Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Microsoft Postpones February Security Updates to March 14

Microsoft has informed customers that the February security updates, which the company delayed due to unspecified issues, will only be released next month as part of the planned Update Tuesday.

Microsoft has informed customers that the February security updates, which the company delayed due to unspecified issues, will only be released next month as part of the planned Update Tuesday.

The February 2017 security updates should have been released on Tuesday, but the company told users that the patches had to be delayed “due to a last minute issue that could impact some customers.”

Microsoft shared an update on Wednesday, saying that the February patches will be merged with the ones scheduled for release on March 14.

Johannes B. Ullrich, dean of research at the SANS Technology Institute, believes this is “probably overall the least disruptive solution at this point.”

Since Microsoft decided to postpone the release of the security fixes by a full month, it is likely that none of the vulnerabilities they were supposed to address are critical, although many are concerned about an unpatched denial-of-service (DoS) flaw in Windows caused by how SMB traffic is handled.

It’s still unclear what the last minute issue is, but many believe it could have something to do with cumulative updates. Although, some experts speculated that there may have been a different problem.

“Before the cumulative update model, a single patch could be pulled from the release without impacting the entire Patch Tuesday release. Now, speculation as to if this was an issue with one of the cumulative updates that caused this delay is not entirely unfounded, but thinking about this, if it were one update that was broken Microsoft could release everything else,” said Chris Goettl, product manager with Ivanti. “The fact is Microsoft didn¹t release anything, which sounds more like an infrastructure issue.”

In addition to the SMB-related vulnerability, the next security updates could patch a medium-severity information disclosure flaw discovered by Google Project Zero researchers. The weakness, tracked as CVE-2017-0038, was reported to Microsoft on November 16 and its details were disclosed on Wednesday after the 90 day deadline.

Microsoft will no longer publish security bulletins, replacing them with an online database called Security Updates Guide.

Related: Microsoft Releases Only Four Bulletins on January 2017 Update Tuesday

Related: Microsoft Patches Several Publicly Disclosed Flaws

Related: Microsoft Patches Windows Zero-Day Exploited by Russian Hackers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.