Technical Hiccup Delays Microsoft Patches

 
 
By Matt Hines  |  Posted 2006-10-11 Email Print this article Print
 
 
 
 
 
 
 

Updated: An internal snafu delays the release of the software giant's latest round of security patches, which aimed to fix an array of critical flaws in Windows and Office.

Microsoft was unable to offer immediate access to its monthly collection of security patches as a result of a procedural issue in distributing the content to users Oct. 10.

While the company appears to have remedied the situation, at the time that the security fixes were first released the software giant was forced to inform users that they would not be able to get their hands on the patches via its automated distribution methods.
A company spokesperson said the delay was caused by unspecified networking issues in Microsofts patch allocation systems, which have now been remedied, and that there were no problems with the security updates themselves.

"Due to technical difficulties experienced on the Microsoft Update platform, security updates released today are not currently available via Microsoft Update, Automatic Updates, Windows Server Update Services or Windows Update v6," the company said in a message posted to its security bulletin Web site.

The post was later removed from the site, and there were no further reports of users having trouble consuming this months patches.
The Redmond, Wash.-based company has thus far also avoided the need to re-release any of the security bulletins to address additional vulnerabilities, as it has been forced to in previous months, most recently in September 2006 when it struggled to close all the known loopholes in its Internet Explorer Web browser.

However, Microsoft was forced to sit on at least one patch, as it had reported earlier this month that it would be issuing 11 security bulletins, versus the 10 that subsequently arrived. Company spokespeople said that Microsoft found an issue in testing one of the planned Windows Updates that caused it to remove the patch from the release while the software maker puts it through additional testing. Microsoft plans to make the patch available in the next batch of security bulletins.

Among the 10 updates that were published, including fixes for six critical vulnerabilities—the companys most severe software flaw rating—Microsoft addressed some 26 individual problems, with cumulative releases arriving for its popular PowerPoint, Excel and Office product. Click here to read more about Microsofts recent patch attempts. The total number of patches places the October 2006 security release as the largest Microsoft has produced in the last 12 months. The companys previous record was established when it addressed 23 individual problems in its release of 12 patches in August.

Among the most recent spate of fixes, the company addressed four zero-day threats, including a highly publicized Word vulnerability and the recently discovered Setslice "shell" vulnerability present in IE that could allow attackers to execute malicious code on systems whose users are viewing contents in the browsers "Web view" mode.

Security providers including on-demand specialist Qualys cited the severity of another October patch, rated by Microsoft as merely "important," that could allow for remote exploits attacking the server service in Windows, which provides support for file and print sharing. Qualys said that organizations should pay "special attention" to the vulnerability and patch systems immediately, as the server service feature is turned on by default on Windows systems.

As a result of the softwares giants problems in getting its patches out via its automated distribution channels, officials at Redwood Shores, Calif.-based Qualys said that companies should consider new methods for acquiring future security bulletins to protect themselves from emerging attacks.

"Organizations may have to rethink their standard patch rollout procedures as Microsoft is experiencing some network issues and users are currently unable to automatically update these vulnerabilities," said Amol Sarwate, director of the companys Vulnerability Research Lab. "Also, given the number of client-side vulnerabilities, Qualys continues to encourage organizations to update their internal security policies and provide ongoing tips and training for employees on ways in which to recognize and avoid exploits."

Calendar year 2006 has proven a milestone year for security vulnerabilities, with more than 5,450 flaws having already been reported by software makers, according to security researchers at Internet Security Systems, which was recently acquired by IBM for roughly $1.3 billion. Based on the rate of flaws being reported publicly by software vendors, ISS estimates that there could be as many as 7,500 vulnerabilities discovered in 2006, compared to 5,195 security issues addressed during calendar year 2005.

Editors Note: This story was updated to include comments from Microsoft. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
 
 
 
 
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date
Rocket Fuel