Microsoft pulls Windows 7 and Windows Server 2008 elements of Patch Tuesday

Microsoft has unexpectedly withdrawn a key element of its Patch Tuesday operating system refresh after discovering a flaw in an update for Windows 7 and Windows Server 2008.

Is Patch Tuesday a viable solution?

The software giant says that the withdrawn patch was designed to overcome weaknesses in the SHA-1 hashing algorithm that expose users to collision attacks, in which an attacker could craft a certificate carrying a digital signature identical to a legitimate one, and so gain access to Windows-driven devices.

In its original advisory, Microsoft said that Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1 did not require the update as SHA-2 signing and verification functionality is already included in these operating systems.
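The practical question this raises for an administrator is which certificates in use are still signed with SHA-1. The following is an added example, not code from the article or from Microsoft: it reads the outer signatureAlgorithm of a DER-encoded X.509 certificate with a minimal standard-library ASN.1 reader and flags SHA-1 (or MD5) signatures. It works on any DER certificate read from a file; the two sample certificates built by `make_sample_cert` are constructed skeletons for this example only (placeholder tbsCertificate and signature) and would not verify. The OID table holds the standard PKCS#1 and ANSI X9.62 signature identifiers.

```python
"""Classify an X.509 certificate's signature algorithm from its DER encoding.

Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
Only the outer structure is parsed; no signature verification is performed.
"""

# Standard signature-algorithm OIDs -> (hash name, human label).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5", "md5WithRSAEncryption"),
    "1.2.840.113549.1.1.5": ("sha1", "sha1WithRSAEncryption"),
    "1.2.840.113549.1.1.11": ("sha256", "sha256WithRSAEncryption"),
    "1.2.840.113549.1.1.12": ("sha384", "sha384WithRSAEncryption"),
    "1.2.840.113549.1.1.13": ("sha512", "sha512WithRSAEncryption"),
    "1.2.840.10045.4.1": ("sha1", "ecdsa-with-SHA1"),
    "1.2.840.10045.4.3.2": ("sha256", "ecdsa-with-SHA256"),
    "1.2.840.10045.4.3.3": ("sha384", "ecdsa-with-SHA384"),
    "1.2.840.10045.4.3.4": ("sha512", "ecdsa-with-SHA512"),
}
WEAK_HASHES = {"md5", "sha1"}  # collision-prone; should not sign certificates


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low bits give the number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes (base-128 arcs) to dotted form."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first, second = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(str(a) for a in [first, second] + arcs[1:])


def signature_algorithm(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, oid, _ = _read_tlv(alg_id, 0)       # its first element is the OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)


def classify(cert_der):
    """Map a DER certificate to {'oid', 'algorithm', 'weak'}."""
    oid = signature_algorithm(cert_der)
    hash_name, label = SIGNATURE_OIDS.get(oid, ("unknown", oid))
    return {"oid": oid, "algorithm": label, "weak": hash_name in WEAK_HASHES}


# --- Minimal DER encoder used only to build constructed sample certificates ---

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    out = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def make_sample_cert(sig_oid):
    """Constructed certificate skeleton (sample data, not a real certificate):
    placeholder tbsCertificate and signature, real AlgorithmIdentifier layout."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                     # just a serial number
    alg_id = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")   # OID + NULL params
    sig = _tlv(0x03, b"\x00" + bytes(32))                      # BIT STRING placeholder
    return _tlv(0x30, tbs + alg_id + sig)


if __name__ == "__main__":
    import sys
    certs = [open(p, "rb").read() for p in sys.argv[1:]] or [
        make_sample_cert("1.2.840.113549.1.1.5"),   # sha1WithRSAEncryption
        make_sample_cert("1.2.840.113549.1.1.11"),  # sha256WithRSAEncryption
    ]
    for c in certs:
        print(classify(c))
```

Run it with DER certificate paths as arguments to inventory real certificates, or with no arguments to see the two constructed samples classified. Certificates exported from Windows in PEM form need base64-decoding first; the parser deliberately avoids third-party dependencies so it can run on a host where nothing else is installed.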

"These issues are well understood and the use of SHA-1 certificates for specific purposes that require resistance against these attacks has been discouraged," Microsoft said in its latest advisory.

According to security forum reports, shortly after the update was released, some users were forced to recover servers using CD-ROMs, and the company suggested that users should uninstall the update.

SCMagazineUK.com notes that the patch was released earlier in the month alongside seven other patches - three of which were for zero-day flaws requiring urgent attention and therefore rated critical.

One of these updates was a fix for the Sandworm vulnerability that allows Russian criminals to potentially spy on Windows-driven systems.
 
"Microsoft is investigating behaviour associated with the installation of this update, and will update this bulletin when more information becomes available. Microsoft recommends that customers uninstall this update. As an added precaution, Microsoft has removed the download links to the 2982791 security update," says the advisory.

This isn't the first time that Microsoft has been embarrassed by a Patch Tuesday update - in August reports suggested that an update was causing a BSoD (Blue Screen of Death) for some Windows users.

Rob Bamforth, a principal analyst with Quocirca, said that the latest withdrawal of an update by Microsoft suggests that the company may be rushing through its security patches too rapidly.

"There may be a need for a two-pronged strategy with these updates, with a workaround initially being made available to counter any problems, and only issuing a patch when it has been thoroughly tested," he said, adding that this would allow large enterprises to deploy their software with a high degree of safety, certain that any updates would not cause problems.

"The pressure is clearly on Microsoft to solve its security patch issues, but if the prevention is worse than the cure, then Microsoft clearly needs to revisit the drawing board," he explained.

According to Bamforth, whilst large corporates may welcome a workaround fix followed by a full update some time later, it is also possible for SMEs to have a simple workflow process in place.

"The most common problem for SMEs is that, when the worst happens, no-one remembers how to solve the issue. SMEs can, for example, elect to have a buddy system with a nearby company of a similar size. That way, if their systems hit any problems, there is only a minimal chance they will be unable to solve the issue," he said.