Microsoft releases security updates for Windows products on the second Tuesday of every month, widely known as “Patch Tuesday.” Breaking from the schedule is very rare, allowing IT administrators to plan around the date and make sure systems are prepared for some downtime while the patches install.
This week, Microsoft announced it would be missing its Tuesday release target due to an unforeseen issue. It was assumed the update would arrive later in the week but Microsoft has now confirmed that won’t be the case.
In a post on its TechNet admin blog, Microsoft said the February updates will be bundled up with March’s patches and released together next month. It apologised for the inconvenience caused by the “last minute issue” and decision to postpone the launch, made after all other options had been considered.
“Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems,” said Microsoft. “This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates.”
Microsoft has not publicly detailed the issue that’s held up Patch Tuesday. However, ZDNet reports it’s related to problems in the company’s internal patch building system, preventing the updates from being packaged for release.
Aside from frustrating system administrators, the month-long delay could put computers at risk of attack. February’s update was expected to include an awaited fix for a serious Windows bug. Present in all supported versions of the operating system, the vulnerability was originally assigned a severity rating of 10.0 – the highest possible – by researchers at CERT. It has since been downgraded to 7.8.
The attack exploits a flaw in Windows’ SMB file-sharing protocol to allow outside users to crash computers and potentially execute arbitrary code. It is known to be in active use in the wild, making the quick release of a fix a priority to keep customers protected.
Contrary to this requirement, Microsoft has been accused of ignoring the issue and providing confusing mitigation advice. In one of its notices, issued by a third-party PR firm, the company claimed using Windows 10 could keep users safe. All versions of the operating system are affected equally by the exploit.
The researcher who discovered the issue told Ars Technica that Microsoft intended to release a patch in December. That was delayed until February and now March. With no word from the company on what’s gone wrong, affected systems will be at risk for several more weeks.
