Microsoft announced on Thursday that it will not release any security updates next week as a part of its monthly patch cycle.This is the first time in 18 months that Microsoft has decided to hold off on releasing any patches on the second Tuesday of the month.
A company spokesperson said that while Microsoft is working on fixes for several known flaws, it needed more time to develop patches that passed its quality control process.
“Microsoft continues to investigate potential and existing vulnerabilities in an effort to help protect our customers. Creating security updates that effectively and comprehensively fix vulnerabilities is an extensive process involving a series of sequential steps," said the spokesperson. "All updates need to meet testing standards in order to be released. This ensures that our customers can confidently install these updates in their environment.”
Many IT administrators will take this month’s reprieve as an opportunity to play catch up, said Eric Shultze, chief security architect at Shavlik Technologies.
Last month Microsoft released 12 security bulletins. Stacked up with daylight-saving configuration duties and a spate of recent Quicktime and Firefox fixes, this month was already brewing to be a busy one for overworked technologists.
“It’s a welcome change from last month,” said Schultze. “People are still trying to get caught up from that and trying to keep up with daylight-saving time changes. So it’s a nice breather.”
He did warn administrators not to get too complacent, though.
“It also means that you might get a double-whammy next month,” he said. “Microsoft has a very good test program for the security patches, and if the patches don’t meet their standards then they’ll pull them. So it is probable that Microsoft had a handful of patches ready, but the testing didn’t prove out. So those patches are going to be held back to be fixed and retested to go along with the ones scheduled for next month anyway. Next month could be really bad,” Schultze said.
Currently eEye Digital Security lists seven known zero-day vulnerabilities for Microsoft products which remain unpatched. However, most security experts don’t begrudge Microsoft the extra time needed to fix these known flaws.
“I don’t see anything so pressing that I’m saying ‘Where is it?’” said Russ Cooper, senior information security analyst at Cybertrust. “We don’t have any customers currently that are being exploited by something for which there is no patch.”