Security Experts:

Microsoft Postpones February Security Updates to March 14

Microsoft has informed customers that the February security updates, which the company delayed due to unspecified issues, will only be released next month as part of the planned Update Tuesday.

The February 2017 security updates should have been released on Tuesday, but the company told users that the patches had to be delayed “due to a last minute issue that could impact some customers.”

Microsoft shared an update on Wednesday, saying that the February patches will be merged with the ones scheduled for release on March 14.

Johannes B. Ullrich, dean of research at the SANS Technology Institute, believes this is “probably overall the least disruptive solution at this point.”

Since Microsoft decided to postpone the release of the security fixes by a full month, it is likely that none of the vulnerabilities they were supposed to address are critical, although many are concerned about an unpatched denial-of-service (DoS) flaw in Windows caused by how SMB traffic is handled.

It’s still unclear what the last minute issue is, but many believe it could have something to do with cumulative updates. Although, some experts speculated that there may have been a different problem.

“Before the cumulative update model, a single patch could be pulled from the release without impacting the entire Patch Tuesday release. Now, speculation as to if this was an issue with one of the cumulative updates that caused this delay is not entirely unfounded, but thinking about this, if it were one update that was broken Microsoft could release everything else,” said Chris Goettl, product manager with Ivanti. “The fact is Microsoft didn¹t release anything, which sounds more like an infrastructure issue.”

In addition to the SMB-related vulnerability, the next security updates could patch a medium-severity information disclosure flaw discovered by Google Project Zero researchers. The weakness, tracked as CVE-2017-0038, was reported to Microsoft on November 16 and its details were disclosed on Wednesday after the 90 day deadline.

Microsoft will no longer publish security bulletins, replacing them with an online database called Security Updates Guide.

Related: Microsoft Releases Only Four Bulletins on January 2017 Update Tuesday

Related: Microsoft Patches Several Publicly Disclosed Flaws

Related: Microsoft Patches Windows Zero-Day Exploited by Russian Hackers

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.