
Microsoft about-face: No patches this Tuesday

Bill Brenner

There will be no security patches from Microsoft this Tuesday.

A day after saying it would release one security bulletin for Windows, the software giant put on the brakes Friday afternoon. The company determined that more tweaking and testing is needed before it can roll out the fix.

"Late in the testing process, Microsoft encountered a quality issue that necessitated the update to go through additional testing and development before it is released," a company spokesman said in an e-mail. "Microsoft is committed to only releasing high-quality updates that fix the issues in question, and therefore we feel it is in the best interest of our customers to not release this update until it undergoes further testing."

However, users can still expect an updated version of Microsoft's malicious software removal tool Tuesday, as well as one non-security, high-priority update for Windows.

The news will likely come as a blessing for many IT shops, who experienced a brutal couple of weeks after last month's patch release. On Aug. 9, Microsoft released six security updates -- three for critical flaws in Internet Explorer and services embedded in Windows. Then Zotob and other malcode exploited one of those flaws in the worst attack so far this year.

Still, additional security holes have come to light since the August patch release, and unless Microsoft releases an out-of-cycle security update, those flaws may not be fixed until at least October.

Days after the Zotob attacks, vulnerability researchers warned of a new security hole in Internet Explorer. The French Security Incident Response Team (FrSIRT) said exploit code was available for a memory corruption error in the browser that occurs "when instantiating the 'Msdds.dll' (Microsoft Design Tools Diagram Surface) object as an ActiveX control, which could be exploited by an attacker to take complete control of an affected system via a specially crafted Web page."

On Aug. 30, another flaw in the browser was reported by Silver Spring, Md.-based Security Tracker and independent researcher Tom Ferris. Their advisories warned that attackers could use specially crafted HTML coding that, when loaded by the target user, "will cause the target user's browser to crash or potentially execute arbitrary code."

Meanwhile, security experts have warned of a Windows flaw attackers could use to hide certain information. "The weakness is caused due to an error in the Registry Editor Utility (regedt32.exe) when handling long string names," Danish security firm Secunia said in an advisory. "Successful exploitation makes it possible for malware to hide strings in the 'Run' registry key." Secunia confirmed the weakness in a fully updated Windows XP SP2 system and said it has also been reported in Windows 2000. The firm recommended users ensure their systems have updated antivirus and spyware detection software installed.

This article originally appeared at SearchSecurity.com.

