Skip to main content

Microsoft’s Delay Of This Month’s Security Patch Bundle Makes Little Sense

Microsoft announced that, because of one issue with a security patch, it has postponed until March all of the security patches that were supposed to land this month. The delay of the whole patch bundle doesn't seem to make much sense, and for now Microsoft is refusing to provide much information about the delay.

Patch Tuesday

Microsoft tends to patch its Windows operating system at the middle of each month, on a Tuesday. This update schedule has remained largely the same for so long that it caught the colloquial name “Patch Tuesday” more than a decade ago. That is, everyone would expect to get new security patches from Microsoft in the second week of the month, on a Tuesday.

Back in the fall of 2014, Google gave Microsoft 90 days to fix a Windows vulnerability. Microsoft delayed the fix for two days after Google eventually made it public so the patch for that vulnerability would also be part of its upcoming Patch Tuesday. That's how dedicated Microsoft was to keeping the Patch Tuesday schedule intact, even if those two extra days gave attackers a small window of opportunity to exploit the vulnerability.

The way Microsoft saw things, Google was responsible for making users vulnerable to the zero-day because it released the vulnerability two days before Patch Tuesday. Regardless of who bears the most blame for that specific situation, the point is that Microsoft has been unwavering about its decision to maintain Patch Tuesday tradition--until this month, that is.

February Update Delayed Till March

Microsoft released this comment on its TechNet blog, this week, to let everyone know that the expected February update won’t arrive this month:

“Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems,” said the company.“This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today. After considering all options, we made the decision to delay this month’s updates. We apologize for any inconvenience caused by this change to the existing plan,” added the company.

It then also released the following update to its statement:

“We will deliver updates as part of the planned March Update Tuesday, March 14, 2017.”

On the face of it, the statements are quite curious. Microsoft was saying that because of a single issue with a patch, the whole package with all of the other security fixes will be delayed a whole month as well.

The issue here is not that one of Microsoft's patches was broken and it had to delay it. That is quite understandable and it likely happens every single month. The difference this time is that Microsoft has to delay an entire batch of security fixes because a single one is apparently broken.

We contacted Microsoft asking further questions about this, but the company refused to offer additional comments on the issue, referring us back to the official statement. Because Microsoft isn’t saying what exactly happened, we can only speculate.

Is The Patch Bundle Policy At Fault?

The main reason for the delay could be the fact that Windows 10 doesn’t deliver security patches separately, but in a “patch bundle.” Therefore, if there is an issue with a single patch, the whole bundle may have to be delayed.

The company recently started bundling security patches for Windows 7 and Windows 8.1, as well. This was quite a controversial move, because firstly, it allows Microsoft not to be as transparent with the type of updates it delivers. This is the type of non-transparent decision for which Microsoft has been criticized in the past as well.

Secondly, it could create exactly the same type of issue the company may be experiencing now. If all the updates are tied to each other in a bundle, instead of being more modular, then one issue with a patch could break the whole package.

Thirdly, this sort of delay also unnecessarily increases the security risk for users, because they don’t get the updates they need on time. Let’s say Microsoft notices that one notebook model from a certain manufacturer is having some issues with one patch in the bundle. Now, instead of just delaying the problematic patch until the issue is fixed, Microsoft has to delay the whole bundle for those users, leaving them exposed to potentially dozens of other security issues. (Every Patch Tuesday tends to bring dozens of security patches.)

What happened this time is similar to the given example, except it affects all Windows users. From a reliability point of view, it just seems to make much more sense to keep the patches modular. It’s easier to identify new issues with certain devices this way, and if one issue needs to be fixed, users won’t be denied dozens of other security fixes for weeks or months.

More Update Transparency From Microsoft Would Be Welcome

We believe this issue is important because it leaves so many users without fixes for potentially dozens of new vulnerabilities, for an entire month. Therefore, it would be good if Microsoft could offer some transparency into what happened when it releases its upcoming March patch bundle.

