The mysterious delivery of a critical security patch this week, the same week in which Microsoft announced it wouldn't deliver any critical-security-patch bundles, had the company scrambling yesterday to find out what happened. A glitch in the company's Windows Update patch-delivery mechanism was responsible for the erroneous delivery of the patch, which fixes a problem with the Microsoft FrontPage Server Extensions, a software add-on for Microsoft's Web server software. The company issued a Microsoft Knowledge Base article describing the patch more than a month ago, although it didn't publish the patch to Windows XP users until this week. Microsoft says it should have published the patch and Knowledge Base article simultaneously and for all affected systems.
The FrontPage Server Extensions fix is critical only for XP and Windows 2000 systems that have Windows SharePoint Services (WSS) 2003 installed, and Microsoft apparently distributed the patch to Win2K users on November 11. The patch is rated "moderate" for most XP systems (i.e., XP systems without FrontPage Server Extensions installed, which is most of them).
In related news, a new Microsoft Internet Explorer (IE) 6.0 vulnerability that researchers recently discovered could put users' data at risk. According to a security bulletin released earlier this week by the Danish security company Secunia, this IE 6.0 vulnerability could let intruders spoof Web sites by loading a different page when users enter a genuine URL in IE's address bar. If the vulnerability is exploited successfully, attackers could emulate an e-commerce site such as Amazon.com or eBay and cause users to inadvertently enter sensitive information. Microsoft says it's "aggressively investigating the public reports" about this vulnerability and, if warranted, might issue a patch outside of its regular monthly patch packages. The next set of patch packages is due in the second week of January.