Last month, Microsoft inexplicably skipped the whole patch cycle that would’ve likely delivered fixes for dozens of security flaws. The company has now released a massive patch bundle that fixes 134 vulnerabilities. Microsoft has remained silent on why it chose to delay the February update in the first place.
Skipping A Month's Worth Of Updates
Windows is a large operating system with hundreds of millions of lines of code, so it’s almost expected to have at least a few dozen vulnerabilities that are found and fixed every month. This is why it’s important to deliver those updates in a timely manner; otherwise, it just leaves more time for attackers to take advantage of them.
Sometimes, certain bugs are harder to fix because they affect how a critical component of the operating system functions. Fixing it could mean breaking many programs, which Microsoft likely tries to avoid as much as possible.
Therefore, sometimes it’s understandable when Microsoft takes more than three months to fix a bug, even if it was already made public and many attackers were free to exploit it. However, in this case, Microsoft didn’t just delay one patch, but at least several dozen, without any explanation.
We can only speculate on why it happened like this, because even now, Microsoft remains tight-lipped about it. The likely reason is Microsoft’s new update mechanism, called a “rollup model,” through which the company delivers many updates in a single file.
Microsoft’s argument in favor of this seems quite reasonable. The idea is that the company doesn’t want users to “pick and choose” their updates, even if some patches may be detrimental to their systems. It wants all the Windows versions out there to be less fragmented, which Microsoft says should lead to more reliable and more secure Windows systems.
However, this still doesn’t explain why Microsoft couldn’t have just taken out the patch that wasn’t ready out of the bundled file, and deliver the rest to users, instead of leaving them exposed to dozens of vulnerabilities for a whole month.
March Patch Tuesday
Because Microsoft delayed the February Patch Tuesday until March, it was expected that there would be many vulnerabilities that would now be fixed. The March Patch Tuesday consisted of 17 security bulletins, which included fixes for 134 vulnerabilities. Almost half of the security bulletins were “critical,” which implies remote code execution bugs. The other half was marked as “important.”
Microsoft has continued to do security bulletins that allow users to see what kind of vulnerabilities were patched. However, the company has said in the past that it will stop doing these bulletins in the near future, making its whole updating scheme even more opaque to users.
The Windows GDI security bulletin seems to be the highest-priority bulletin, as the vulnerabilities contained in it could allow attackers to hack users through a specially crafted web page or document. This zero-day flaw is also currently being exploited in the wild, so we’re already getting a sense that attackers enjoyed the extra time Microsoft allowed them with the skipping of February’s update rollup.
The next priority update was the one for Microsoft’s Server Message Block (SMB) protocol. A vulnerability in this protocol allows an attacker to take control of the client that connects to the servers.
The fact that the protocol had a dangerous vulnerability has been known since last month, and a proof of concept exploit was released back then, too. Microsoft likely couldn’t fix it in time without breaking too many systems, so it must have decided to release the patch this month. Windows enterprise customers had to rely on mitigations from third-party security vendors.
A series of vulnerabilities in both of Microsoft’s browsers could allow attackers to craft a special web page that would give them remote code execution on the users’ systems. A similar flaw was found in Office, and an attacker could gain remote code execution on a user’s machine through a specially crafted document.
Other remote code execution flaws were found in Microsoft’s Exchange, Hyper-V, and IIS server software. The Active Directory Federation Server also had a vulnerability that could allow attackers to read sensitive information about the target system.
There seems to have been plenty of critical vulnerabilities that affected both mainstream and enterprise users in this Patch Tuesday update, in part because some of them were denied a patch last month.
Because there are so many patches applied to Windows in one go, it will be interesting to see whether this has caused more issues with people’s computers than previous Patch Tuesday rollups. When fewer updates are applied, it’s easier for Microsoft to track down the cause than when there are more of them, each potentially affecting how another works.
