Security Experts:

Microsoft Mistakenly Details September Security Bulletins Early

If Patch Tuesday is a party, this would be the IT security version of pre-gaming.

On Aug. 9, Microsoft accidentally released information on the five security updates it is planning to release tomorrow as part of this month’s Patch Tuesday. The information, which has since been taken down, represents a rare procedural slip-up in the company’s Patch process. Normally, Microsoft publishes an advanced notification the Thursday before Patch Tuesday – the second Tuesday of every month – and then posts no further information until the Patch Tuesday updates are released.

This time though, information about the following security updates was posted live on the Web the day after the advanced notification:

• MS011-070 Vulnerability in WINS could allow elevation of privilege

• MS011-071 Vulnerability in Windows could allow remote code execution (DLL Linking Vuln.)

• MS011-072 Arbitrary code execution vulnerability in Excel

• MS011-073 Code execution vulnerability in Microsoft Office

• MS011-074 Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege

Typically, attackers try to reverse engineer the patches after the release, leading some people to dub the day after Patch Tuesday as “Exploit Wednesday.” However, since the patches themselves were not released, the impact of Microsoft’s gaffe may be minimal.

In a statement, David Forstrom, director of Trustworthy Computing at Microsoft, said the draft text of the month’s bulletin summary was posted inadvertently, and was removed “as soon as the issue was discovered.” “We are not aware of any customer impact and we are monitoring the issue,” he said.

The updates are slated to fix 15 separate vulnerabilities, and all are rated “Important”. The patches are scheduled to be released at 10 a.m. PDT Sept. 13.