It's the first time the company hasn't gone through with its monthly Patch Tuesday release since September 2005. The security update was scheduled to be released Tuesday, March 13.
"There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges," said a Microsoft spokesman in an e-mailed response to InformationWeek. "Microsoft continues to investigate potential and existing vulnerabilities in an effort to help protect our customers. Creating security updates that effectively and comprehensively fix vulnerabilities is an extensive process involving a series of sequential steps. All updates need to meet testing standards in order to be released. This ensures that our customers can confidently install these updates in their environment."
Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center, says he's surprised that Microsoft won't release any patches this month since there are nine known vulnerabilities affecting Microsoft Office and Explorer.
"It's kind of funny with all the outstanding bugs today, and they have nothing to offer," he says. "I would expect some help to come."
Ullrich says the most critical known bug is in Microsoft Word 2000 and Word XP. The bug, which is being exploited, allows hackers to remotely control infected machines. Ullrich notes that the vulnerability has been publicly known since Feb. 9. "I would have expected it to be fixed this month," he adds.
Dan Hubbard, VP of security research at Websense, agrees with Ullrich that the Word vulnerability, which is a buffer overflow problem, is the most serious of all the outstanding Microsoft bugs. He says they've seen the bug being exploited in small, isolated cases. As serious as the flaw is, security experts say it hasn't been a widespread problem. Last month, InformationWeek reported that hackers used the then-unknown vulnerability to launch an attack against two employees at the same company.
With this vulnerability, a user has to open a malicious Office file attachment, such as a Word document, in an e-mail. If the file is opened, a Trojan or bot is downloaded onto the victim's computer, leaving it open for remote access. The infected machine then could be used as a zombie, or part of a botnet, to send out spam or launch denial-of-service attacks.
"It's not a widespread threat, but it's no picnic for the people being targeted," says Hubbard.
Paul Henry, VP of technologies with Secure Computing, says he's guessing that Microsoft found a problem within the patches themselves and decided to hold off for the month.
"I'm always concerned. Unpatched vulnerabilities out there create issues, and the bad guys take advantage to create havoc in our networks," Henry says. "I'd rather have something than nothing. It's a matter of how broken it is. If it introduces a lesser vulnerability, I'd go ahead with the patch. I'd rather have it be my choice."
In its advance notification alert, Microsoft announced that it will release two high-priority, non-security updates through Windows Update and Software Update Services, and four high-priority, non-security updates through Microsoft Update and Windows Server Update Services.
Last month, Microsoft patched 12 vulnerabilities. Six of them were critical.