Microsoft plans to skip its monthly round of security patches scheduled for release next Tuesday, despite at least five zero-day vulnerabilities waiting to be fixed.
Redmond is working on patches for known vulnerabilities in Internet Explorer 7, Office 2007’s Publisher 2007 and Windows Vista OS, but is not ready to release any fix at the moment, according to the company.
In its monthly advance notification bulletin posted Friday, the company stated, “No new Microsoft Security Bulletins will be released on March 13, 2007.”
The second Tuesday of each month is Microsoft’s scheduled patch release day.
Breaking the Cycle
The rare break from the regular patch cycle could be designed to give weary IT managers a breather. Last month, Microsoft released 12 updates that fixed 20 vulnerabilities, and in January, the software giant issued four security bulletins and patched 10 bugs.
“Microsoft doesn’t want to slam IT managers,” Laura DiDio, an analyst with the Yankee Group, told TechNewsWorld. That is one of the reasons the company moved from weekly patches to monthly patches a few years ago, she noted. “They don’t want IT managers to be overwhelmed.”
In addition to a busy beginning of March, many IT staffers in the United States have become occupied with the switch to daylight saving time, which Congress moved forward three weeks this year in order to save energy. Many computer systems don’t have the change programmed in and require patching.
However, DiDio acknowledged that this is all conjecture, because Microsoft is remaining mum for now.
“Everyone would feel better about this if they said there are no patches because we have no security problems to fix,” said DiDio, “but we know that isn’t the case.”
The move marks the first time in 18 months that Microsoft has not issued at least one security update in a scheduled patch cycle. Since January 2003, only three months have been sans security fixes, she observed.
Although Redmond isn’t releasing security fixes on Tuesday, it will keep busy by moving ahead with an updated release of its Windows Malicious Software Removal Tool. The program detects and removes common malicious code placed on computers and is pushed out monthly.
“Microsoft continues to investigate potential and existing vulnerabilities in an effort to help protect our customers,” the company said in a statement.
There are five known zero-day holes in Microsoft products that are still out there that can be exploited by hackers, according to eEye Digital Security.
Nine bugs are still listed on the SANS Institute’s Internet Storm Center’s most recent “missing Microsoft patches” chart.