Update: There will be no Microsoft patches for the month of February.  The ones that were scheduled for this month will now be released on March 14 (next regular Patch Tuesday).

Microsoft announced, a few months ago, that beginning in February the security bulletins and summaries to which we had grown accustomed were going away as of February 2017. Since then, many have been anticipating this month’s Patch Tuesday with a little apprehension. The culmination of that anxiety turned out to be a bit anti-climactic, at least for this date. The second Tuesday is here but the patches aren’t; the company issued a brief statement that reads:

Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today.

After considering all options, we made the decision to delay this month’s updates. We apologize for any inconvenience caused by this change to the existing plan.

There’s no indication as to the nature of the last-minute issue nor the duration of the delay, so all we can do is wait and see.  Some who plan their calendars around the patch release undoubtedly will be inconvenienced. Others may have view this as an unexpected gift since yesterday was, after all, the holiday of hearts and flowers. Ironically, I posted on Facebook last night a tongue-in-cheek “Whose idea was it to put Patch Tuesday on Valentine’s Day?”  

The self-centered side of me wants to believe someone in the MSRC saw my post, although with the laments about how sick I am with a nasty cold, and took pity on me. Then there’s the pessimistic side that grumbles that now I can’t check it off my lengthy “to do” list and wonders if I’ll be the victim of some unpatched exploit in the interim.  The practical side – the one I try to nurture – acknowledges that this was just a stroke of luck for which I should be and am grateful.

The inquisitive side just wonders what’s going on. This is the first time, in the many years I’ve been covering Patch Tuesday releases for various publications, that I’ve seen an announcement like this. Oh, the patch release – normally scheduled for 10 a.m. Pacific Time – has been late a few times, sometimes by only a few minutes and occasionally longer – but I haven’t seen an announcement like this that raises more questions than it answers.

Does this last-minute issue affect all of the patches that were scheduled for release today? Not infrequently, we’ve seen a number missing in the sequence of patches, indicating that one had been pulled for more work.  The recent move toward “roll-up” patches that incorporate all the fixes for a given operating system rather than individual updates that address only a few vulnerabilities means you can’t just pull one flawed patch and release the rest.

Given the reference to the “best possible experience for customers,” is it possible that complaints regarding the demise of the old security bulletin format have caused a rethinking of that decision?  But surely that wouldn’t be a reason to delay the release of critical patches – bulletins could be added after the fact.

Was it discovered that one or more of the patches have some catastrophic side effect, like the “endless reboot loop” that plagued one of the Windows 10 updates not so long ago?  Anyone who has been doing this for any period of time knows that when it comes to security fixes, sometimes the cure can be worse than the problem it addresses. It certainly would make sense for Microsoft to want to avoid a fiasco that renders a significant number of systems unusable and customers disgruntled.

We can speculate to the extent of our imaginations – and I confess that I have an active one – but the bottom line is that we have very little real information at this point. Perhaps the patches will be released later today. Perhaps not. Stay tuned for more news on this month’s patches when we have it.

Get your free 30-day GFI LanGuard trial

Get immediate results. Identify where you’re vulnerable with your first scan on your first day of a 30-day trial. Take the necessary steps to fix all issues.