Microsoft pulls April patch
Retracts fix for Windows 2000 bug after finding 'quality issues;' to reissue patch next week
Computerworld - Microsoft this week pulled one of the 11 security updates it issued earlier in the month, citing "quality issues" for the retraction.
Elsewhere, the company acknowledged that the original patch didn't do its job. "Today, we pulled the update because we found it does not address the underlying issue effectively," said Jerry Bryant, group manager for the Microsoft Security Response Center (MSRC), in a post to the team's blog Wednesday.
Microsoft has stopped distributing the update through its various update mechanisms, including Windows Update and the enterprise-grade Windows Server Update Services (WSUS). Bryant said that Microsoft plans to re-release the patch next week.
"It's interesting why they chose to pull the patch," said Andrew Storms, director of security operations at nCircle Network Security, in an instant message. "If it doesn't fix the bug, does it have some kind of unexpected outcome? Otherwise, why simply pull it all together and leave a gap in coverage?"
Another researcher assumed that the Microsoft retracted the update because the fix didn't work, not that there were side effects. "They've been pretty transparent, so I think this one didn't close the vulnerability, and that it was still open to exploitation," said Jason Miller, data and security team manager for Roseville, Minn.-based Shavlik Technologies.
The original MS10-025 update patched a single critical vulnerability in Windows 2000 Server's handling of network packets when running Windows Media Services.
MS10-025 was one of 11 security updates that Microsoft shipped April 13 to patch 25 bugs in Windows, Office and Exchange. It was one of five updates marked "critical," Microsoft's highest threat ranking.
Users who applied the update last week do not have to uninstall it, but Microsoft urged users to review the workarounds and additional defensive measures it outlined earlier to protect themselves until it reissues the patch. The company also recommended that systems running Windows Media Services be protected by a firewall.
By Storms' and Miller's recollections, this is the first time that the company has retracted an update without an immediately-available revamp of the fix. Microsoft was not immediately able to confirm that the move is a first.
"We have to give Microsoft credit for the transparency," said Storms, talking about the admission that the update didn't quash the bug. "Honestly, they are a bit lucky [that] the event happened on a bug with little market share. If this were Windows 7 or Internet Explorer, I highly doubt they would pull the plug on the patch without having the new one ready to issue," he said.
As Storms alluded, Windows 2000 powers relatively few PCs. According to the most recent data from Web analytics company NetApplications, the 10-year-old Windows 2000 accounts for just 0.6% of all in-use operating systems, less than a hundredth the share of Windows XP.
"The silver lining here is that if this had been an Internet Explorer bulletin, this [retraction] would have been much scarier," said Miller.
Microsoft has reissued patches in the past. In 2008, for example, the company re-released four different security updates for various reasons, including what it called "human issues" that forced it to reissue a fix for a Bluetooth bug in Windows XP.
The retraction means that IT administrators will need to redo work they did earlier this month when they rolled out the original MS10-025, said Miller. "For Microsoft, I think this rang the QA [quality assurance] alarm," he continued. "They'll probably go back and investigate, and ask 'What did we miss here?'" QA has been a hot topic this week because of the flawed antivirus update from security vendor McAfee that crippled thousands of Windows XP computers. McAfee has been blasted by users for letting the buggy update slip through testing.
A message left with Fabien Perigau, the researcher who reported the vulnerability to Microsoft last summer, and who was also credited with showing the company that the original patch didn't fix the flaw, did not respond to a request for comment left with his employer, Paris-based CERT-Lexsi.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts