Microsoft’s Delay Of This Month’s Security Patch Bundle Makes Little Sense

Microsoft announced that, because of one issue with a security patch, it has postponed until March all of the security patches that were supposed to land this month. The delay of the whole patch bundle doesn't seem to make much sense, and for now Microsoft is refusing to provide much information about the delay.

Patch Tuesday

Microsoft tends to patch its Windows operating system at the middle of each month, on a Tuesday. This update schedule has remained largely the same for so long that it caught the colloquial name “Patch Tuesday” more than a decade ago. That is, everyone would expect to get new security patches from Microsoft in the second week of the month, on a Tuesday.

Back in the fall of 2014, Google gave Microsoft 90 days to fix a Windows vulnerability. Microsoft delayed the fix for two days after Google eventually made it public so the patch for that vulnerability would also be part of its upcoming Patch Tuesday. That's how dedicated Microsoft was to keeping the Patch Tuesday schedule intact, even if those two extra days gave attackers a small window of opportunity to exploit the vulnerability.

The way Microsoft saw things, Google was responsible for making users vulnerable to the zero-day because it released the vulnerability two days before Patch Tuesday. Regardless of who bears the most blame for that specific situation, the point is that Microsoft has been unwavering about its decision to maintain Patch Tuesday tradition--until this month, that is.

February Update Delayed Till March

Microsoft released this comment on its TechNet blog, this week, to let everyone know that the expected February update won’t arrive this month:

“Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems,” said the company.

“This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today. After considering all options, we made the decision to delay this month’s updates. We apologize for any inconvenience caused by this change to the existing plan,” added the company.

It then also released the following update to its statement:

“We will deliver updates as part of the planned March Update Tuesday, March 14, 2017.”

On the face of it, the statements are quite curious. Microsoft was saying that because of a single issue with a patch, the whole package with all of the other security fixes will be delayed a whole month as well.

The issue here is not that one of Microsoft's patches was broken and it had to delay it. That is quite understandable and it likely happens every single month. The difference this time is that Microsoft has to delay an entire batch of security fixes because a single one is apparently broken.

We contacted Microsoft asking further questions about this, but the company refused to offer additional comments on the issue, referring us back to the official statement. Because Microsoft isn’t saying what exactly happened, we can only speculate.

Is The Patch Bundle Policy At Fault?

The main reason for the delay could be the fact that Windows 10 doesn’t deliver security patches separately, but in a “patch bundle.” Therefore, if there is an issue with a single patch, the whole bundle may have to be delayed.

The company recently started bundling security patches for Windows 7 and Windows 8.1, as well. This was quite a controversial move, because firstly, it allows Microsoft not to be as transparent with the type of updates it delivers. This is the type of non-transparent decision for which Microsoft has been criticized in the past as well.

Secondly, it could create exactly the same type of issue the company may be experiencing now. If all the updates are tied to each other in a bundle, instead of being more modular, then one issue with a patch could break the whole package.

Thirdly, this sort of delay also unnecessarily increases the security risk for users, because they don’t get the updates they need on time. Let’s say Microsoft notices that one notebook model from a certain manufacturer is having some issues with one patch in the bundle. Now, instead of just delaying the problematic patch until the issue is fixed, Microsoft has to delay the whole bundle for those users, leaving them exposed to potentially dozens of other security issues. (Every Patch Tuesday tends to bring dozens of security patches.)

What happened this time is similar to the given example, except it affects all Windows users. From a reliability point of view, it just seems to make much more sense to keep the patches modular. It’s easier to identify new issues with certain devices this way, and if one issue needs to be fixed, users won’t be denied dozens of other security fixes for weeks or months.

More Update Transparency From Microsoft Would Be Welcome

We believe this issue is important because it leaves so many users without fixes for potentially dozens of new vulnerabilities, for an entire month. Therefore, it would be good if Microsoft could offer some transparency into what happened when it releases its upcoming March patch bundle.

Create a new thread in the US News comments forum about this subject
This thread is closed for comments
15 comments
    Your comment
  • ethanolson
    I'm kinda relieved. My Server 2016 installs have been barking constantly about updates. Maybe I'll have a break for a bit.
    1
  • Math Geek
    considering they chose to "patch" win 10 with a full many GB iso file each and every time. a single problem would stop the whole thing from coming out. sucks but how they been doing it since win 10 came out.

    they are playing with individual patches like we were used to in the past with the insider builds and they said all should shift back to them after the next big public update in april. we shall see. we are seeing smaller updates as insiders at times, others are full isos still, so hopefully this trend will continue forever.

    was funny when they made the announcement to the insiders. they made it out like it was this new awesome idea they just came up with. no mention of the fact that this was how we got updates since windows has come out. wonder how much of a bonus some exec got for that brilliant idea he had!!!
    0
  • ah
    Since upgrade to Windows 10, I've had a lot of issues. Finally I decided to have a clean install 2 weeks ago. Now, my system cannot do a restore point, nor undo it. Technicians from ms support remotely access my computer trying to resolve the issue, after 2 hours they gave up. Now I'm having a paid technician come to my place this afternoon. Thank u very much:)
    1