Technical Hiccup Delays Microsoft PatchesBy Matt Hines | Print
Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame
An internal snafu delays the release of the software giant's latest round of security patches, which aimed to fix an array of critical flaws in Windows and Office.
Microsoft was unable to offer immediate access to its monthly collection of security patches as a result of a procedural issue in distributing the content to users Oct. 10.
While the company appears to have remedied the situation, at the time that the security fixes were first released the software giant was forced to inform users that they would not be able to get their hands on the patches via its automated distribution methods.
Company officials did not immediately provide further details of what may have caused the issue.
"Due to technical difficulties experienced on the Microsoft Update platform, security updates released today are not currently available via Microsoft Update, Automatic Updates, Windows Server Update Services or Windows Update v6," the company said in a message posted to its security bulletin Web site.
The post was later removed from the site, and there were no further reports of users having trouble consuming this month's patches.
The Redmond, Wash.-based company has thus far also avoided the need to re-release any of the security bulletins to address additional vulnerabilities, as it has been forced to in previous months, most recently in September 2006 when it struggled to close all the known loopholes in its Internet Explorer Web browser.
However, Microsoft was forced to sit on at least one patch, as it had reported earlier this month that it would be issuing 11 security bulletins, versus the 10 that subsequently arrived.
Company officials did not immediately respond to requests for further information on the Windows patch that was not shipped.
Among the 10 updates that were published, including fixes for six critical vulnerabilitiesthe company's most severe software flaw ratingMicrosoft addressed some 26 individual problems, with cumulative releases arriving for its popular PowerPoint, Excel and Office product.
The total number of patches places the October 2006 security release as the largest Microsoft has produced in the last 12 months.
The company's previous record was established when it addressed 23 individual problems in its release of 12 patches in August.
Among the most recent spate of fixes, the company addressed four zero-day threats, including a highly publicized Word vulnerability and the recently discovered Setslice "shell" vulnerability present in IE that could allow attackers to execute malicious code on systems whose users are viewing contents in the browser's "Web view" mode.
Security providers including on-demand specialist Qualys cited the severity of another October patch, rated by Microsoft as merely "important," that could allow for remote exploits attacking the server service in Windows, which provides support for file and print sharing.
Qualys said that organizations should pay "special attention" to the vulnerability and patch systems immediately, as the server service feature is turned on by default on Windows systems.
As a result of the software's giant's problems in getting its patches out via its automated distribution channels, officials at San Mateo, Calif.-based Qualys said that companies should consider new methods for acquiring future security bulletins to protect themselves from emerging attacks.
"Organizations may have to rethink their standard patch rollout procedures as Microsoft is experiencing some network issues and users are currently unable to automatically update these vulnerabilities," said Amol Sarwate, director of the company's Vulnerability Research Lab.
"Also, given the number of client-side vulnerabilities, Qualys continues to encourage organizations to update their internal security policies and provide ongoing tips and training for employees on ways in which to recognize and avoid exploits."
Calendar year 2006 has proven a milestone year for security vulnerabilities, with more than 5,450 flaws having already been reported by software makers, according to security researchers at Internet Security Systems, which was recently acquired by IBM for roughly $1.3 billion.
Based on the rate of flaws being reported publicly by software vendors, ISS estimates that there could be as many as 7,500 vulnerabilities discovered in 2006, compared to 5,195 security issues addressed during calendar year 2005.
Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.