The company released the fixed version of the patch recommending that businesses update their systems to run it as soon as possible. "Microsoft re-released this bulletin to announce the reoffering of the 2843638 update for Active Directory Federation Services 2.0 on Windows Server 2008 and Windows Server 2008 R2," read the update.
"For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service."
The update was originally released last week as a part of Microsoft's regular Patch Tuesday. But Microsoft pulled the update days later, following reports it was blocking users from searching their email inboxes. The pull was doubly complex as many companies had already installed the patch, but Microsoft said the new patch will still work for those who installed the original.
"Customers who already installed the original updates will be reoffered the 2843638 update and are encouraged to apply it at the earliest opportunity. Note that when the installation is complete, customers will see only the 2843638 update in the list of installed updates," said the Microsoft update.
The pull had caused concern within the security community that criminals may use the downtime to exploit the server vulnerability. Independent security expert Graham Cluley has said it is unlikely that criminals will have had time to target the vulnerability.
"As the vulnerability it was attempting to fix had only been privately reported, and was not believed to be being exploited in the wild, it's possible that the fix had actually turned into a bigger problem than the one it was attempting to solve – on Windows Server 2008 systems at least. The good news is that Microsoft has now reissued MS13-066 and appears to be confident that it has done a better job this time," he said.
Cluley added that the patch is not the first dodgy one released by Microsoft, calling for the firm to be more careful when releasing security fixes.
"This isn't the first time that Microsoft has been forced to re-release a security patch after problems were found in the original version, and it surely won't be the last. I'm sure the company is hopeful, however, that it can keep such incidents to a minimum because of the disruption and downtime that buggy security patches can cause its customers," he said.
For a look at all the security fixes in the Microsoft latest Patch Tuesday, read V3's roundup here.
No comments:
Post a Comment