A glitch in Microsoft's Windows Update automated patching service caused a security fix that was released last month to be delivered to computer users on Tuesday, the same day Microsoft proclaimed December would be a patch-free month.
The software patch fixes a serious vulnerability in a set of Web site management tools called FrontPage Server Extensions, which are part of Microsoft's Windows 2000, Windows XP and Office XP software, according to Microsoft Security Bulletin MS03-051 released Nov. 11. Exploiting the flaw could allow an attacker to gain control over a user's PC, Microsoft said.
Due to a flaw in the Windows Update system, the patch that was released at the same time as the bulletin wasn't delivered until now, Microsoft said in a brief statement.
"Microsoft ... has corrected an error in Windows Update that prevented MS03-051 from reaching certain Windows XP customers via Windows Update or Automatic Update technologies," the Redmond, Washington, company said.
Microsoft said it was not aware of any hackers having exploited the vulnerability and encouraged users to install the patch as prompted by the Windows Update service.
Russ Cooper, surgeon general of TruSecure and moderator of the NTBugtraq security mailing list, said he wished there had been a worm or a high-profile attack that took advantage of this particular flaw.
"Too bad that did not happen because we would lose all the people that work on Windows Update development and instead have people who are capable," he said. "I have sent out numerous e-mails with the title 'Windows Update is a dog.' It is a terrible delivery mechanism."
Microsoft also notes that this security issue was rated "moderate" for most Windows XP systems, while it was rated "critical" for systems running Windows 2000 and Office XP with SharePoint Team Services 2002 enabled.
In Microsoft's rating system for security issues, vulnerabilities that could allow a malicious Internet worm to spread without any action required on the part of the user are rated critical. Issues that will not lead to the spread of a worm without any action taken by the user, but could still expose user data or threaten system resources, are rated important. Vulnerabilities that are very complicated to exploit, or hard to exploit because they are blocked by the default settings on a PC, are considered moderate threats.