Microsoft Forced to Release Surprise Flash Fix After Delaying Patch Tuesday Releases Last Week
Microsoft delayed its scheduled Patch Tuesday releases last week due to an unspecified “last minute issue”. The company was expected to patch a zero-day security flaw and another critical vulnerability with its February security updates. Last night, Microsoft released a surprise out-of-band security update fixing several flaws. However, the company still failed to patch the two zero-day flaws that have been publicly disclosed.
Microsoft issues surprise Flash fixes, leaves zero-days at risk
Redmond software maker attracted some negative press and consumer backlash last week when it delayed a patch due to some unspecified reasons. Following this, Google publicly disclosed the exploit code of a zero-day flaw, noting that it had waited for 90 days for Microsoft to release the patch. Ahead of Google, another security researcher had also released exploit code of a separate flaw citing the same reasons that Microsoft had failed to patch the flaw despite being warned over 3 months ago.
Following this pressure, in a surprise out-of-band release, the company released patches to several security flaws in Adobe Flash for its customers using Internet Explorer and Edge browser. However, it still hasn’t offered any patches for the publicly available zero-days.
Security Update for Adobe Flash Player (4010250): This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.
This month’s Patch Tuesday was the first time when the company had to delay sending security patches. However, we have seen at least 3 different reports in the last few months where security researchers have complained about Microsoft being slow with releasing the patches, waiting for over 3 months to release the patches.
It is unknown why the company chose to release this security patch outside of its scheduled Patch Tuesday releases. Microsoft hasn’t patched the two publicly available flaws, and it is unclear whether the company will offer more of these out-of-band patches before the next Patch Tuesday that falls on March 14 to fix the rest of these flaws.