Marcus Carey, a security researcher at Rapid7, agreed. "The light patch month in September will allow organizations to prepare for this, which is great as it has the potential to break things if applications are still using outdated certificates," said Carey, also in an email. "It almost seems as if Microsoft is intentionally giving organizations a light patch month so they can focus on updating their legacy certificates."
That's certainly possible, said Storms. "They could have made an administrative decision to delay other updates to give enterprises time [to work on their certificates]," he said.
Microsoft used that same tactic in March 2007, said Storms, when it issued no security bulletins because it wanted to give customers time to apply a Daylights Saving Time update to Windows that had been prompted by widespread changes in the U.S.
Next week's slate will be smaller than in past Septembers, Storms noted: In 2011, Microsoft shipped five updates that month, while in 2010 and 2009, the company issued 10 and five, respectively.
The October update to kill certificates with shorter -- and thus more vulnerable -- keys was triggered by the discovery of Flame, the sophisticated espionage tool discovered by Kaspersky Lab. Flame infiltrated networks, scouted out the digital landscape, and used a variety of modules to pilfer information. Among its tricks was one called the "Holy Grail" by researchers: It managed to spoof Windows Update, Microsoft's update service, to infect completely-patched Windows PCs.
Microsoft reacted by killing off some of its own certificates and beefing up Windows Update's security.
During its investigation into Flame, Microsoft decided to harden the Windows certificate infrastructure. The result was its decision to block access to certificates with keys shorter than 1,024 bits.
"I'd bet that they always wanted to do this," said Storm, "but historically, Microsoft wants to support all their customers, even those with much older systems that rely on shorter keys. Because of Flame, they had a good reason to make this move."
Next week's update, while light, was still interesting to Storms, who noted that Patch Tuesday will not fix any flaws in Internet Explorer (IE), making this the first month in the last four to omit the browser.
In July, Microsoft announced it was ditching IE's every-other-month schedule, and would ship patches when they were ready.