A rare mistake by Microsoft’s security team resulted in the company’s September software patches being released to the public days early.
Microsoft said on Thursday that it would issue five bulletins in the September edition of Patch Tuesday, September 14. In an unexpected move, however, the company released the bulletins days ahead of schedule.
Links to the bulletins, MS11-070 to MS11-074, were dated September 13. They were quickly taken down after Microsoft staff realized the error, but not before they were captured by alert parties.
The SANS Internet Storm Center was among a handful of websites to publish details gleaned from the brief lapse, including links to the 16 vulnerabilities patched by the five updates and to the Microsoft Knowledge Base articles on the updates. Links to both the updates and the corresponding Knowledge Base articles were removed shortly after the mistake was discovered.
Microsoft did not immediately respond to a request for comment from Threatpost. It is unclear how the lapse happened given the company’s well-established system for releasing security updates. In a blog post on Thursday, Pete Voss, the Senior Response Communications Manager for Microsoft’s Trustworthy Computing Group, said the firm was making a change to the URL pattern it uses on security bulletins in order to facilitate localization of the bulletins into various languages. It’s unclear what role, if any, that change may have played.
The accidental early release of the bulletins is unlikely to impact Microsoft customers in the short term. However, malicious hackers commonly reverse engineer Microsoft patches to determine the location of exploitable vulnerabilities. They use that information to create new attacks that will work against unpatched systems. The early release of the bulletins gives exploit writers an early start on that process and could close the gap between patch and in-the-wild exploits targeting the patched vulnerabilities, security experts warn.