Microsoft's decision to scrap February security updates unnerves patch experts

Cancellation of month's bug fixes came after company first said they would only be delayed

Microsoft this week canceled February's slate of security updates for Windows and its other products, including Office, just a day after saying that the fixes would only be delayed.

Patch experts struggled with the decision, pointing out that known vulnerabilities will go unpatched and that IT planning had been disrupted.

"I was shocked," said Chris Goettl, product manager at patch management vendor Ivanti, formerly Shavlik. "I was really expecting [the patches to release] next week."

On Tuesday, just hours before the month's Patch Tuesday updates were to appear, Microsoft announced a delay. "We discovered a last-minute issue that could impact some customers and was not resolved in time for our planned updates today," the company said at the time. The implication was that February's security fixes would ship as soon as that "last-minute issue" was resolved.

But in a Wednesday revision to the original announcement, Microsoft said, "We will deliver updates as part of the planned March Update Tuesday, March 14, 2017." (Microsoft prefers the label "Update Tuesday" to the more universal "Patch Tuesday.")

Skipping a month's update slate was unprecedented. Although Microsoft has not issued updates on four Patch Tuesdays since the 2003 debut of regularly-scheduled updates -- most recently in March 2007 -- those were instances when no patches had been prepared. It has never missed a month when there were clearly fixes prepped and ready to go.

"This isn't like before when no updates meant nothing was ready," said Susan Bradley, the moderator of the mailing list, where business IT administrators discuss update tradecraft. "Patches were ready. They just -- for whatever unknown reason -- couldn't be delivered." Bradley also writes about Microsoft's patching processes for the Windows Secrets newsletter.

Microsoft has not said what prompted the delay, or what triggered the expansion of that into the month's cancelation.

Without a declaration from the Redmond, Wash. company, speculation about the cause has been rife. Some believed that a single faulty patch had shelved them all, but that made little sense, Goettl said Wednesday when he pointed out that Office patches are delivered separately from those addressing vulnerabilities in Windows. If a single patch for Windows held back the Windows cumulative update, the Office update should have remained viable.

Two days ago, Goettl argued that the extent of the cancelation -- all updates -- hinted at problems with the company's update service infrastructure. In an interview today, he stuck by his guns. "This is something bigger than a single patch," Goettl said, "something with Windows Update or the update replication process."

Bradley decried the lack of information from Microsoft, which, she said, only fueled conjecture, including her own. "My gut tells me something was up with the [update] publishing engine, [but] again merely speculation," she said.

The experts agreed that the cancelation of February's updates will affect Windows customers, but not on the extent of the disruption. "I think there will be minor disruptions, along the lines of needing to re-plan [for deploying the updates] for next month," said Goettl when asked how the missing month would affect IT administrators.

"Is it [having an impact?] I'd say yes, it is, given the vibe I'm getting from my peers," Bradley said.

Without February's patches, security researchers have said, some unprotected systems may be compromised by exploits of now-known vulnerabilities.

Agreeing, Bradley ticked off several obvious ones. "We now have a potentially ticking time bomb on our hands as we're not expected to get [this month's Adobe] Flash update on our Windows 8 and Windows 10 [PCs] until March," she said. "We have a SMB zero-day denial of service [vulnerability] we now need to investigate mediations for."

The latter Windows vulnerability went public Feb. 2; a patch was anticipated in the now-canceled batch that was to ship Tuesday.

And come March, there's a chance that the increased size and complexity -- two months' worth of fixes rather than one -- could toss a wrench into the works. "The [update], when it arrives, at least for the pre-Windows 10 versions, may have twice as much change in it, and most likely, twice as much a chance of breaking something," contended Goettl.

For all the complaints from patch professionals like Goettl and Bradley, as well as IT administrators and Windows users in general, the snafu -- whatever its cause -- will not change Microsoft's fortunes or, in a material way, even its reputation.

"We have no choice to accept [how things are] if we are running Windows," said Bradley, voicing the reality in business. But that doesn't mean customers have to like it.

"If they don't have a Plan B, we don't have one either," Bradley said.
