[U: Delayed Until March] Uh Oh! Microsoft Delays Patching Publicly-Released Windows Zero-Day Bug
[Update]: Microsoft has said that the updates for critical security flaws will now be released “as part of the planned March Update Tuesday,” on March 14, 2017 – a whole month after they were supposed to go live.
For the first time (ever?), Microsoft delays Patch Tuesday releases
Every month, Microsoft delivers fixes for security exploits along with other improvements. Following reports of a publicly known zero-day bug, today’s update was expected to be an important one. The Redmond software giant, however, said in a blog post today that it is delaying the release due to a last-minute issue that couldn’t be fixed in time for the Patch Tuesday releases.
“Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today.
“After considering all options, we made the decision to delay this month’s updates. We apologize for any inconvenience caused by this change to the existing plan.”
Microsoft didn’t share any further details on what exactly the last-minute issue is. It also isn’t immediately clear when the patches will be made available. We have contacted Microsoft and will update this post if the company shares any more details.
This appears to be the first time since Microsoft began releasing security patches on the second Tuesday of each month that the company hasn’t managed to deliver updates at the scheduled time. Microsoft modified its patching schedule last year. Starting this month, the company isn’t expected to publish security bulletins, replacing them with an online database called Security Updates Guide. In January, both the security bulletins and the release notes in the Security Updates Guide were published.
Following January’s Patch Tuesday, which consisted of only four bulletins, including one for Flash Player exploits, today’s release was expected to be a big one. The company was reportedly going to fix a denial-of-service (DoS) flaw in Windows for which exploit code is public. Earlier in February, a security researcher released a Windows Server zero-day exploit on GitHub after Microsoft failed to release a fix, delaying it until Patch Tuesday despite being warned three months ago.
The zero-day exploit is now available in the wild, and even the scheduled February 14 update was unable to bring a fix because of that unspecified last-minute issue. The public disclosure of the zero-day had triggered a security advisory from the US-CERT Coordination Center (CERT/CC).