Last month, Microsoft took the unprecedented step of canceling Patch Tuesday, the company’s monthly release of security fixes for its large stable of software products. The move meant that customers had to wait 28 days to receive updates that fixed vulnerabilities that allowed hackers to completely hijack computers and networks.
The last-minute move was all the more unusual because Microsoft made it a few days after exploit code for a Windows 10 flaw was released into the wild. In the nine days that followed the cancellation, technical details for two more serious vulnerabilities—one in Windows and the other in the Edge and Internet Explorer browsers—were also disclosed. Microsoft’s security team almost certainly knew the latter two flaws would become public knowledge because Google’s Project Zero privately reported the vulnerabilities to Microsoft and the bugs were subject to Google’s long-standing 90-day disclosure deadline.
Microsoft finally patched the bugs when Patch Tuesday resumed earlier this week with a release that was unusually big by historical measures. That’s good, but customers had still been forced to wait 28 days to get the fixes. And, as already noted, details about at least three of them were already well-known. So far, Microsoft hasn’t explained why it canceled February’s releases except to say the situation was prompted by an unspecified “last-minute issue.” ZDNet writer Mary Jo Foley, meanwhile, said unnamed people speculate that the cancellation was the result of a “problem with Microsoft’s build system.”
When asked earlier this week for more details, company officials issued the following statement:
Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. We extensively test our updates prior to release and are confident that our systems are working as expected and the issue that delayed the February updates is resolved.
Of course, the statement could mean anything, from something as innocuous as a bug in one of the planned fixes to something as catastrophic as an outside party compromising the system Microsoft uses to develop software and distribute it to the world. As such, the statement really doesn’t count as meaningful explanation. Instead, it borrows from the same marketing playbook Microsoft used a few days before canceling Patch Tuesday, when the company was asked for security guidance on reports of a code-execution exploit. As Ars noted then, when marketers drive communications concerning a reported zero-day exploit, customers lose.
On Thursday, Microsoft said it had nothing more to say on the cancellation.
Patch Tuesday has occurred regularly for more than 13 years. During that time, it has never been canceled, although one former Microsoft security boss, in a now-deleted Tweet, reported there were one or more close calls. And in fairness to Microsoft, the cancellation may have been related to company’s recent move to make updates cumulative, meaning they’re tested for bugs only on systems that install the entire package. That might cause a problem with a single patch to scuttle the entire release.
But even if the cancellation was for the most banal of reasons, Microsoft’s silence is just wrong. If protecting customers truly is Microsoft’s top priority, company officials should explain exactly why they delayed critical bug fixes for four weeks. Canceling Patch Tuesday at the last minute is a major event that warrants an explanation. Microsoft needs more than hollow platitudes to restore trust.