Also of interest, said Storms, was what wasn't released this week.
For the second consecutive month, Microsoft pulled an update from the list it had released just five days before. This cycle it dropped an update that was to have patched Windows 2000 SP4 and all versions of Windows Server 2003. Last week, Storms speculated that the patch targets may indicate a vulnerability in a service run only on servers. "If that is in fact the case," he said, "then the fix is probably much more complicated and the vulnerability impacts more core code. That means Microsoft would expend much more quality assurance around it, which might explain the delay."
Although Microsoft did not notify users of its decision to yank a bulletin -- something it's done in the past, either by posting on the Microsoft Security Response Center blog or by revising the advance notification alert -- Symantec knew one was going to be spiked. In an alert issued last week to customers of its DeepSight threat network, Symantec said only six updates would be released this week.
Symantec declined to say how it knew of the decision, or whether it was given prior notice by Microsoft. Cross also had no comment when asked if IBM's X-Force knew beforehand that the seventh update had been withdrawn.
In a statement attributed to Mark Miller, director of security response communications at Microsoft, and forwarded to Computerworld by the company's public relations team, Microsoft said its policy is not to revise the advance notification when minor changes are involved. "When significant changes are made to the release, Microsoft will normally notify customers through a re-release of the [advanced notification] and all accompanying communications," Miller said.
Microsoft's monthly updates are available via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services (WSUS).