As I noted in my post Thursday, Microsoft released its usual advanced notification of security bulletins and associated patches scheduled for release next Tuesday, September 13. The advance notifications are intentionally not too specific, lest they give the Bad Guys tips on exploitable flaws they haven’t yet discovered for themselves. The details of the vulnerabilities fixed, as well as the actual patches, are released on the second Tuesday of each month. It’s a well-defined process that has been running for several years.
This month, however, something went wrong, and the actual security bulletins were made available on the Web yesterday (Friday). Microsoft realized the error fairly quickly; the bulletins were pulled offline in about an hour. The bulletins were dated September 13, the scheduled release date, so it seems likely that this was some sort of administrative snafu. Some people, notably the on-the-ball team at the SANS Internet Storm Center, were able to get copies of the bulletins and present a preliminary analysis. (Incidentally, the ISC analysis rates the the vulnerabilities involved as more severe than Microsoft does, giving three of the five bulletins a Critical rating for client machines.) The ISC analysis also has CVE numbers for the underlying vulnerabilities. At this point, though, the links to Microsoft Knowledge Base articles and to the Security Bulletins all return “Page Not Found” errors.
The incident is undoubtedly somewhat embarrassing for Microsoft, but I don’t think there is very much added risk. There has always been a suspicion that the Bad Guys jumped on the Security Bulletins as soon as they were released, in order to assemble exploits usable against those who were slow in patching. It is hard to know to what extent this is, or might be, true; however, analysis of the actual patches (i.e., the code) has always seemed the most likely method for this attack. In this case, as far as I know, none of the actual patches was released.
Still, it is probably prudent to avoid any extra delay in applying this month’s patches, once they are available “for real” on Tuesday, Having a look over the summary table in the ISC analysis wouldn’t be a bad idea, either.
(Thanks to ‘Googleator’ who gave us a heads up on this in a comment on the preview post.)