With Daylight Savings Time patches being deployed and tested, corporate I.T. administrators can catch their breath next week as Microsoft scrubs its monthly Patch Tuesday release.
Despite eEye Digital Security's Zero-Day Tracker showing at least five zero-day software vulnerabilities are as yet unaddressed, Redmond said it has no plans to issue new software security updates in March.
Last month, Microsoft released 12 updates that patched 20 security holes in its products. January saw four security bulletins that addressed 10 bugs. Redmond is reportedly developing fixes for vulnerabilities in Publisher 2007, Internet Explorer 7, and Windows Vista, but I.T. admins will have to wait until at least April to plug the security holes.
Security Researchers Puzzled
Microsoft has only skipped Patch Tuesday a few times since it launched the monthly security patch distribution cycle in 2003. Microsoft's last Patch Tuesday time out was September 2005. Security researchers are offering various responses to the news.
"We were not expecting this and we're not sure what to make of it," said Mikko H. Hypponen, chief research officer at F-Secure.
PI Dynamics Security Evangelist Michael Sutton, however, has some definite opinions. He said that, while there can be little doubt that coordinating a patch release takes a tremendous amount of planning and effort, it is cause for concern when an opportunity to release patches for unpatched vulnerabilities expires without action.
"You will find no fewer than a dozen vulnerabilities that have been reported to Microsoft," Sutton said, noting advisories posted by TippingPoint and eEye. "Many of the advisories are several months old, so it is difficult to accept that Microsoft has not had sufficient time to prepare a patch."
A Welcome Reprieve?
Meanwhile, Thomas Kristensen, CTO of Secunia, said he has the impression that many I.T. admins welcome the monthly patch reprieve. What's more, he said he is confident that Microsoft would have released patches on Tuesday if they were ready.
"Generally speaking, it just seems like Microsoft cleared their pipeline last month, which is good as all security fixes ought to go out as soon as possible after they have been through quality assurance testing," Kristensen said. From his perspective, malicious code writers probably won't gain any ground in the next 30 days despite the unpatched bugs.
Microsoft still plans to release an updated version of its Windows Malicious Software Removal Tool on March 13, and also will release two high-priority, nonsecurity updates for Windows through the Windows Update and Software Update services and four high-priority, nonsecurity updates through Microsoft Update and Windows Server Update services.
Microsoft could not immediately be reached for comment on its decision not to issue security patches this month.