This month's Patch Tuesday arrives early, apparently by mistake

This month's Patch Tuesday arrives early, apparently by mistake

Summary: Microsoft's smooth-running update system hit a major snag today, when someone in Redmond apparently published the details of next week's security updates four days early. UPDATED with Microsoft statement.

SHARE:
TOPICS: Microsoft, Security
28

Microsoft’s security infrastructure normally operates on a schedule that a Swiss stationmaster would admire. This month the train jumped the rails.

Yesterday, as usual, the Microsoft Security TechCenter published its Advance Notification for September 2011. The post is a heads-up for IT professionals that next Tuesday’s monthly security updates will include five bulletins.

Today, someone jumped the gun and posted the details of those bulletins four days early.

Johannes Ulrich of the Internet Storm Center flagged the details of four of those patches in a post this morning. For a few minutes, the links on that page were live, although Microsoft appears to have quickly hit the Unpublish button. Larry Seltzer of PCMag.com Security Watch identified the fifth bulletin.

  • MS011-70 Vulnerability in WINS could allow elevation of privilege
  • MS011-71 Vulnerability in Windows could allow remote code execution (DLL Linking Vuln.)
  • MS011-72 Arbitrary code execution vulnerability in Excel
  • MS011-73 Code execution vulnerability in Microsoft Office
  • MS011-74 Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege

Some of the detailed bulletins were live for an unknown period of time. The MS011-70 bulletin, for example, included this executive summary:

This security update resolves a privately reported vulnerability in the Windows Internet Name Service (WINS). The vulnerability could allow elevation of privilege if a user received a specially crafted WINS replication packet on an affected system running the WINS service. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

This security update is rated Important for servers running supported editions of Windows Server 2003, Windows Server 2008 (except Itanium), and Windows Server 2008 R2 (except Itanium), on which WINS is installed. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by correcting the way WINS handles internal communication on the loopback address.

That link now returns a Page Not Found error.

The premature release is a major gaffe for Microsoft and could cause headaches for security professionals. The appearance of the security bulletin, which includes details about the vulnerabilities being fixed, is the starting gun of a race between bad guys trying to build exploits and IT pros scheduling patches to be applied on desktops and servers.

I’ve asked Microsoft for more information and will update this post when I hear from them.

Update, 9-Sep 1:40PM PDT: Microsoft has provided the following comment in response to this issue

Microsoft inadvertently displayed draft text of September’s bulletin summary, five bulletins, and a security advisory update intended for release on Tuesday, Sept. 13. The draft text was removed as soon as the issue was discovered. We are not aware of any customer impact and are monitoring the issue.

For information on the bulletins to be released on Sept. 13, please see Microsoft’s Advanced Notification.

-- Dave Forstrom, director, Trustworthy Computing, Microsoft

Topics: Microsoft, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

28 comments
Log in or register to join the discussion
  • RE: This month's Patch Tuesday arrives early, apparently by mistake

    ...Ooops.
    The one and only, Cylon Centurion
  • RE: This month's Patch Tuesday arrives early, apparently by mistake

    The suspense is tolerable...
    SCCMSTL
  • Not only oops...

    I'm guessing that these updates will have to be released as soon as later today, just to ensure the bad guys don't get a working zero-day exploit put together before the normal Tuesday release.
    jrf2027@...
    • RE: This month's Patch Tuesday arrives early, apparently by mistake

      @jrf2027@... Generally black-hats use the actual patch to create an exploit, not the documentation.
      Spikey_Mike
  • RE: This month's Patch Tuesday arrives early, apparently by mistake

    Really? That big a deal? I think not. Not EVERYTHING that happens in the news is a MAJOR deal. It was just a slip. Don't make it into more than it is.
    QA_In_Vegas
  • RE: This month's Patch Tuesday arrives early, apparently by mistake

    Hardly a story. Everyone knows the patches come out the second Tuesday of the month and they release the advisories early anyway.
    LoverockDavidson_-24231404894599612871915491754222
  • I guess the Microsoft guys...

    I guess the Microsoft guys were out drinking with the Apple people who keep leaving prototype products at the bar!
    mmeade@...
  • OMG - a disaster!!

    Media people like riot, blood, alarmism and hysteria.
    IT-Profs stay cool, tink mature and rational.
    Really?
    mousebooster
    • RE: This month's Patch Tuesday arrives early, apparently by mistake

      @mousebooster<br><br>NOT!!!!<br><br>Only the ones with Internet exposed machines with without patches from 2 years ago.<br>OR<br>Systems browsing the web with unpatched plug-ins/ActiveX<br>OR<br>IIS 5 unpatched<br>OR<br>Open Relays<br>OR...................
      dunn@...
    • Message has been deleted.

      dunn@...
  • Sometimes, stuff just happens

    I expect that the Security Bulletins are drafted during the testing process of the Updates and as soon as the Advance Notice is published, the release information is being worked on in the background.

    I wonder if the inadvertent publication was related to the new URL pattern for bulletins.
    Corrine | SecurityGarden
  • after a load of competitor bashing, what about

    a comment on how cr*p the Microsoft's cloud-based services are????
    http://www.thinq.co.uk/2011/9/9/microsoft-falls-offline/
    deaf_e_kate
    • It's already being covered here on ZDNet

      @deaf_e_kate

      On the front page, even. Here, let me hhelp you:

      http://www.zdnet.com/blog/btl/microsofts-office-365-outages-pile-up-growing-pains-or-uptime-issues/57680

      If you followed me on Twitter, you would see I had posted a link to that story as well.

      Have a nice day.
      Ed Bott
      • RE: This month's Patch Tuesday arrives early, apparently by mistake

        @Ed Bott : you mean you never comment when someone else has???? just picking up on your hypocrasy
        deaf_e_kate
    • This is not the topic...

      @deaf_e_kate could you stay at least tangentially on the topic? This article is about Patch Tuesday updates and advisories, and not at all related to cloud services. And aside from a funny comment about Apple, no mention of any competitors nor bashing in the article or comments. Come on, get a grownup name and stop being a troll! Go over to http://www.zdnet.com/blog/networking/microsofts-online-services-briefly-go-dark/1437?tag=nl.e589 to discuss cloud stuff!
      randysmith@...
      • RE: This month's Patch Tuesday arrives early, apparently by mistake

        @randysmith@... you must be new here. Ed trashes MS's competition when they have a fault, but when MS have one, he is either decidedly silent (see above) or at best he comments as a matter of fact without any criticism of MS. So i'm not trolling, just pulling Ed up for his usual hypocracy.
        deaf_e_kate
  • RE: This month's Patch Tuesday arrives early, apparently by mistake

    Yawn
    digital838
  • RE: This month's Patch Tuesday arrives early, apparently by mistake

    whoops! i hate it when that happens and i also leave prototype-secret phones in bars! better get my resume polished...
    js@...
  • RE: This month's Patch Tuesday arrives early, apparently by mistake

    The real question is why does Microsoft leave known vulnerabilities to fester if they have the fixes. Why not publish fixes as soon as they are perfected, and stop this
    monthly update Tuesday nonsense?
    NBSF
    • You don't work in IT, do you?

      @NBSF

      This issue has been hashed out many times before.
      Ed Bott