Microsoft released MS17-005 to patch critical flaws in Adobe Flash Player, but that’s it. Microsoft didn’t release the fix for the two zero-day exploits disclosed this month.

After the company said patches would be delayed in February, it clarified that security updates would instead be released on Patch Tuesday in March. Yet InfoWorld’s Woody Leonhard reported that Microsoft emailed its largest customers on Monday with a heads-up about the Flash patches for Internet Explorer and Edge.

Don’t expect Microsoft to release any out-of-band patches for the Windows exploit code that’s in the wild, since the email from Microsoft told its big, important customers, “No other security updates are scheduled for release until the next scheduled monthly update release on March 14, 2017.”

2 flaws leave Windows users vulnerable

Windows users are left vulnerable to two different sets of publicly released exploit code.

On February 2, US-CERT released an advisory about a Windows SMB bug. The vulnerability note stated, “Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system.”

The bug was discovered by security researcher Laurent Gaffié, aka PythonResponder. Microsoft allegedly had a patch ready to go three months ago, but it kept pushing the fix back.

Gaffié told The Register he “submitted the bug to Microsoft on Sept. 25, 2016, and that Microsoft had a patch ready for its December patch cycle. The company pushed the fix back to February, he explained, because it made more sense to them to release several SMB fixes at once rather than a single one in December.”

Since Microsoft has previously “sat on vulnerabilities that he’s reported,” Gaffié decided to release proof-of-concept exploit code at the beginning of February. Then Microsoft canceled Patch Tuesday for the first time ever.

By releasing only a fix for Adobe Flash Player, Microsoft also chose to leave customers vulnerable to the Windows graphic library flaw that was disclosed by Google’s Project Zero team member Mateusz Jurczyk.

He first notified Microsoft last year, and the company attempted to resolve the issues with MS16-074, which was released in June 2016. However, Jurczyk discovered Microsoft did not patch all the flaws in the GDI library. An attacker could still steal information from memory, so he notified Microsoft again in November 2016.

He wrote, “It is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker.” The pixels “may include sensitive information, such as private user data or information about the virtual address space.”

Jurczyk “confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file.”

Per Project Zero's disclosure policy, 90 days passed and Microsoft failed to patch, so the details of the vulnerability were publicly disclosed.

Microsoft has not given any in-depth explanation for what problems caused the February Patch Tuesday delay.