


by Paul Kerstein

Microsoft Security Updates Aren’t Reaching Users

Nov 10, 2005 | 2 mins
CSO and CISO, Data and Information Security

Users of Microsoft Corp.’s Software Update Services (SUS) will have to wait a little longer to obtain Microsoft’s latest security patch, the software vendor said Wednesday. Microsoft issued a patch fixing three critical graphics bugs in the Windows operating system Tuesday, but the company has been unable to deliver the software to users of its SUS corporate update service, Microsoft said Wednesday.

Microsoft Program Manager Bobbie Harder acknowledged the problem Tuesday in a post to an SUS discussion forum written shortly after Microsoft issued the November security patch. Harder said that the SUS update would be available by approximately 5 p.m. Pacific Time Tuesday.

But by Wednesday, the software was still unavailable. “We’ve run across an issue affecting SUS 1.0 that we’re investigating whereby the update can’t be deployed,” Microsoft said in a posting to its Security Response Center Web log. “We hope to have a resolution soon on it,” the post added.

Microsoft’s other patch deployment tools, including Windows Server Update Services (WSUS), are unaffected by the delay, Microsoft said.

SUS is a service designed to deliver patches for Microsoft products. It is similar to the widely used Microsoft Windows Update, but is designed for use within a corporate firewall. Microsoft plans to discontinue the service in December 2006, and is actively encouraging SUS users to switch to the newer WSUS.

Microsoft’s November security patch fixes a number of problems in the way most versions of Windows render Metafile images. The problems could theoretically be exploited to allow a user to shut down or even gain control of an unpatched system by tricking a user into viewing a maliciously formatted Metafile image.

Windows Metafile is a graphics format used by some CAD (computer-aided design) applications. Files that use this format have either a .wmf or .emf extension.

Microsoft executives declined to comment on the SUS delay or to say when the updates were expected to begin working.

The unexplained delay did not sit well with some Microsoft customers. “Maybe Microsoft is gently encouraging us to upgrade to WSUS by making our systems vulnerable longer if we use SUS,” one user wrote in an SUS discussion forum Wednesday.

By Robert McMillan – IDG News Service (San Francisco Bureau)