Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

Microsoft reissues Patch Tuesday fixes to address install glitches

Share

Microsoft was forced to, again, address bugs in its monthly Patch Tuesday security update – this time, reissuing four security bulletins for customers.

The software giant announced that the new patches were available last Thursday on its blog, just two days after it released its scheduled Patch Tuesday update for buggy products.

New patches were made available for four security bulletins: MS13-067, MS13-072, MS13-073 and MS13-074, which addressed bugs in a host of Microsoft Office products, including Excel and SharePoint Server. Non-security updates were also re-released for Microsoft PowerPoint 2010, KB2553145 and PowerPoint Viewer 2010, KB2553351.

According to the company, customers complained about updates attempting to reinstall numerous times on their machines. In other instances, patches weren't made available to customers.

“Since the shipment of the September 2013 security bulletin release, we have received reports of updates being offered for installation multiple times, or certain cases where updates were not offered via Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM),” the blog post said. “We have investigated the issue, established the cause, and we have released new updates that will cease the unnecessary re-targeting of the updates or the correct offering of these updates.”

In a Monday blog post, security researcher Graham Cluley wrote that the reoccurring issues with Patch Tuesday releases was highly concerning given the number of users that rely on the fixes.

Just last month, Microsoft pulled a patch that addresses three vulnerabilities in Exchange Server. In that incident, the Patch Tuesday fix was scrapped after Microsoft became aware that installing it caused problems.

“Following so soon after last month's buggy security update, one has to wonder what's going wrong at Microsoft Quality Control,” Cluley wrote. “The company can't afford to keep messing up like this. The risk is that millions of users around the world will begin to question Microsoft's ability to properly patch security vulnerabilities, and lose trust in the firm.”

Microsoft did catch one bug in its Patch Tuesday update before dispatching the release. The company had originally planned to release 14 fixes, but only shipped 13 last week, leaving out one patch that would have addressed an issue in its .NET software framework, which could allow denial-of-service.

SCMagazine.com reached out to Microsoft about the reissued updates, but did not immediately hear from the company.

UPDATE: In an email to SCMagazine.com on Monday evening, a Microsoft spokesperson commented on another non-security update that was pulled from its Patch Tuesday release last week. The fix for Outlook 2013 was removed after the company "investigated reports of some difficulties" with the update.

In the email, Dustin Childs, group manager of Microsoft Trustworthy Computing, also said that Microsoft was "actively looking at where improvements can be made with the goal of reducing implantation issues" for customers.

“The quality of security updates is critical to our customers, and it is a high priority for us too," Childs wrote, later adding that Microsoft will "remain transparent with our customers about security threats, protections and update issue resolution."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.