Microsoft this week canceled February’s slate of security updates for Windows and its other products, including Office, just a day after saying that the fixes would only be delayed.
Patch experts struggled with the decision, pointing out that known vulnerabilities will go unpatched and that IT planning had been disrupted.
“I was shocked,” said Chris Goettl, product manager at patch management vendor Ivanti, formerly Shavlik. “I was really expecting [the patches to release] next week.”
On Tuesday, just hours before the month’s Patch Tuesday updates were to appear, Microsoft announced a delay. “We discovered a last-minute issue that could impact some customers and was not resolved in time for our planned updates today,” the company said at the time. The implication was that February’s security fixes would ship as soon as that “last-minute issue” was resolved.
But in a Wednesday revision to the original announcement, Microsoft said, “We will deliver updates as part of the planned March Update Tuesday, March 14, 2017.” (Microsoft prefers the label “Update Tuesday” to the more universal “Patch Tuesday.”)
Skipping a month’s update slate was unprecedented. Although Microsoft has not issued updates on four Patch Tuesdays since the 2003 debut of regularly scheduled updates—most recently in March 2007—those were instances when no patches had been prepared. It has never missed a month when there were clearly fixes prepped and ready to go.
“This isn’t like before when no updates meant nothing was ready,” said Susan Bradley, the moderator of the PatchManagement.org mailing list, where business IT administrators discuss update tradecraft. “Patches were ready. They just—for whatever unknown reason—couldn’t be delivered.” Bradley also writes about Microsoft’s patching processes for the Windows Secrets newsletter.
Microsoft has not said what prompted the delay, or what triggered the expansion of that into the month’s cancelation.