February 20, 2017 By Douglas Bonderud 2 min read

IT admins know it’s coming. The second Tuesday of every month is patch day or update day, when big tech vendors like Microsoft, Adobe and SAP release their latest round of security fixes. Not only does this necessitate extra care on the part of IT teams to ensure systems are ready for updates, but it also puts them on the hook to warn users about potential performance issues.

But on Tuesday, Feb. 14, Microsoft announced a sudden “patching delay” — now, the company plans to bundle this month’s fixes with the scheduled March batch. Enterprises are worried: Did the Redmond, Washington, giant just hand out a huge hacker Valentine?

Patch Tuesday Put on Hold

As noted by CSO Online, Microsoft didn’t announce the delay until Patch Tuesday, citing a “last minute issue” that prevented the rollout. At first, no fixed timeline was given for the eventual updates, but it’s now been confirmed that February and March patches are coming together next month.

While the company hasn’t offered any specifics on the patching delay, some experts suspect it’s linked to Windows Update infrastructure, specifically the upcoming move from Security Bulletins to the Security Updates Guide as the ultimate portal for Microsoft patch details. This was supposed to go live in February, and a widespread implementation problem might have triggered the delay. But if only a single aspect of the patch was problematic, why not release everything else ASAP and roll in any outliers next month?

Time Crunch

Microsoft isn’t known for delaying patches — according to The Verge, this kind of hold back is “unprecedented,” given that the company rarely misses the deadline even for individual updates. But whatever the reason, IT security pros have serious concerns.

“Even without knowing all the details, I find such a decision very hard to justify,” Carsten Eiram, chief research officer of Risk Based Security, told CSO Online. “They are aware of vulnerabilities in their products and have developed fixes; those should always be made available to customers in a timely fashion.”

The Problem With a Patching Delay

Incoming fixes for two big issues stand out. First is a memory disclosure vulnerability in the Windows gdi32.dll component discovered by Google Project Zero. There was speculation that this flaw would be remedied in the February updates, but with the delay, it’s now over the 90-day disclosure deadline, prompting Project Zero to make the details public in hopes of reducing risk.

Second is a zero-day vulnerability in the SMB file-sharing protocol — if cybercriminals breach the firewall, it’s possible to crash affected systems. While there’s supposedly minimal risk of malware infection or data compromise, many companies are uncomfortable with the idea of waiting on a fix for this widely known issue.

Ultimately, Microsoft is staying mum on exactly what caused the delay, leaving companies to wait until March for their next round of updates. For cybercriminals, this is quite the gift: Known vulnerabilities remain unpatched for the next four weeks, offering a kind of compromise countdown. With no updates forthcoming, they’re free to leverage flaws until the middle of March. For companies, this means an increased focus on perimeter security and the expectation of a substantial spring patch.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today