IT admins know it’s coming. The second Tuesday of every month is patch day or update day, when big tech vendors like Microsoft, Adobe and SAP release their latest round of security fixes. Not only does this necessitate extra care on the part of IT teams to ensure systems are ready for updates, but it also puts them on the hook to warn users about potential performance issues.
But on Tuesday, Feb. 14, Microsoft announced a sudden “patching delay” — now, the company plans to bundle this month’s fixes with the scheduled March batch. Enterprises are worried: Did the Redmond, Washington, giant just hand out a huge hacker Valentine?
Patch Tuesday Put on Hold
As noted by CSO Online, Microsoft didn’t announce the delay until Patch Tuesday, citing a “last minute issue” that prevented the rollout. At first, no fixed timeline was given for the eventual updates, but it’s now been confirmed that February and March patches are coming together next month.
While the company hasn’t offered any specifics on the patching delay, some experts suspect it’s linked to Windows Update infrastructure, specifically the upcoming move from Security Bulletins to the Security Updates Guide as the ultimate portal for Microsoft patch details. This was supposed to go live in February, and a widespread implementation problem might have triggered the delay. But if only a single aspect of the patch was problematic, why not release everything else ASAP and roll in any outliers next month?
Microsoft isn’t known for delaying patches — according to The Verge, this kind of hold back is “unprecedented,” given that the company rarely misses the deadline even for individual updates. But whatever the reason, IT security pros have serious concerns.
“Even without knowing all the details, I find such a decision very hard to justify,” Carsten Eiram, chief research officer of Risk Based Security, told CSO Online. “They are aware of vulnerabilities in their products and have developed fixes; those should always be made available to customers in a timely fashion.”
The Problem With a Patching Delay
Incoming fixes for two big issues stand out. First is a memory disclosure vulnerability in the Windows gdi32.dll component discovered by Google Project Zero. There was speculation that this flaw would be remedied in the February updates, but with the delay, it’s now over the 90-day disclosure deadline, prompting Project Zero to make the details public in hopes of reducing risk.
Second is a zero-day vulnerability in the SMB file-sharing protocol — if cybercriminals breach the firewall, it’s possible to crash affected systems. While there’s supposedly minimal risk of malware infection or data compromise, many companies are uncomfortable with the idea of waiting on a fix for this widely known issue.
Ultimately, Microsoft is staying mum on exactly what caused the delay, leaving companies to wait until March for their next round of updates. For cybercriminals, this is quite the gift: Known vulnerabilities remain unpatched for the next four weeks, offering a kind of compromise countdown. With no updates forthcoming, they’re free to leverage flaws until the middle of March. For companies, this means an increased focus on perimeter security and the expectation of a substantial spring patch.