Microsoft has been putting off providing all the patches from last week's batch of 12 so that it can push out the fix pegged as the most dangerous to the most users possible, the company confirmed Tuesday.
The Redmond, Wash., developer has been delivering the patch for the vulnerability cited in security bulletin MS06-040 as Automatic Updates' highest priority and letting the others slide until later, said Adrian Stone, a program manager at the Microsoft Security Research Center (MSRC).
"With Windows Update we have the ability to prioritize updates in order to ensure that we are providing the broadest customer distribution possible for a particular update or set of updates given the relative threat," Stone wrote on the MSRC's blog. "Prioritizing of the updates is done taking into account the threats identified with each individual release."
Last week, blog entries from the MSRC identified the MS06-040 patch as the one users should put at the top of their to-do lists. Security analysts across the board seconded the motion, with some urging users to patch before a likely worm appeared. Also last week, users who manually updated their PCs using Windows Update or Microsoft Update were greeted with an additional color-coded "Addresses a critical security problem" notation below the listing for the MS06-040 update. Both moves were firsts for Microsoft, as was its admission that it prioritizes patches provided by its update mechanisms. Microsoft's online description of those tools, for example, says nothing of prioritizing.
"The threat presented by the vulnerability addressed in MS06-040 prompted us to do everything possible to ensure that customers received the update with the highest possible priority," Stone continued. "If you have not seen the rest of this month's updates yet on your computer rest assured they are coming and this is perfectly normal."