Patch Tuesday: Delayed Update Arrives As Microsoft Signals End Of Windows Vista

Welcome back. The delayed Patch Tuesday arrives for March and it is a whopper, with 139 vulnerability fixes.

Microsoft has resumed normal service after it delayed February’s ‘Patch Tuesday’ cybersecurity bulletin due to an unspecified issue with one of the patches.

The March Patch Tuesday update is a big one: Microsoft delivered 18 bulletins that patch more than 130 flaws, and confirmed it intends to end support for Windows Vista (first released back in 2007) in April this year.


Update Changes

It should be noted that Microsoft is currently in the process of changing the delivery of its security updates. The February update would have been the first to be communicated via a new online portal, rather than the traditional bulletins it has published for the past 12 years.

The new format is designed so admins can get customised updates for the products and services they use rather than a generic bulletin.

Users will be able to sort updates by Common Vulnerabilities and Exposures (CVE) identifier, knowledge base (KB) number or article ID number. Admins can also filter out vulnerabilities for products they don’t use.

A monthly summary will be available within the portal and Microsoft has stressed that customers will be notified of any out-of-cycle updates. Customers will also be able to sign up for automatic notifications.

But after delaying the February release, Microsoft has reverted to its traditional update delivery, for now.


Expert Take

“It is also noteworthy that Microsoft continued to publish their updates as Security Bulletins this month, despite announcing their intentions to discontinue them in favour of their Security Updates Guide from January,” noted Greg Wiseman, Rapid7’s Senior Security Researcher.

“This month’s Patch Tuesday updates are particularly important due to the delayed release of February’s planned fixes,” he added. “Included are three separate vulnerabilities that were disclosed by external vendors over the past several weeks (with exploit code publicly available) which are now being patched.”

“We knew that Microsoft’s Valentine’s gift to cancel Patch Tuesday on February 14th was only going to be a temporary stay and, sure enough, Patch Tuesday is back and bigger than ever for March,” blogged Karl Sigler, Threat Intelligence Manager at Trustwave.

“Overall there are 18 bulletins patching a massive 139 unique CVEs,” wrote Sigler. “These bulletins are split right down the middle with nine rated as Critical and nine rated as Important. Among the Critical bulletins are remote code execution (RCE) vulnerabilities in the Internet Explorer, Edge browser and Adobe Flash. The Critical list also includes RCE vulnerabilities in the Windows PDF Library, Microsoft Uniscribe.”

According to Amol Sarwate, director of vulnerability research at Qualys, the highest priority overall goes to the Windows GDI bulletin MS17-013 which could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document.

“Overall, it’s going to be very busy for IT departments of all sizes due to the large number of desktop and server patches,” blogged Sarwate. “But most people will be pleasantly surprised that Microsoft kept the older way of clubbing KB articles into security bulletins – at least for March.”
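Taken together, the portal features described above (sort by CVE identifier, filter out products you don't run) and the analysts' advice (bulletins with public exploit code and Critical RCE bulletins first) amount to a simple triage routine. The following is an added example, not code from the article or from Microsoft; the bulletin feed it processes is constructed sample data with placeholder bulletin and CVE identifiers, and it does not query the Security Updates Guide itself.

```python
"""Triage a monthly bulletin feed against a product inventory.

Added example, not from the article or from Microsoft. Every bulletin
record below is constructed sample data with placeholder identifiers;
only the record structure (bulletin id, severity, CVE list, affected
products, exploit status) mirrors what the article says admins can sort
and filter on.
"""
import re
from dataclasses import dataclass

# Microsoft severity ratings, most urgent first.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str          # placeholder id in this example (real ones look like MS17-013)
    severity: str             # Critical / Important / Moderate / Low
    products: frozenset       # affected products
    cves: tuple               # CVE identifiers fixed by this bulletin
    exploit_public: bool = False   # exploit code publicly available at release time


_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def cve_sort_key(cve_id):
    """Sort CVE ids numerically by (year, sequence number).

    Plain string order would put CVE-9999-10000 before CVE-9999-9999."""
    m = _CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE id: {cve_id!r}")
    return (int(m.group(1)), int(m.group(2)))


def triage(bulletins, inventory):
    """Keep only bulletins touching a product in `inventory`, ordered with
    publicly exploited bulletins first, then by severity, then by id."""
    inventory = set(inventory)
    relevant = [b for b in bulletins if b.products & inventory]
    return sorted(
        relevant,
        key=lambda b: (not b.exploit_public,
                       SEVERITY_RANK.get(b.severity, 99),
                       b.bulletin_id),
    )


def cves_to_track(bulletins, inventory):
    """Flat, de-duplicated, numerically sorted list of CVEs that an admin
    with this inventory has to close."""
    ids = {c for b in triage(bulletins, inventory) for c in b.cves}
    return sorted(ids, key=cve_sort_key)


# Constructed sample feed: ids and CVE numbers are placeholders, not real
# bulletins; product names follow the ones the article mentions.
SAMPLE_FEED = [
    Bulletin("MSXX-001", "Critical", frozenset({"Internet Explorer", "Edge"}),
             ("CVE-9999-10000", "CVE-9999-9999")),
    Bulletin("MSXX-002", "Critical", frozenset({"Windows GDI"}),
             ("CVE-9999-0001",), exploit_public=True),
    Bulletin("MSXX-003", "Important", frozenset({"Exchange Server"}),
             ("CVE-9999-0002",)),
    Bulletin("MSXX-004", "Important", frozenset({"Windows PDF Library"}),
             ("CVE-9999-0003",), exploit_public=True),
    Bulletin("MSXX-005", "Critical", frozenset({"Adobe Flash"}),
             ("CVE-9999-0004",)),
]

if __name__ == "__main__":
    # A desktop estate that does not run Exchange or the PDF library.
    desktops = {"Windows GDI", "Internet Explorer", "Edge", "Adobe Flash"}
    for b in triage(SAMPLE_FEED, desktops):
        flag = "EXPLOIT PUBLIC" if b.exploit_public else ""
        print(f"{b.bulletin_id} {b.severity:<9} {', '.join(sorted(b.products))} {flag}")
    print(cves_to_track(SAMPLE_FEED, desktops))
```

The ordering key puts public-exploit status ahead of the vendor severity on purpose: an Important bulletin with exploit code in the wild is usually more urgent for an estate than a Critical one with none, which is the point Wiseman makes about the three externally disclosed flaws.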

Vista Support

Meanwhile one of Microsoft’s least favoured operating systems, Vista, is being retired this year, and it has just over 30 days of life before official support will end.

When it was launched back in 2007, Vista was initially hated by many users who were disappointed by the new OS after the hugely popular Windows XP operating system.

Vista eventually turned out to be a very stable operating system, but over the years it has seen a dwindling market share.

Now Microsoft has revealed that after ten years of support, this official security lifeline will end on 11 April 2017.
