Microsoft Silently Rolls Out The Mega-Security Patch It Skipped In February

Last month, Microsoft inexplicably skipped the whole patch cycle that would’ve likely delivered fixes for dozens of security flaws. The company has now released a massive patch bundle that fixes 134 vulnerabilities. Microsoft has remained silent on why it chose to delay the February update in the first place.

Skipping A Month's Worth Of Updates

Windows is a large operating system with hundreds of millions of lines of code, so it’s almost expected to have at least a few dozen vulnerabilities that are found and fixed every month. This is why it’s important to deliver those updates in a timely manner; otherwise, it just leaves more time for attackers to take advantage of them.

Sometimes, certain bugs are harder to fix because they affect how a critical component of the operating system functions. Fixing such a bug could mean breaking many programs, which Microsoft likely tries to avoid as much as possible.

Therefore, sometimes it’s understandable when Microsoft takes more than three months to fix a bug, even if it was already made public and many attackers were free to exploit it. However, in this case, Microsoft didn’t just delay one patch, but at least several dozen, without any explanation.

We can only speculate on why it happened like this, because even now, Microsoft remains tight-lipped about it. The likely reason is Microsoft’s new update mechanism, called a “rollup model,” through which the company delivers many updates in a single file.

Microsoft’s argument in favor of this seems quite reasonable. The idea is that the company doesn’t want users to “pick and choose” their updates, even if some patches may be detrimental to their systems. It wants all the Windows versions out there to be less fragmented, which Microsoft says should lead to more reliable and more secure Windows systems.

However, this still doesn’t explain why Microsoft couldn’t have simply taken the patch that wasn’t ready out of the bundled file and delivered the rest to users, instead of leaving them exposed to dozens of vulnerabilities for a whole month.

March Patch Tuesday

Because Microsoft delayed the February Patch Tuesday until March, it was expected that many vulnerabilities would now be fixed. The March Patch Tuesday consisted of 17 security bulletins, which included fixes for 134 vulnerabilities. Almost half of the security bulletins were rated “critical,” which implies remote code execution bugs. The rest were rated “important.”

Microsoft has continued to publish security bulletins that let users see what kind of vulnerabilities were patched. However, the company has said in the past that it will stop publishing these bulletins in the near future, making its whole updating scheme even more opaque to users.

The Windows GDI security bulletin seems to be the highest-priority bulletin, as the vulnerabilities it contains could allow attackers to compromise users through a specially crafted web page or document. This zero-day flaw is also currently being exploited in the wild, so we’re already getting a sense that attackers enjoyed the extra time Microsoft allowed them by skipping February’s update rollup.

The next priority update was the one for Microsoft’s Server Message Block (SMB) protocol. A vulnerability in this protocol allows an attacker to take control of a client that connects to the server.

The fact that the protocol had a dangerous vulnerability has been known since last month, and a proof of concept exploit was released back then, too. Microsoft likely couldn’t fix it in time without breaking too many systems, so it must have decided to release the patch this month. Windows enterprise customers had to rely on mitigations from third-party security vendors.

A series of vulnerabilities in both of Microsoft’s browsers could allow attackers to craft a special web page that would give them remote code execution on the users’ systems. A similar flaw was found in Office, and an attacker could gain remote code execution on a user’s machine through a specially crafted document.

Other remote code execution flaws were found in Microsoft’s Exchange, Hyper-V, and IIS server software. The Active Directory Federation Server also had a vulnerability that could allow attackers to read sensitive information about the target system.

There seem to have been plenty of critical vulnerabilities affecting both mainstream and enterprise users in this Patch Tuesday update, in part because some of them were denied a patch last month.

Because there are so many patches applied to Windows in one go, it will be interesting to see whether this has caused more issues with people’s computers than previous Patch Tuesday rollups. When fewer updates are applied, it’s easier for Microsoft to track down the cause than when there are more of them, each potentially affecting how another works.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • tamalero
    Plot twist, some of the vulnerabilities that were found, were related to backdoors for CIA. Thus they had to patch the known ones and make new ones :P
  • WhyAreYou
    Thanks microsoft, I guess
  • 1800Allen
    By silently you mean through the same means and notifications as a regular patch Tuesday?
  • kep55
    Big deal. I haven't been able to run Windows Update since last August on any of my Win7 machines. And before you say upgrade to Win10, I've tried and none of the downloads or installs worked.
  • alextheblue
    19429988 said:
    By silently you mean through the same means and notifications as a regular patch Tuesday?
    Beat me to it! LMAO. Like they did something different when they released this patch vs any other patch. Also: They skipped a month... all my clocks jumped forward an hour! Coincidence?? The end is upon us!

    19431276 said:
    Big deal. I haven't been able to run Windows Update since last August on any of my Win7 machines. And before you say upgrade to Win10, I've tried and none of the downloads or installs worked.
    Take one of them to a shop. I'm sure someone can figure out what is broken/corrupt on your machines that is causing these issues. If you wanted to try something first, MS actually has an update troubleshooter too you might want to check out. Just do a Bing search for "windows update troubleshooter" and it should pop up with a suggestion box link to a download.
  • shrapnel_indie
    19431762 said:
    19429988 said:
    By silently you mean through the same means and notifications as a regular patch Tuesday?
    Beat me to it! LMAO. Like they did something different when they released this patch vs any other patch. Also: They skipped a month... all my clocks jumped forward an hour! Coincidence?? The end is upon us!

    19431276 said:
    Big deal. I haven't been able to run Windows Update since last August on any of my Win7 machines. And before you say upgrade to Win10, I've tried and none of the downloads or installs worked.
    Take one of them to a shop. I'm sure someone can figure out what is broken/corrupt on your machines that is causing these issues. If you wanted to try something first, MS actually has an update troubleshooter too you might want to check out. Just do a Bing search for "windows update troubleshooter" and it should pop up with a suggestion box link to a download.

    You can't forget that MS played with the update system on older OSes like Win7, 8, and 8.1... making it harder to find and get the needed patches when and where available... by hook or by crook, they'll force everyone to get Win10... or force them to move to Mac or Linux.... if they don't willingly upgrade.

    This update package thing too... is another slap in the face of users and IT. Take all the bundle or else none of it, because "we" (Microsoft) know better than anyone else what you need and/or want in an operating system. Great way to force new unwanted integrated "features" on us all... for they'll hold us all hostage to unfixed vulnerabilities if we don't.
  • spotify95
    I haven't been able to update my Windows 7 machines via Windows Update either, for a long time. I've just switched off WU since then. Hasn't affected the usability of my machines.
  • kep55
    19431276 said:
    Big deal. I haven't been able to run Windows Update since last August on any of my Win7 machines. And before you say upgrade to Win10, I've tried and none of the downloads or installs worked.
    Take one of them to a shop. I'm sure someone can figure out what is broken/corrupt on your machines that is causing these issues. If you wanted to try something first, MS actually has an update troubleshooter too you might want to check out. Just do a Bing search for "windows update troubleshooter" and it should pop up with a suggestion box link to a download.
    On all three machines? One of which is still set up OEM style? PUH-LEEZ. There's something wrong with the update process. Maybe they can detect I was part of the Insider program and know I slammed every build I tried.