Microsoft announced that, because of one issue with a security patch, it has postponed until March all of the security patches that were supposed to land this month. The delay of the whole patch bundle doesn't seem to make much sense, and for now Microsoft is refusing to provide much information about the delay.
Microsoft tends to patch its Windows operating system at the middle of each month, on a Tuesday. This update schedule has remained largely the same for so long that it caught the colloquial name “Patch Tuesday” more than a decade ago. That is, everyone would expect to get new security patches from Microsoft in the second week of the month, on a Tuesday.
Back in the fall of 2014, Google gave Microsoft 90 days to fix a Windows vulnerability. Microsoft delayed the fix for two days after Google eventually made it public so the patch for that vulnerability would also be part of its upcoming Patch Tuesday. That's how dedicated Microsoft was to keeping the Patch Tuesday schedule intact, even if those two extra days gave attackers a small window of opportunity to exploit the vulnerability.
The way Microsoft saw things, Google was responsible for making users vulnerable to the zero-day because it released the vulnerability two days before Patch Tuesday. Regardless of who bears the most blame for that specific situation, the point is that Microsoft has been unwavering about its decision to maintain Patch Tuesday tradition--until this month, that is.
February Update Delayed Till March
Microsoft released this comment on its TechNet blog, this week, to let everyone know that the expected February update won’t arrive this month:
“Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems,” said the company.
“This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today. After considering all options, we made the decision to delay this month’s updates. We apologize for any inconvenience caused by this change to the existing plan,” added the company.
It then also released the following update to its statement:
“We will deliver updates as part of the planned March Update Tuesday, March 14, 2017.”
On the face of it, the statements are quite curious. Microsoft was saying that because of a single issue with a patch, the whole package with all of the other security fixes will be delayed a whole month as well.
The issue here is not that one of Microsoft's patches was broken and it had to delay it. That is quite understandable and it likely happens every single month. The difference this time is that Microsoft has to delay an entire batch of security fixes because a single one is apparently broken.
We contacted Microsoft asking further questions about this, but the company refused to offer additional comments on the issue, referring us back to the official statement. Because Microsoft isn’t saying what exactly happened, we can only speculate.
Is The Patch Bundle Policy At Fault?
The main reason for the delay could be the fact that Windows 10 doesn’t deliver security patches separately, but in a “patch bundle.” Therefore, if there is an issue with a single patch, the whole bundle may have to be delayed.
The company recently started bundling security patches for Windows 7 and Windows 8.1, as well. This was quite a controversial move, because firstly, it allows Microsoft not to be as transparent with the type of updates it delivers. This is the type of non-transparent decision for which Microsoft has been criticized in the past as well.
Secondly, it could create exactly the same type of issue the company may be experiencing now. If all the updates are tied to each other in a bundle, instead of being more modular, then one issue with a patch could break the whole package.
Thirdly, this sort of delay also unnecessarily increases the security risk for users, because they don’t get the updates they need on time. Let’s say Microsoft notices that one notebook model from a certain manufacturer is having some issues with one patch in the bundle. Now, instead of just delaying the problematic patch until the issue is fixed, Microsoft has to delay the whole bundle for those users, leaving them exposed to potentially dozens of other security issues. (Every Patch Tuesday tends to bring dozens of security patches.)
What happened this time is similar to the given example, except it affects all Windows users. From a reliability point of view, it just seems to make much more sense to keep the patches modular. It’s easier to identify new issues with certain devices this way, and if one issue needs to be fixed, users won’t be denied dozens of other security fixes for weeks or months.
More Update Transparency From Microsoft Would Be Welcome
We believe this issue is important because it leaves so many users without fixes for potentially dozens of new vulnerabilities, for an entire month. Therefore, it would be good if Microsoft could offer some transparency into what happened when it releases its upcoming March patch bundle.