This month's Patch Tuesday arrives early, apparently by mistake

Microsoft's smooth-running update system hit a major snag today, when someone in Redmond apparently published the details of next week's security updates four days early. UPDATED with Microsoft statement.
Written by Ed Bott, Senior Contributing Editor

Microsoft’s security infrastructure normally operates on a schedule that a Swiss stationmaster would admire. This month the train jumped the rails.

Yesterday, as usual, the Microsoft Security TechCenter published its Advance Notification for September 2011. The post is a heads-up for IT professionals that next Tuesday’s monthly security updates will include five bulletins.

Today, someone jumped the gun and posted the details of those bulletins four days early.

Johannes Ulrich of the Internet Storm Center flagged the details of four of those patches in a post this morning. For a few minutes, the links on that page were live, although Microsoft appears to have quickly hit the Unpublish button. Larry Seltzer of PCMag.com Security Watch identified the fifth bulletin.

  • MS011-70 Vulnerability in WINS could allow elevation of privilege
  • MS011-71 Vulnerability in Windows could allow remote code execution (DLL Linking Vuln.)
  • MS011-72 Arbitrary code execution vulnerability in Excel
  • MS011-73 Code execution vulnerability in Microsoft Office
  • MS011-74 Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege

Some of the detailed bulletins were live for an unknown period of time. The MS011-70 bulletin, for example, included this executive summary:

This security update resolves a privately reported vulnerability in the Windows Internet Name Service (WINS). The vulnerability could allow elevation of privilege if a user received a specially crafted WINS replication packet on an affected system running the WINS service. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

This security update is rated Important for servers running supported editions of Windows Server 2003, Windows Server 2008 (except Itanium), and Windows Server 2008 R2 (except Itanium), on which WINS is installed. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by correcting the way WINS handles internal communication on the loopback address.

That link now returns a Page Not Found error.

The premature release is a major gaffe for Microsoft and could cause headaches for security professionals. The appearance of the security bulletin, which includes details about the vulnerabilities being fixed, is the starting gun of a race between bad guys trying to build exploits and IT pros scheduling patches to be applied on desktops and servers.

I’ve asked Microsoft for more information and will update this post when I hear from them.

Update, 9-Sep 1:40PM PDT: Microsoft has provided the following comment in response to this issue

Microsoft inadvertently displayed draft text of September’s bulletin summary, five bulletins, and a security advisory update intended for release on Tuesday, Sept. 13. The draft text was removed as soon as the issue was discovered. We are not aware of any customer impact and are monitoring the issue.

For information on the bulletins to be released on Sept. 13, please see Microsoft’s Advanced Notification.

-- Dave Forstrom, director, Trustworthy Computing, Microsoft

Editorial standards