Microsoft admits MS10-025 patch didn't fix vulnerability

Microsoft has yanked the security updates shipped in the MS10-025 bulletin after realizing the patch did not fix the underlying security vulnerability.

The withdrawal of the bulletin means that affected Windows 2000 Server users should immediately consider applying mitigations and workarounds to avoid malicious hacker attacks.

The company did not explain why the bulletin was shipped with an inadequate patch. A brief blog post from Microsoft's Jerry Bryant offered the following:

Today we pulled the update because we found it does not address the underlying issue effectively. We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week.

The issue only affects Windows 2000 Server customers who have installed Windows Media Services (a non-default configuration).

Bryant urged affected users with Internet-facing systems that have Windows Media Services installed to evaluate and use firewall best practices to limit their overall exposure.

The MS10-025 bulletin is rated "critical" because an attacker could achieve remote code execution by sending a specially crafted transport information packet to a Microsoft Windows 2000 Server system running Windows Media Services.