Tuesday, August 09, 2005

Update: Mysterious Glitch in critical IE patch download availability

Hmmmm. Considering that the exploit for the IE vulnerability (MS05-038) showed up on the same day as the patch was released, AND it mysteriously is yanked during the course of the day, kind of makes you scratch your head, huh?

Joris Evers writes in the C|Net News Security Blog:

Shortly after releasing its security patches for August, Microsoft pulled the "critical" fixes for Internet Explorer from its Download Center Web site. An error in the updates for several Windows versions made it impossible for users to install them, a Microsoft representative said.

"Several of the Internet Explorer updates provided only to the Download Center were corrupted, breaking the digital signature and preventing them from installing," the representative said in an instant message conversation Tuesday.

The IE patches will be reposted to the Download Center as soon as they have been fixed. Meanwhile the patches are still available through Microsoft Update and Windows Update as well as the Automatic Updates feature in Windows, the representative said.

Most consumers get their Microsoft patches through Automatic Updates or Windows Update, not the Download Center. However, Download Center is used by IT professionals. The links to the patches in Microsoft's technical security bulletins go to the Download Center. On Tuesday afternoon following the link to the IE patch in bulletin MS05-038 resulted in an message stating that the requested download was not available.

Steven Bink is one of those IT pros who noticed the problem. Bink publishes the Bink.nu Microsoft enthusiast Web site and runs IT Solutions BV, an IT consultancy company in Amsterdam. "Of course I was one of the first to download the patches," he said in an instant message conversation. Bink received an error message that the digital signature of the patch was not valid.

Update: Blue Boar pointed me at the Microsoft Security Response Center Blog, which explains that:

Not long after we released this morning, we found out that many of the digital signatures on some of the IE updates for MS05-038 were corrupted and were preventing install. This only impacts those downloading from the Download Center, not Windows Update, Microsoft Update, SUS, or WSUS. At least now we know what the problem is and it should be fixed soon.

As Blue Boar also pointed out to me, this doesn't really explain the root cause of the problem...

Also, some really good notes over on the ISC Daily Handler's Diary on today's fun.

posted by Fergie @ 8/09/2005 05:48:00 PM

0 Comments:

Post a Comment

<< Home