Microsoft issues critical security patches, but leaves zero-day flaws at risk

Windows users will have to wait another three weeks to patch two serious vulnerabilities with exploit code when Microsoft's regular patching schedule resumes.
Written by Zack Whittaker, Contributor


Microsoft has patched "critical" security vulnerabilities in its browsers, but has left at least two zero-day flaws with public exploit code.

The software giant released numerous patches late on Tuesday to fix flaws in Adobe Flash for customers using Internet Explorer on Windows 8.1 and later, as well as Edge for Windows 10.

The patches are available over Windows Update.

A handful of large companies were alerted to the incoming patches on Monday, but were told not to expect any more updates until next month's patch cycle, scheduled for March 14.

But the company failed to patch two flaws that have publicly disclosed exploit code.

The first vulnerability relates to a Windows SMB bug, for which proof-of-concept code was released just days prior to this month's scheduled Patch Tuesday. The other, released by Google earlier this week, relates to a Windows graphics library flaw, disclosed to Microsoft more than six months ago, according to the vulnerability report.

The patches land a week after the company's usually-timed Patch Tuesday, which the company delayed for the first time in its history.

But it's not known exactly what the root cause of the delay was.

ZDNet's Mary Jo Foley said sources familiar with the company's goings-on said problems with Microsoft's build system could be the cause of the delay.

A spokesperson for Microsoft would not comment further on the issue.
