Microsoft admits posting flawed update

Computerworld - Microsoft Corp. rereleased one of its Aug. 11 security updates yesterday, explaining that it had posted an incomplete version to its own download center last week.

The admission was the third time in the past two months that Microsoft has had to reissue a security-related update.

Users who manually downloaded MS08-051 since Aug. 12 to patch Office 2003 should obtain the second version as soon as possible, Microsoft said. People who obtained the update via Windows Update or through their company's Windows Server Update Services (WSUS) server, or who updated other versions of Office, do not need to reinstall MS08-051.

That update patched three vulnerabilities in PowerPoint, the presentation maker included with Microsoft Office, including one that Microsoft labeled "critical," its highest ranking. MS08-051 was one of 11 security bulletins released last week that patched 26 bugs, the most Microsoft has tackled in a single month for the past year and a half.

According to the revised bulletin published Thursday, the PowerPoint 2003 patches originally posted to Microsoft's Download Center were the wrong versions. "While these versions did protect against the vulnerabilities discussed in the bulletin, they lacked other important security and reliability updates," Microsoft said in the revamped MS08-051.

The company said it had posted the correct versions to Windows Update and Office Update from the start. "This only affected the packages on the Microsoft Download Center; Microsoft Update and Office Update contained and were distributing the correct versions of the binaries and did not need to be updated."

Anyone who updated PowerPoint in Office 2003 Service Pack 2 or Office 2003 SP3 by grabbing the update from elsewhere -- in other words, directly from Microsoft's download site -- must reinstall the second edition of the patches, either by downloading the revised bits from Download Center or through Windows Update/Office Update.

Microsoft gave a third option to users unable to immediately replace the flawed patches. "If you choose to not reinstall the update, you must manually set the registry key in order to block PowerPoint file types as a workaround," Microsoft advised.

Second tries of security updates have become commonplace of late for the software maker. In June, Microsoft, citing unspecified "human issues," was forced to rerelease a fix for a flaw in Windows' implementation of Bluetooth, the short-range wireless protocol. And just last week, it reissued a July patch for a bug that had prevented some network administrators from using the WSUS patch management tool to deploy security updates.

Microsoft was unavailable for comment.

Read more about security in Computerworld's Security Knowledge Center.