Microsoft this week canceled February’s slate of security updates for Windows and its other products, including Office, just a day after saying that the fixes would only be delayed.
Patch experts struggled with the decision, pointing out that known vulnerabilities will go unpatched and that IT planning had been disrupted.
“I was shocked,” said Chris Goettl, product manager at patch management vendor Ivanti, formerly Shavlik. “I was really expecting [the patches to release] next week.”
On Tuesday, just hours before the month’s Patch Tuesday updates were to appear, Microsoft announced a delay. “We discovered a last-minute issue that could impact some customers and was not resolved in time for our planned updates today,” the company said at the time. The implication was that February’s security fixes would ship as soon as that “last-minute issue” was resolved.
But in a Wednesday revision to the original announcement, Microsoft said, “We will deliver updates as part of the planned March Update Tuesday, March 14, 2017.” (Microsoft prefers the label “Update Tuesday” to the more universal “Patch Tuesday.”)
Skipping a month’s update slate was unprecedented. Although Microsoft has not issued updates on four Patch Tuesdays since the 2003 debut of regularly-scheduled updates—most recently in March 2007—those were instances when no patches had been prepared. It has never missed a month when there were clearly fixes prepped and ready to go.
“This isn’t like before when no updates meant nothing was ready,” said Susan Bradley, the moderator of the PatchMangement.org mailing list, where business IT administrators discuss update tradecraft. “Patches were ready. They just—for whatever unknown reason—couldn’t be delivered.” Bradley also writes about Microsoft’s patching processes for the Windows Secrets newsletter.
Microsoft has not said what prompted the delay, or what triggered the expansion of that into the month’s cancelation.
Without a declaration from the Redmond, Wash. company, speculation about the cause has been rife. Some believed that a single faulty patch had shelved them all, but that made little sense, Goettl said Wednesday when he pointed out that Office patches are delivered separately from those addressing vulnerabilities in Windows. If a single patch for Windows held back the Windows cumulative update, the Office update should have remained viable.
Two days ago, Goettl argued that the extent of the cancelation—all updates—hinted at problems with the company’s update service infrastructure. In an interview today, he stuck by his guns. “This is something bigger than a single patch,” Goettl said, “something with Windows Update or the update replication process.”
Bradley decried the lack of information from Microsoft, which, she said, only fueled conjecture, including her own. “My gut tells me something was up with the [update] publishing engine, [but] again merely speculation,” she said.
The experts agreed that the cancelation of February’s updates will affect Windows customers, but not on the extent of the disruption. “I think there will be minor disruptions, along the lines of needing to re-plan [for deploying the updates] for next month,” said Goettl when asked how the missing month would affect IT administrators.
“Is it [having an impact?] I’d say yes, it is, given the vibe I’m getting from my peers,” Bradley said.
Without February’s patches, security researchers have said, some unprotected systems may be compromised by exploits of now-known vulnerabilities.
Agreeing, Bradley ticked off several obvious ones. “We now have a potentially ticking time bomb on our hands as we’re not expected to get [this month’s Adobe] Flash update on our Windows 8 and Windows 10 [PCs] until March,” she said. “We have a SMB zero-day denial of service [vulnerability] we now need to investigate mediations for.”
The latter Windows vulnerability went public Feb. 2; a patch was anticipated in the now-canceled batch that was to ship Tuesday.
And come March, there’s a chance that the increased size and complexity—two months’ worth of fixes rather than one—could toss a wrench into the works. “The [update], when it arrives, at least for the pre-Windows 10 versions, may have twice as much change in it, and most likely, twice as much a chance of breaking something,” contended Goettl.
For all the complaints from patch professionals like Goettl and Bradley, as well as IT administrators and Windows users in general, the snafu—whatever its cause—will not change Microsoft’s fortunes or in a material way, even its reputation.
“We have no choice to accept [how things are] if we are running Windows,” said Bradley, voicing the reality in business. But that doesn’t mean customers have to like it.
“If they don’t have a Plan B, we don’t have one either,” Bradley said.
This story, “Microsoft’s decision to scrap February security updates unnerves patch experts” was originally published by Computerworld.