IT administrators who expected a fresh bouquet of security patches on February Patch Tuesday were left empty handed, and wonder if the cited technical issue is related to its new rollup model.
Microsoft unexpectedly delayed the release of its regular monthly security bulletin for Windows operating systems on Tuesday, due to a "last-minute issue that could impact some customers and was not resolved in time for our planned updates today," the company said in a terse blog post.
Amol Sarwate, director of vulnerability labs for Qualys in Redwood City, Calif., said this was the first Patch Tuesday postponement he could recall in nearly two decades. The reason for the delayed patch hasn't been revealed, but changes to Microsoft's rollup model, which bundles multiple security updates into a single file, has made patching Windows systems a more complicated affair.
"There were some people who were concerned that, if we cannot install one patch individually, and then something goes wrong with one patch, we cannot uninstall just that patch," Sarwate said. "Now that the patches are bundled, I don't know if the issues are in one patch or in multiple patches. But, as a result, everything had to be delayed."
Microsoft needs to quickly provide an update on when the patches will arrive so that administrators can prepare, Sarwate said.
"In the security space, a lot of people have their weeks planned for Patch Tuesday. Organizations put that day aside."
[Editor's note: Microsoft updated its blog on February 15 to say it would release the February security bulletins on the next Patch Tuesday on March 14.]
The February Patch Tuesday postponement follows a relatively light January Patch Tuesday, which had four bulletins.
SMB exploit remains unpatched
Many Windows admins expected Microsoft to close a zero-day vulnerability in the Server Message Block (SMB) network file sharing protocol. An attacker who exploits this flaw could crash systems running Windows 8.1, Windows 10, Windows Server 2012 R2 and Windows Server 2016.
An attacker could send a malicious link that, if clicked, would trigger a denial of service and cause unpatched Windows systems to crash, although attackers would not be able to gain control of the server, Sarwate said.
The CERT Coordination Center initially graded the SMB vulnerability with a severity of 10 -- the maximum score -- but later downgraded it to a 7.8.
Delay affects decisions for IT workers
Harjit Dhaliwal, a senior systems administrator at University of Vermont, handles patches for approximately 5,000 Windows Client and Windows Server systems. He learned about the Patch Tuesday delay from a bulletin on the SANS Institute Internet Storm Center site.
The zero-day SMB exploit was a topic of discussion among IT personnel at the university, who deliberated whether they should issue a manual fix for the exploit or wait for Microsoft to patch the flaw, Dhaliwal said. Because Microsoft has not indicated when the patches will arrive, he is unsure how his department will proceed.
"If we do a manual workaround, we have to consider what applications and other things might break," Dhaliwal said.
Microsoft's delay might not affect many organizations that typically wait a week -- or several weeks -- after Patch Tuesday to push out fixes. Dhaliwal's workplace is particularly aggressive, though, and issues Windows patches 24 hours after Microsoft releases them.
"Servers are generally the ones that get patched very quickly because we feel server security is very critical, especially when you have endpoints trying to connect to them or have important software applications that run on them," said Dhaliwal.
While the delay affects his workload, Dhaliwal was heartened by Microsoft's decision to run the patches through additional tests.
"We've seen patches released and, soon after, people discover bugs, whether it's crashes with the kernel or black screens or some third-party product [that] doesn't work," he said. "So it's fine with me if it takes a day or two to pull the patches and fine-tune them."
Dan Cagen is the associate site editor for SearchWindowsServer. Write to him at [email protected]. SearchWindowsServer site editor Tom Walat contributed to this report.
Implement managed service accounts to reduce exposure
What to do with bad security updates
Windows Server 2016 networking gets a boost