  • ethanolson
    I'm kinda relieved. My Server 2016 installs have been barking constantly about updates. Maybe I'll have a break for a bit.
    Reply
  • Math Geek
    considering they chose to "patch" win 10 with a full many GB iso file each and every time. a single problem would stop the whole thing from coming out. sucks but how they been doing it since win 10 came out.

    they are playing with individual patches like we were used to in the past with the insider builds and they said all should shift back to them after the next big public update in april. we shall see. we are seeing smaller updates as insiders at times, others are full isos still, so hopefully this trend will continue forever.

    was funny when they made the announcement to the insiders. they made it out like it was this new awesome idea they just came up with. no mention of the fact that this was how we got updates since windows has come out. wonder how much of a bonus some exec got for that brilliant idea he had!!!
    Reply
  • ah
    Since upgrade to Windows 10, I've had a lot of issues. Finally I decided to have a clean install 2 weeks ago. Now, my system cannot do a restore point, nor undo it. Technicians from ms support remotely access my computer trying to resolve the issue, after 2 hours they gave up. Now I'm having a paid technician come to my place this afternoon. Thank u very much:)
    Reply
  • alextheblue
    A lot of very vocal people (including some journalists) are practically flipping out over this. Personally, I don't think it's a big enough deal to warrant more than a raised eyebrow.
    Reply
  • tomhreader
    Once I install a windows operating system, I freeze it as it is, I put a firewall on it and block all updates, shutdown all services calling to microsoft and make a disk image backup. If something breaks, in 5 minutes I have the system back as it was when I installed it.
    Reply
  • JamesSneed
    There is a lot of hoopla for not knowing. Could this just be they did all there regression testing with this patch, found an issue, and realized when they back it out it could have other implications? Now they don't have time to retest, so they are pulling everything?
    Reply
  • 2Be_or_Not2Be
    19310588 said:
    Once I install a windows operating system, I freeze it as it is, I put a firewall on it and block all updates, shutdown all services calling to microsoft and make a disk image backup. If something breaks, in 5 minutes I have the system back as it was when I installed it.

    That's a bad practice. That means you can get compromised by every exploit that happens after you've "frozen" your image. You may not even know you've been compromised with how deeply & quietly some malware can operate. Blocking all updates is a terrible idea for any OS, and should never be endorsed or recommended.

    The only way you could justify never updating at all is the PC is never connected to any network or the Internet, and it can't be accessed externally.
    Reply
  • tomhreader
    19311279 said:
    19310588 said:
    Once I install a windows operating system, I freeze it as it is, I put a firewall on it and block all updates, shutdown all services calling to microsoft and make a disk image backup. If something breaks, in 5 minutes I have the system back as it was when I installed it.

    That's a bad practice. That means you can get compromised by every exploit that happens after you've "frozen" your image. You may not even know you've been compromised with how deeply & quietly some malware can operate. Blocking all updates is a terrible idea for any OS, and should never be endorsed or recommended.

    The only way you could justify never updating at all is the PC is never connected to any network or the Internet, and it can't be accessed externally.

    Never had (at least until now) any problems. As I said I use a firewall, only entry point in my system is the browser, which I regularly update and protect it with malwarebyte anti-exploit.
    Reply
  • Windows 10 is just a train wreck. Windows 7 Update was never broken until they purposely slowed down update servers. In my opinion Windows 10 won't live long. OS is too buggy, unpredictable, and often causes compatibility issues with new updates or things simply break. By 2020 shareholders will have something to say about it.
    Reply
  • 2Be_or_Not2Be
    19311648 said:
    19311279 said:
    19310588 said:
    Once I install a windows operating system, I freeze it as it is, I put a firewall on it and block all updates, shutdown all services calling to microsoft and make a disk image backup. If something breaks, in 5 minutes I have the system back as it was when I installed it.

    That's a bad practice. That means you can get compromised by every exploit that happens after you've "frozen" your image. You may not even know you've been compromised with how deeply & quietly some malware can operate. Blocking all updates is a terrible idea for any OS, and should never be endorsed or recommended.

    The only way you could justify never updating at all is the PC is never connected to any network or the Internet, and it can't be accessed externally.

    Never had (at least until now) any problems. As I said I use a firewall, only entry point in my system is the browser, which I regularly update and protect it with malwarebyte anti-exploit.

    I understand the intent, but your vulnerability to exploits increases every day you ignore security patches. That's because new exploits are created all the time, and that means the number of things to which you are vulnerable increases consequentially if you're not patching.

    A firewall won't stop malware that hits you through ad networks, nor will it stop anything that might hit you through downloads or social networks. Malwarebytes can detect quite the number of bad stuff, but often that's only AFTER you were affected. You could have keyloggers or other things that have disabled your protection & are merrily running in the background, recording and transmitting all of your passwords. All because it got into your system through a browser exploit that wasn't patched or an unpatched system vulnerability attacked through a file download.

    I can understand being wary of automatic patches & trying to understand what is going on before installing some patches, but never patching is a terrible idea and should NEVER be encouraged.
    Reply