Microsoft Pulls Windows 2000 Server Patch, Plans Replacement7:14 PM EST Fri. Apr. 23, 2010
An out-of-band patch likely will be forthcoming next week after Microsoft yanked a security patch for Windows 2000 Server on Wednesday that it deemed ineffective at adequately addressing a security vulnerability.
The update, MS10-025, only affects Windows 2000 Server customers who installed Windows Media Services, according to a Microsoft blog.
"We pulled the update because we found it does not address the underlying issue effectively. We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week," said Jerry Bryant, Microsoft group manager for response communications in a blog post.
Security experts say that users will almost definitely have to apply, or re-apply, an out of band patch in the near future.
"You will need to reapply this bulletin to any machine that you have already patched in your April patch Tuesday cycle," said Jason Miller, data and security team manager for Shavlik Technologies, in a statement.
Bryant advised users to review the original bulletin for workarounds until a patch could be deployed, while suggesting that affected users running Windows Media Services use best firewall practices to reduce their risk of possible attack -- now that the patch doesn't actually work.
There is some good news, however, in that thus far no one has seen exploit code loose in the wild.
"The good news is that Microsoft has not been seeing any attacks on this vulnerability," Miller said. "And, the bulletin itself applies to a very small number of targets (in a typical organization). If the vulnerability does concern you or your organization, Microsoft has posted workarounds on the bulletin page to help mitigate the risk of this vulnerability."