Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Microsoft Mistakenly Details September Security Bulletins Early

If Patch Tuesday is a party, this would be the IT security version of pre-gaming.

On Aug. 9, Microsoft accidentally released information on the five security updates it is planning to release tomorrow as part of this month’s Patch Tuesday. The information, which has since been taken down, represents a rare procedural slip-up in the company’s Patch process. Normally, Microsoft publishes an advanced notification the Thursday before Patch Tuesday – the second Tuesday of every month – and then posts no further information until the Patch Tuesday updates are released.

If Patch Tuesday is a party, this would be the IT security version of pre-gaming.

On Aug. 9, Microsoft accidentally released information on the five security updates it is planning to release tomorrow as part of this month’s Patch Tuesday. The information, which has since been taken down, represents a rare procedural slip-up in the company’s Patch process. Normally, Microsoft publishes an advanced notification the Thursday before Patch Tuesday – the second Tuesday of every month – and then posts no further information until the Patch Tuesday updates are released.

This time though, information about the following security updates was posted live on the Web the day after the advanced notification:

• MS011-070 Vulnerability in WINS could allow elevation of privilege

• MS011-071 Vulnerability in Windows could allow remote code execution (DLL Linking Vuln.)

• MS011-072 Arbitrary code execution vulnerability in Excel

• MS011-073 Code execution vulnerability in Microsoft Office

• MS011-074 Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege

Typically, attackers try to reverse engineer the patches after the release, leading some people to dub the day after Patch Tuesday as “Exploit Wednesday.” However, since the patches themselves were not released, the impact of Microsoft’s gaffe may be minimal.

In a statement, David Forstrom, director of Trustworthy Computing at Microsoft, said the draft text of the month’s bulletin summary was posted inadvertently, and was removed “as soon as the issue was discovered.” “We are not aware of any customer impact and we are monitoring the issue,” he said.

The updates are slated to fix 15 separate vulnerabilities, and all are rated “Important”. The patches are scheduled to be released at 10 a.m. PDT Sept. 13.

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet