
Microsoft has made the difficult decision to delay fixing critical security bugs in its Windows operating systems, pushing back its next security update by almost a month, which puts millions of users at risk.

This is the first time since its monthly 'Patch Tuesday' security update programme launched in 2003 that an automatic Windows Update has been delayed. The skipped update, scheduled for 14 February, is now promised for 14 March, which also happens to be a Tuesday.

"Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. This month, we discovered a last-minute issue that could impact some customers and was not resolved in time for our planned updates today," Microsoft wrote in a TechNet blog post on 14 February.

"After considering all options, we made the decision to delay this month's updates. We apologise for any inconvenience caused by this change to the existing plan."

What is Microsoft's Patch Tuesday?

Patch Tuesday is a regular monthly update that takes place on the second Tuesday of every month. Microsoft automatically applies crucial patches to Windows machines in order to fix serious problems with the operating system and prevent cybercriminals from using established security vulnerabilities to steal consumer data and perform other nefarious activities.

The Patch Tuesday programme was introduced in October 2003 to make it cheaper for Microsoft to distribute security patches, by combining them all into one monthly update.

Windows Updates are crucial in their absence

Users have developed a love-hate relationship with Windows Updates, in particular when it comes to Windows 10, but there is no doubting they are crucial for keeping systems secure.

The delayed 14 February patch was meant to fix a nasty Windows SMB memory corruption bug that enables unauthenticated, remote attackers to launch a Denial of Service (DoS) attack and crash vulnerable computers and servers running Windows 8.1, Windows 10, Windows Server 2012 R2 and Windows Server 2016. The exploit code for this security flaw is publicly available, meaning that anyone can use it at any time.

The patch update was also supposed to sort out a Windows 10 Mobile security flaw that exposes users' photos so that attackers can easily take photos, scroll through the device owner's photo library and delete images at will without unlocking the smartphone.

Tech site ZDNet says internal Microsoft sources told it on condition of anonymity that a problem with Microsoft's patch build system is the reason for the delay, but Microsoft is refusing to comment officially.

IBTimes UK has contacted Microsoft about this issue, asking about the potential risks to consumers and if there is any advice for users until the next Patch Tuesday rolls around on 14 March.