Microsoft Cancels September Patch Day Update

After announcing plans to release a single security bulletin, Microsoft now says a "quality issue" has forced the cancellation of the patch rollout.

There wont be a Patch Day this month after all.

Microsoft Corp. late Friday cancelled plans to roll out a solitary bulletin with patches for a Windows flaw, citing an unknown "quality issue."

The software giant announced on Thursday that a single "critical" bulletin would cover a wormable vulnerability.

During last-minute testing, however, researchers at Redmond flagged some problems with the update.

"Late in the testing process, Microsoft encountered a quality issue that necessitated … additional testing and development [of the update] before it is released," a Microsoft spokesperson told Ziff Davis Internet News.

"[We are] committed to only releasing high quality updates that fix the issues in question, and therefore we feel it is in the best interest of our customers to not release this update until it undergoes further testing," he said.

/zimages/2/28571.gifRead more here about the single Microsoft security bulletin originally planned for September.

The spokesperson said the companys monthly update release process involves a "significant testing focus" to ensure customers will receive updates that are of a high quality.

"Microsoft will not release an update until it meets those standards. Occasionally, the testing process and our strict focus on quality can result in a month where no security updates are released, as is the case [this month]," he said.

The spokesperson said the company still plans to release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.

/zimages/2/28571.gifFaulty updates have led to patch quality concerns for Microsoft before. Click here to read more.

Microsoft will also release one non-security, high-priority update for Windows on MU (Microsoft Update), WU (Windows Update), WSUS (Windows Server Update Services) and SUS (Software Update Services).

According to an Upcoming Advisories page maintained by security research outfit eEye Digital Security, there are several code execution flaws in Microsoft products that remain unpatched more than three months after Microsoft confirmed receipt of the reports.

eEye starts counting overdue days a full 60 days after a vulnerability has been "validated" by a software vendor, which means that Microsoft has been aware of one of the eEye-discovered vulnerabilities for more than five and a half months.

In all, eEye has reported nine vulnerabilities that have been validated by officials at the MSRC (Microsoft Security Response Center). Three of the nine flaws are more than two months overdue and all carry a "high severity" risk rating.

Customers at risk include users of the widely deployed Internet Explorer browser, the Microsoft Outlook and Outlook Express mail clients, and various versions of Windows.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.