Patch-Delivery Snafu Snares No-Patch December

Joshua · 12-11-2003, 10:54 AM

The mysterious delivery of a critical security patch this week, the
same week in which Microsoft announced it wouldn't deliver any
critical-security-patch bundles, had the company scrambling yesterday
to find out what happened: A glitch in the company's Windows Update
patch-delivery mechanism was responsible for the delivery of the
erroneous patch, which fixes a problem with the Microsoft FrontPage
Server Extensions, a software add-on for Microsoft's Web server
software. The company issued a Microsoft Knowledge Base article
describing the patch more than a month ago, although it didn't publish
the patch to Windows XP users until this week. Microsoft says it
should have published the patch and Knowledge Base article
simultaneously and for all affected systems.
The FrontPage Server Extensions fix is critical only for XP and
Windows 2000 systems that have Windows SharePoint Services (WSS) 2003
installed, and Microsoft apparently distributed the patch to Win2K
users on November 11. The patch is rated "moderate" for most XP
systems (i.e., XP systems without FrontPage Server Extensions
installed, which is most of them).
In related news, a new Microsoft Internet Explorer (IE) 6.0
vulnerability that researchers recently discovered could potentially
put users' data at risk. According to a security bulletin released
earlier this week by the Danish security company Secunia, this newly
discovered IE 6.0 vulnerability could let intruders spoof Web sites by
loading a different page when users enter a genuine URL in IE's
address bar. If the vulnerability is compromised correctly, attackers
could emulate an e-commerce site such as Amazon.com or eBay and cause
users to inadvertently enter sensitive information. Microsoft says
it's "aggressively investigating the public reports" about this
vulnerability and, if warranted, might issue a patch outside of its
regular monthly patch packages. The next set of patch packages is due
in the second week of January.

12-11-2003, 10:54 AM	#1
Joshua Rear Admiral Upper Half Join Date: Jan 2001 Location: Long Island, NY Posts: 3,390	Patch-Delivery Snafu Snares No-Patch December The mysterious delivery of a critical security patch this week, the same week in which Microsoft announced it wouldn't deliver any critical-security-patch bundles, had the company scrambling yesterday to find out what happened: A glitch in the company's Windows Update patch-delivery mechanism was responsible for the delivery of the erroneous patch, which fixes a problem with the Microsoft FrontPage Server Extensions, a software add-on for Microsoft's Web server software. The company issued a Microsoft Knowledge Base article describing the patch more than a month ago, although it didn't publish the patch to Windows XP users until this week. Microsoft says it should have published the patch and Knowledge Base article simultaneously and for all affected systems. The FrontPage Server Extensions fix is critical only for XP and Windows 2000 systems that have Windows SharePoint Services (WSS) 2003 installed, and Microsoft apparently distributed the patch to Win2K users on November 11. The patch is rated "moderate" for most XP systems (i.e., XP systems without FrontPage Server Extensions installed, which is most of them). In related news, a new Microsoft Internet Explorer (IE) 6.0 vulnerability that researchers recently discovered could potentially put users' data at risk. According to a security bulletin released earlier this week by the Danish security company Secunia, this newly discovered IE 6.0 vulnerability could let intruders spoof Web sites by loading a different page when users enter a genuine URL in IE's address bar. If the vulnerability is compromised correctly, attackers could emulate an e-commerce site such as Amazon.com or eBay and cause users to inadvertently enter sensitive information. Microsoft says it's "aggressively investigating the public reports" about this vulnerability and, if warranted, might issue a patch outside of its regular monthly patch packages. The next set of patch packages is due in the second week of January. __________________ The Apexer formerly known as SnotRocket. "Like I **ing said, "Ok, so I hear it may be a repost. Blah But I had never seen it, so..." ** you Canta." -Jenny 12/4/2003

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

User Name
Password
Remember Me?