Tomorrow will not be “Patch Tuesday” after all, Microsoft announced late Friday, only a day after it said it would release a single patch, albeit a critical one.
“Late in the testing process, Microsoft encountered a quality issue that necessitated the update to go through additional testing and development before it is released,” the company said on its TechNet Web site. Microsoft did not say what the quality issue is. The patch was to fix an unidentified flaw in Windows.
Potential Quality Issues
“It’s a safe bet that the patch as is either does not entirely fix the vulnerability or causes some other system instability,” Ed Moyle, president of SecurityCurve, told TechNewsWorld.
Microsoft, Moyle added, is doing the right thing in not releasing the patch.
“There’s a trend toward reverse engineering patches to see what a vendor’s fixed. Knowingly putting out an incomplete patch or a patch with detrimental side effects is dangerous: Either one tips your hand and allows anybody who goes looking to uncover other problems,” he said.
“It’s much better to get it right the first time, even if it means updating an already-published timetable.”
Pat on the Back
Moyle gives Microsoft, often criticized for its security woes, credit for its handling of this issue.
“I think the fact that they haven’t released the patch says something positive about their release process rather than something negative. There are always going to be people lining up to take their whack at the Microsoft pinata, but in my opinion, it’s nice to know that they are testing this stuff, that they are making risk/benefit decisions in deciding to put the patch out or not, and that in the game of secure product vs. PR, secure product wins,” he said.
Microsoft will still release an updated malicious software removal tool.
Some have questioned the wisdom of “Patch Tuesday” — the second Tuesday of every month — which Microsoft has designated for releasing security fixes. Critics say it gives hackers a heads-up on flaws they can exploit before patches are put in place. On the other hand, IT departments like being able to schedule updates.
“It’s a balancing act between leaving the platform vulnerable and allowing customers to plan deployment of patches strategically. Make the patch cycle too short or not have a cycle, and you reduce the planning aspect; make the cycle too long, and you start leaving critical systems open to attack,” Moyle said.