Microsoft pulls faulty patch, plans re-release

Critical patch that affects Windows 2000 Server running Windows Media Services didn't work, so Microsoft pulled it and plans to release a fixed version sometime next week.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

April 23, 2010 12:35 p.m. PT

2 min read

A critical vulnerability affecting Microsoft Windows 2000 Server running Windows Media Services will remain unfixed until Microsoft re-releases a patch for it, the company said on Friday.

A patch for the hole, which could allow an attacker to take control of a system, was released during Patch Tuesday last week. However, Microsoft pulled the patch this week because it failed to work.

"Shortly after we released the update we received several reports that it did not protect against the vulnerability reported to us. At that time, we pulled the update and notified customers," Jerry Bryant, group manager of response communications for the Microsoft Security Response Center, wrote in a blog post on Friday afternoon. "The main reason for pulling the update was to save a reboot for customers who had not yet installed it. The original issue was missed due to focusing on a variant of the original report early in the investigation. We are addressing this issue and plan to re-release the update next week."

When the fixed patch is ready, Microsoft says it will notify customers via its Twitter account @MSFTSecResponse and since the update will go out as a major revision to the bulletin, there will be no advance notification mailer, although subscribers to the company's comprehensive notification service will receive an e-mail, Bryant said.

Asked earlier on Friday for details on why the patch did not work and what day it will be available, a representative said in a statement: "We cannot give a specific day yet, but we are planning to re-release the update next week. That is our first priority right now. After that, we will be able to investigate the issue further."

Bryant initially notified customers in a blog post on Wednesday that the security update for MS10-025 was being withdrawn.

"We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week," he wrote. "Customers should review the bulletin for mitigations and workarounds, and those with Internet-facing systems with Windows Media Services installed should evaluate and use firewall best practices to limit their overall exposure."

This is the second time in about two months that the software giant has had issues with a security patch it released. In February, a security update crashed some Windows systems because they were infected with a rootkit program that made changes to the operating-system kernel.

Other companies have problems of their own with updates. Earlier this week, a buggy McAfee antivirus update caused tens of thousands of Windows XP computers to crash or repeatedly reboot. McAfee issued a public apology to customers for the problem late Thursday.

Updated at 2:18 p.m. PDT with new information on how Microsoft will notify customers that the patch is ready.