Microsoft alerted systems administrators this week that the company won't issue its monthly critical security patch package in December, a sort of happy holidays gift. But lest anyone get too excited by the implications of this announcement, be aware that Microsoft products currently contain several known security vulnerabilities, and the reason the company isn't issuing a patch package has more to do with timing than anything else. This situation leads to some obvious questions about Microsoft's decision to release monthly patch packages, the first of which appeared in October. What happens when Microsoft internally finalizes security patches just after the date on which patches are supposed to be issued to the public?
"In response to extensive customer feedback, Microsoft is implementing changes in the way security bulletins are released," the company announced earlier this year. "These changes will help enhance the manageability and predictability of the patch-management process for customers. Security bulletins will normally be released on the second calendar Tuesday of every month." However, on the TechNet Web site this week, the company noted: "Microsoft had no security bulletins to release December 9, 2003, as part of its monthly release cycle for December. If the need arises for emergency patches, they will be issued outside the monthly releases."
And the need will likely arise. In addition to the Microsoft Internet Explorer (IE) vulnerabilities that security researchers discovered in late November, Microsoft is investigating the possibility that intruders could use information in an earlier security patch to unleash a Slammer-style attack on Windows. And the company hinted that some fixes are in the works but didn't make the December 9 cutoff date. "We have made a commitment to release [monthly patch packages] when we're ready, when we have quality patches," Iain Mulholland, a program manager in Microsoft's Security Business Unit, said. "There is simply nothing that has passed the bar yet from a quality perspective for release in [the] December [package]."