Users of Microsoft's SUS (Software Update Services) will have to wait a little longer to obtain the company's latest security patch, the software vendor said yesterday. Microsoft issued a patch fixing three critical graphics bugs in the Windows operating system on Tuesday, but the company has been unable to deliver the software to users of its SUS corporate update service, Microsoft said yesterday.
Microsoft Program Manager Bobbie Harder acknowledged the problem this week in a post to an SUS discussion forum written shortly after Microsoft issued the November security patch. Harder said that the SUS update would be available by approximately 5pm Pacific Time on Tuesday.
But by Wednesday, the software was still unavailable. "We’ve run across an issue affecting SUS 1.0 that we’re investigating whereby the update can't be deployed.," Microsoft said in a posting to its Security Response Center weblog. "We hope to have a resolution soon on it," the post added.
Microsoft's other patch deployment tools, including WSUS (Windows Server Update Services) are unaffected by the delay, Microsoft said.
SUS is a service designed to deliver patches for Microsoft products. It is similar to the widely used Microsoft Windows Update, but is designed for use within a corporate firewall. Microsoft plans to discontinue the service in December 2006, and is actively encouraging SUS users to switch to the newer WSUS.
Microsoft's November security patch fixes a number of problems in the way most versions of Windows render Metafile images. The problems could theoretically be exploited to allow a user to shut down or even gain control of an unpatched system by tricking a user into viewing a maliciously formatted Metafile image.
Windows Metafile is a graphics format used by some CAD (computer-aided design) applications. Files that use this format have either a .wfm or .emf extension.
Microsoft executives declined to comment on the SUS delay or to say when the updates were expected to begin working.
The unexplained delay did not sit well with some Microsoft customers. "Maybe Microsoft is gently encouraging us to upgrade to WSUS by making our systems vulnerable longer if we use SUS," one user wrote in an SUS discussion forum on Wednesday.