Patch Tuesday Fixes Five Flaws, But Not IIS

Patch Tuesday

Microsoft today released five patches for Windows as part of September’s “Patch Tuesday” update roundup — all of them rated “critical” on the software giant’s four-tier rating scale.

But the newest installment of Microsoft’s (NASDAQ: MSFT) monthly Patch Tuesday updates won’t include a fix for a zero-day vulnerability that the company divulged last week. The security hole affects older versions of Internet Information Services’ FTP service.

The company has said that it’s working to release a patch for the vulnerability as soon as possible and has issued a Security Advisory that provides a workaround.

In similar cases, Microsoft often releases a patch as what it calls an “out-of-band” update, meaning that a patch is delivered to users as soon as it’s deemed finished rather than waiting for the next Patch Tuesday.

The company acknowledged this week that some attacks have now been seen on the Web that take advantage of the IIS bug, making an out-of-band release more likely.

“None of the issues patched this month have been exploited ‘in-the-wild’ prior to today’s update. But an issue that is seeing some ‘in-the-wild’ exploitation is the previously mentioned IIS FTP issue,” Steve Manzuik, a security researcher at Juniper Networks, said in an e-mail to

On the list for September, though, are critical patches for a hole in Windows’ JScript engine, for another in the Wireless LAN local auto-configuration service, and for two holes in the Windows Media Format runtime.

A successful attack on any of them could completely compromise a user’s system, Microsoft said.

The remaining updates in today’s Patch Tuesday are also rated critical. A fourth patch fixes three bugs in how Windows handles TCP/IP communications, while the final update patches a vulnerability in an ActiveX editing control.

“Due to the criticality of the patches and wide coverage of the operating system, this will be a busy day for IT administrators,” Wolfgang Kandek, CTO of security vendor Qualys, said in an e-mail to

However, none of today’s patches impact Windows 7, a possibility that one security firm had wondered aloud about last week.

In its advance notification to IT shops last Thursday of what to expect on today’s updates, the company had warned that four patches apply to Windows Vista.

From the brief explanation provided in the advance notice, security vendor Lumension wondered whether some of those Vista patches might also require patches to Windows 7. That didn’t happen, however.

“None of the updates being released this month affect Windows 7 or Windows Server 2008 R2,” a Microsoft spokesperson said in an e-mail to

News Around the Web