Microsoft pulls faulty patch

A CRITICAL PATCH for Windows 2000 Server running Windows Media Services is broken.

Microsoft pulled a patch for a hole in Windows 2000 Server running Windows Media Services. The flaw allows an attacker to take control of the system. The patch was released last Tuesday but for some reason it failed to work.

The critical vulnerability will remain unfixed until Microsoft re-releases a patch for it, the company said last Friday.

Writing in his blog,Jerry Bryant, group manager of response communications for the Microsoft Security Response Centre, said that shortly after the Vole released the update it received several reports that it did not protect against the vulnerability that had been reported.

"We pulled the update and notified customers. The main reason for pulling the update was to save a reboot for customers who had not yet installed it. The original issue was missed due to focusing on a variant of the original report early in the investigation," he said.

When the fixed patch is ready, Microsoft says it will notify customers via its Twitter account, @MSFTSecResponse, and since the update will go out as a major revision to the bulletin, there will be no advance notification mailer.

Bryant initially notified customers in a blog post last week that the security update for MS10-025 was being withdrawn. He pointed out at the time that there were no active attacks seeking to exploit the flaw.

Meanwhile punters should review the bulletin for mitigations and workarounds, and those with Internet-facing systems with Windows Media Services installed should evaluate and use firewall best practices to limit their overall exposure.

It is the second time in two months that Microsoft has cocked up a security patch. In February, a security update crashed some Windows systems because they were infected with a rootkit program. µ