Someone over at Microsoft is a little trigger-happy on the “publish” button, it seems. The software giant published the details of the bulletins for the upcoming Patch Tuesday release four days early.
Expected to go live Sept. 13, the details of the five bulletins fixing 15 vulnerabilities appeared for a brief period on Microsoft’s Security Advisory site on Sept. 9. The page was yanked within the hour. Even though the bulletins were live, the actual patches were not.
The bulletins were identified by Johannes Ullrich, the “handler on duty” at the SANS Institute’s Internet Storm Center. Microsoft will release patches addressing a WINS vulnerability, a DLL linking flaw, a code execution bug in Excel and in the whole Microsoft Office suite. Vulnerabilities in SharePoint were also closed.
With information of the vulnerabilities leaked, it may be risky to not release the patches as cyber-attackers now know what to target. It is not yet known whether Microsoft will make the patches available early to protect customers. It may not be necessary since the bulletins don’t specify exactly how to exploit the bug.
For example, the Windows Internet Name Service (WINS) vulnerability in Windows Server 2003, 2008 and 2008 R2, “could allow elevation of privilege if a user received a specially crafted WINS replication packet on an affected system,” Microsoft said in the bulletin before it was removed. The DLL vulnerability is a well-known security flaw that Microsoft has been addressing for the past few months where legitimate files located in the same directory as a specially crafted dynamic link library file could result in privilege escalation.
Ullrich analyzed the various bulletins and suggested the severity of September’s patches are being under-reported. While Microsoft had rated all the patches as “important, Ullrich said at least three of them should be rated “critical.”