Security fixes delayed as Microsoft postpones Patch Tuesday


A surprise announcement yesterday afternoon rattled Microsoft customers: Patch Tuesday is officially delayed for a month.

Microsoft is being close-mouthed. A curt, unsigned post on the Microsoft Security Resource Center simply states: “UPDATE: 2/15/17: We will deliver updates as part of the planned March Update Tuesday, March 14, 2017.”

Microsoft started documenting its security patches with Security Bulletins, but the patches arrived at random. Steve Ballmer announced the Patch Tuesday protocol on Oct. 9, 2003, to “reduce the burden on IT administrators by adding a level of increased predictability and manageability.” Starting with , security patches were generally held until the second – sometimes third or fourth – Tuesday of the month.

The practice of releasing all security patches on Patch Tuesday has been the subject of some well-deserved criticism. See, for example, Christopher Budd’s Oct. 13, 2013, article in . Although out-of-band patches – security patches not released on the second Tuesday – are fairly common, the system has held. There’s never been a skipped Patch Tuesday that I can find, until now.

. No security patches for Internet Explorer (which was supposed to start getting this month), and no .Net security patches. No servicing stack updates, either.

Posters Bill C and The Surfing Pensioner on the have an additional observation: Microsoft Security Essentials updates were down for more than 24 hours. “No MSE update my end since Feb 13, 2017 5:20 PM UTC.”

There’s more: Apparently in anticipation of a Patch Tuesday that never happened, Microsoft pulled the two  it released last week, KB 2952664 (Windows 7) and KB 2976978 (Windows 8.1). KB 2952664 is in the Microsoft Update Catalog, and the KB 2976978 that is  in the Update Catalog is from July 2016.

Two poker hands lie face-up on the table

First, the I talked about earlier this month hasn’t been fixed. See the . It’s not a debilitating security hole – denial of service is the worst effect reported so far – but the exploit code is in the wild, and the hole should’ve been fixed this month.


Microsoft has long claimed that Windows PCs should be patched promptly, as soon as Patch Tuesday rolls around. I’ve long claimed that knee-jerk patching isn’t necessary for most folks, but that said, waiting a full month is a bit of a stretch. It’s odd that Microsoft has left two known security threats unpatched.

I’ve read reams of this month, but there’s been no official word. Those in the know aren’t talking. I’m speculating that the delivery mechanism for the patches has somehow broken down.

Whatever the outcome, we know this for sure: Far better to wait than to proceed with something half fast.

Discussion continues on the .