Microsoft about-face: No patches this Tuesday

The software giant scraps plans to release a security fix for Windows, saying more testing is needed.

There will be no security patches from Microsoft this Tuesday.

A day after saying it would release one security bulletin for Windows, the software giant put on the brakes Friday afternoon. The company determined that more tweaking and testing is needed before it can roll out the fix.

"Late in the testing process, Microsoft encountered a quality issue that necessitated the update to go through additional testing and development before it is released," a company spokesman said in an e-mail. "Microsoft is committed to only releasing high-quality updates that fix the issues in question, and therefore we feel it is in the best interest of our customers to not release this update until it undergoes further testing."

However, users can still expect an updated version of Microsoft's malicious software removal tool Tuesday, as well as one non-security, high-priority update for Windows.

The news will likely come as a blessing for many IT shops, who experienced a brutal couple of weeks after last month's patch release. On Aug. 9, Microsoft released six security updates -- three for critical flaws in Internet Explorer and services embedded in Windows. Then Zotob and other malcode exploited one of those flaws in the worst attack so far this year.

Still, additional security holes have come to light since the August patch release, and unless Microsoft releases an out-of-cycle security update, those flaws may not be fixed until at least October.

Days after the Zotob attacks, vulnerability researchers warned of a new security hole in Internet Explorer. The French Security Incident Response Team (FrSIRT) said exploit code was available for a memory corruption error in the browser that occurs "when instantiating the 'Msdds.dll' (Microsoft Design Tools Diagram Surface) object as an ActiveX control, which could be exploited by an attacker to take complete control of an affected system via a specially crafted Web page."

On Aug. 30, another flaw in the browser was reported by Silver Spring, Md.-based Security Tracker and independent researcher Tom Ferris. Their advisories warned that attackers could use specially crafted HTML coding that, when loaded by the target user, "will cause the target user's browser to crash or potentially execute arbitrary code."

Meanwhile, security experts have warned of a Windows flaw attackers could use to hide certain information. "The weakness is caused due to an error in the Registry Editor Utility (regedt32.exe) when handling long string names," Danish security firm Secunia said in an advisory. "Successful exploitation makes it possible for malware to hide strings in the 'Run' registry key." Secunia confirmed the weakness in a fully updated Windows XP SP2 system and said it has also been reported in Windows 2000. The firm recommended users ensure their systems have updated antivirus and spyware detection software installed.

This article originally appeared at SearchSecurity.com.
