We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Microsoft pulls bad Windows patch

Windows 2000 fix will be re-issued this week

Microsoft has pulled one of the 11 security updates it issued earlier this month because of "quality issues".

"Today, we pulled the update because we found it does not address the underlying issue effectively," said Jerry Bryant, group manager for the Microsoft Security Response Center (MSRC), said in a blog.

Microsoft has stopped distributing the update through its various update mechanisms, including Windows Update and the enterprise -grade Windows Server Update Services (WSUS). Bryant said that Microsoft plans to re-release the patch this week.

"It's interesting why they chose to pull the patch," said Andrew Storms, director of security operations at nCircle Network Security.

"If it doesn't fix the bug, does it have some kind of unexpected outcome? Otherwise, why simply pull it all together and leave a gap in coverage?"

The original MS10-025 update patched a single critical vulnerability in Windows 2000 Server's handling of network packets when running Windows Media Services.

MS10-025 was one of 11 security updates that Microsoft shipped April 13 to patch 25 bugs in Windows, Office and Exchange.

It was one of five updates marked 'critical', Microsoft's highest threat ranking.

Users who applied the update last week do not have to uninstall it, but Microsoft urged users to review the workarounds and additional defensive measures it outlined earlier to protect themselves until it reissues the patch.

The company also recommended that systems running Windows Media Services be protected by a firewall.

By Storms' recollection, this is the first time that the company has retracted an update without an immediately-available revamp of the fix. Microsoft was not immediately able to confirm that the move is a first.

"We have to give Microsoft credit for the transparency," said Storms, talking about the admission that the update didn't quash the bug.

"Honestly, they are a bit lucky [that] the event happened on a bug with little market share. If this were Windows 7 or Internet Explorer, I highly doubt they would pull the plug on the patch without having the new one ready to issue," he said.

As Storms alluded, Windows 2000 powers relatively few PCs.

According to the most recent data from web analytics company Net Applications, the 10-year-old Windows 2000 accounts for just 0.6 percent of all in-use operating systems, less than a hundredth the share of Windows XP.

Microsoft has re-issued patches in the past. In 2008, for example, the company re-released four different security updates for various reasons, including what it called "human issues" that forced it to reissue a fix for a Bluetooth bug in Windows XP.

The retraction means that IT administrators will need to redo work they did earlier this month when they rolled out the original MS10-025.

"You will need to reapply this bulletin to any machine that you have already patched in your April Patch Tuesday cycle," noted Jason Miller, data and security team manager for Shavlik Technologies.

Fabien Perigau, the researcher who reported the vulnerability to Microsoft last summer, and who was also credited with showing the company that the original patch didn't fix the flaw, did not respond to a request for comment left with his employer, Paris-based CERT-Lexsi.

See also: Windows 7 security: the complete guide


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

Chromebooks: ready for the prime time (but not for everybody)

IDG UK Sites

Hands-on with Sony's latest smartglasses

IDG UK Sites

Apple TV setup advice: Apple TV hacks to help you create the ultimate Apple TV hub in your home