Microsoft has been forced to pull its Patch Tuesday security update due to an unspecified last-minute problem, meaning organizations are still waiting for a fix to a zero-day denial of service bug.
A brief update from Microsoft read:
“Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today.
After considering all options, we made the decision to delay this month’s updates. We apologize for any inconvenience caused by this change to the existing plan.”
The problem is compounded because Microsoft has now changed the way it releases updates, meaning individual patches are no longer available. So if there is an issue with one fix, it holds up all the others too.
That’s particularly bad news this month as there’s a vulnerability waiting to be fixed for which exploit code is publicly available.
The Microsoft Windows SMB Tree Connect Response denial of service vulnerability was announced at the beginning of February.
It’s a memory corruption bug in the handling of SMB traffic, which could allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system by crashing Windows.
However, there was no such issue for Adobe, which released three security updates.
Of these, the most important is for Adobe Flash: APSB17-04 fixes 13 critical vulnerabilities across Windows, Mac, Linux and Chrome OS systems.
“If left unpatched this allows attackers to take complete control of the system,” explained Qualys director of vulnerability labs, Amol Sarwate. “An attacker would host malicious Flash content and the vulnerability will trigger when the victim views the content.”
The other two updates are for Adobe Digital Editions (APSB17-05) and Adobe Campaign (APSB17-06) and have a priority rating of 3, which Sarwate said implies they’ve not been a target for attackers.