Patch delivery snafu snares no-patch December
By Paul Thurrott on Jul 3, 2007 9:49AM
COMMENTARY: The mysterious delivery of a critical security patch this week, the same week in which Microsoft announced it would have no critical security patch bundles, had the software maker scrambling yesterday to find out what happened.
It turns out a glitch in the company's Windows Update patch delivery mechanism caused the erroneous delivery of the patch, which fixes a problem with the FrontPage Server Extensions, a software add-on for Microsoft's Web server software.
The company issued a Microsoft Knowledge Base (KB) article describing the patch over a month ago, though the patch itself wasn't published to XP users until this week; Microsoft says the patch and KB article should have been published simultaneously, and for all affected systems.
The FrontPage Server Extensions fix is only critical for Windows 2000 with SharePoint Team Service 2003 installed, and that patch apparently did go out to Windows 2000 users on November 11; the patch is rated "moderate" for most Windows XP systems (that is, XP systems without FrontPage Server Extensions installed).
In related news, a new Internet Explorer (IE) 6 vulnerability discovered by researchers recently could potentially put users' data at risk.
According to a security bulletin released earlier this week by a Danish security company called Secunia, this newly discovered IE 6 vulnerability could grant hackers the ability to spoof Web sites by showing a genuine URL in IE's address bar while loading a different page.
If the flaw is exploited successfully, hackers could emulate an e-commerce site like eBay or Amazon.com and cause users to inadvertently enter sensitive information.
Microsoft says it is "aggressively investigating the public reports" about this vulnerability and it may issue a patch outside of its normal monthly patch packages if warranted. The next set of patch packages is due in the second week of January.
Copyright (c) 2004 MediaConnect