News

Delayed Microsoft Security Updates Now Planned for March Arrival

• By Kurt Mackie
• 02/16/2017

Microsoft quietly updated a Feb. 14 announcement explaining the delay of its February security updates to state that the updates will now be arriving on March 14, or the next "update Tuesday."

No details were provided. The original announcement now includes the following one-sentence addendum: "UPDATE: 2/15/17: We will deliver updates as part of the planned March Update Tuesday, March 14, 2017."

In addition to deferring Window security updates this month, no Office security updates have arrived.

"Update Tuesday" is Microsoft's official phase for the event popularly known as "patch Tuesday." Patch Tuesday events occur on the second Tuesday of every month, and have been ongoing for years, like clockwork. The patch Tuesday release process originally started back in October of 2003, according to Wikipedia's account.

Microsoft's patch deferral this month is a historic event of sorts. The last time such a delay occurred was almost 10 years ago, according to Chris Goettl, a product manager with Ivanti (formerly known as "Shavlik).

"March 2007 was the last time no Security Bulletins were released," Goettl stated via e-mail today, in response to a question. "I do not recall a significant issue like we are seeing here, however. I believe there were many SP releases that month."

In the absence of an official explanation from Microsoft, rumor has it that Microsoft had problems with its build system used for updates, or at least that's what unnamed "sources" told veteran Microsoft reporter Mary Jo Foley. Goettl commented that "this [explanation] fits with our suspicions as well."

With the delay in getting security updates, experts are pointing to a couple of outstanding issues. First, there remains an unpatched zero-day SMB Windows flaw, which was publicized earlier this month by U.S.-CERT, and was supposed to get a patch this month. As a workaround, US-CERT had recommended blocking outbound SMB connections from a local network to the wide area network.

Next, there's the issue of the Adobe Flash Player, which has been built into Windows since Windows 8. Microsoft ensures it gets patched, at least in the Windows operating system. Presumably, the February patch deferral means it isn't getting those updates this month.

Adobe released updates to Flash Player on Feb. 14 for Windows, Mac and Linux desktop runtimes, as well as for the Microsoft Edge and Internet Explorer browsers, plus the Google Chrome browser. However, keeping Flash properly patched is an involved affair, according to Goettl.

"So when an Adobe Flash update releases, there are many updates that need to be applied before you are considered safe," Goettl explained. "There is Flash Player (MSI), Flash for IE (Active X), Flash for Chrome (PPAPI), and Flash for Firefox (NPAPI). Until you have updated all versions, you are still exposed to the vulnerabilities through each of those user experiences and most systems will typically have 2 to 3 of them installed."

IT pros should keep awareness of potential Flash issues, identify its use in an organization and maybe even take backups of users' machines as a precaution, suggested Spencer Dunford, general manager at SmartDeploy. He also suggested using Chrome or Firefox browsers as a possible approach.

"Most Flash content is consumed by a web browser," Dunford explained via e-mail today. "Edge and Internet Explorer use the Windows 10 inbox install of Flash, making them harder to patch in this scenario. Use third-party browsers such as Chrome or Firefox that have the ability to update independently."

Incidentally, this month, Microsoft had planned to revert back to delivering Internet Explorer security patches separately from its "security-only quality updates" in its update Tuesday releases. That move was being done to address the bulkiness of IE updates for some organizations, Microsoft had explained back in January.