No Windows Patch on Patch Tuesday as Microsoft Pulls the Patch
There is no patch from Microsoft today. Yes, it’s true. Just as surely as Wednesday night was Prince Spaghetti Night, the second Tuesday of the month is Microsoft Patch Day, yet the software giant has pulled the patch it was planning to release today.

Indeed, as recently as last Thursday, Mike Reavey, a lead Security Program Manager with Microsoft, posted to the Microsoft Security Response Center (MSRC) blog that “This coming Tuesday, we’re planning to release one security bulletin, and its (sic) in Windows. The maximum severity rating for this is Critical, so please update systems as soon as possible. We don’t expect this update to cause a reboot and it can be deployed and detected with MBSA, Microsoft Update, and WSUS. Also, we’re going to release an updated version of the Malicious Software Removal Tool.”

However, later in the week Reavey posted that “we’ve had a little change in plans for next week and wanted to make you all aware of it. This afternoon we revised the information in the Advance Notification to reflect a change for next week’s release. Microsoft will not be issuing any new security updates on September 13th as part of the September monthly bulletin release cycle.”

Why did Microsoft pull the patch, especially one rated “Critical”? According to Reavey, they found a quality issue with the patch, and so decided to delay its release. Explained Reavey on the blog today, “While the decision to not ship the security update was a difficult one, it was encouraging to see that several customers, security researchers and even the press felt it was the right decision.”

Apparently not all customers and press feel that it was the right decision. Security Focus quotes several industry participants as being quite concerned about the turn of events. “There’s knowledge of a flaw and, because (Microsoft) can’t meet the deadline of the next few days, they’re going to delay it a month. So from a security point of view, we have a hole that is known but not patched,” said one member of a security mailing list. “In my scheduled time with limited resources, I allocate a certain amount of time to patching systems. I may not want to do an out-of-band or ad-hoc deployment of a critical patch that is not related to a virus outbreak or worm. I understand the day may arise where 0-day worms are created. However, until such time I am going to stick to my schedule,” said another.

“Almost every other major software company is still able to produce a patch in a short time, but Microsoft takes six months or more,” observed Marc Maiffret of eEye Digital Security. Still, as Bruce Schneier of Counterpane Internet Security points out, “This is the Catch-22 for software vendors. A badly written, badly tested patch would be worse than the attack. Microsoft has to get it right. The problem is that they also have to get it fast.”
