the part of IT teams to ensure systems are ready for updates, but it also puts them on the hook to warn users about potential performance issues.

But on Tuesday, Feb. 14, Microsoft announced a sudden “patching delay” — now, the company plans to bundle this month’s fixes with the scheduled March batch. Enterprises are worried: Did the Redmond, Washington, giant just hand out a huge hacker Valentine?

Patch Tuesday Put on Hold

As noted by CSO Online, Microsoft didn’t announce the delay until Patch Tuesday, citing a “last minute issue” that prevented the rollout. At first, no fixed timeline was given for the eventual updates, but it’s now been confirmed that February and March patches are coming together next month.

While the company hasn’t offered any specifics on the patching delay, some experts suspect it’s linked to Windows Update infrastructure, specifically the upcoming move from Security Bulletins to the Security Updates Guide as the ultimate portal for Microsoft patch details. This was supposed to go live in February, and a widespread implementation problem might have triggered the delay. But if only a single aspect of the patch was problematic, why not release everything else ASAP and roll in any outliers next month?

Time Crunch

Microsoft isn’t known for delaying patches — according to The Verge, this kind of hold back is “unprecedented,” given that the company rarely misses the deadline even for individual updates. But whatever the reason, IT security pros have serious concerns.

“Even without knowing all the details, I find such a decision very hard to justify,” Carsten Eiram, chief research officer of Risk Based Security, told CSO Online. “They are aware of vulnerabilities in their products and have developed fixes; those should always be made available to customers in a timely fashion.”

The Problem With a Patching Delay

Incoming fixes for two big issues stand out. First is a memory disclosure vulnerability in the Windows gdi32.dll component discovered by Google Project Zero. There was speculation that this flaw would be remedied in the February updates, but with the delay, it’s now over the 90-day disclosure deadline, prompting Project Zero to make the details public in hopes of reducing risk.

Second is a zero-day vulnerability in the SMB file-sharing protocol — if cybercriminals breach the firewall, it’s possible to crash affected systems. While there’s supposedly minimal risk of malware infection or data compromise, many companies are uncomfortable with the idea of waiting on a fix for this widely known issue.

Ultimately, Microsoft is staying mum on exactly what caused the delay, leaving companies to wait until March for their next round of updates. For cybercriminals, this is quite the gift: Known vulnerabilities remain unpatched for the next four weeks, offering a kind of compromise countdown. With no updates forthcoming, they’re free to leverage flaws until the middle of March. For companies, this means an increased focus on perimeter security and the expectation of a substantial spring patch.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today