The patch for Internet Explorer that Microsoft on Tuesday urged users to install as soon as possible was initially flawed, the company said Wednesday.
Several of the Internet Explorer updates initially provided via the Download Center were corrupted, Microsoft officials said, and couldn't be installed.
"The updates were corrupted, breaking the digital signatures," a member of the IE development team wrote on the browser's official blog on Tuesday. "We've identified the problem [and] removed the affected updates from the Download Center."
The broken signatures caused failures of both Systems Management Server (SMS) -- the enterprise management tool used to distribute new software and updates -- and individual Internet Explorer installations.
"If customers got the update from the Download Center in the first few hours after the 10 a.m. [PDT] release, then the update that was downloaded would not install," confirmed a Microsoft spokesperson Wednesday. "Microsoft immediately pulled the ability to get the updates from the Download Center, investigated the cause of the problem, and re-published the updates."
Only the update files posted on the Download Center -- which is where links in the individual security bulletins take users -- were affected, Microsoft said. "Automatic Update, Windows Update, Microsoft Update, and Windows Server Update Services (WSUS) were not affected," the company said in an explanation added to the MS05-038 bulletin Wednesday.
The glitch is an embarrassment for Microsoft. "I've never seen an update corrupted like this," said Mike Murray, the director of research at vulnerability management vendor nCircle. "We've had updates that were broken somehow or didn't work like they should, but not this."
Some users commenting on Microsoft's blog site took the company to task for the screw-up. Dominic White, a South African studying computer science at Rhodes University who has published papers on automated update technologies in general, and Microsoft's in particular, was one.
"What bothers me is the way this was described," wrote White. "'This only impacts users downloading via Download Center' [Microsoft said], but this is exactly what it would look like if someone had compromised the patches. Nobody seemed to think about the possibility of hacked patches and Microsoft didn’t have to say they weren’t hacked, just a bug.
"Frankly, patches are a sort of Holy Grail of malware distribution," White continued. "Imagine getting a piece of malware distributed via Microsoft Update. You would be able to infect thousands of machines and have administrator privileges. Digital signatures provide a way for us to know that the patches we are downloading are from who they say they are; if they are ignored the mechanism is pointless."
August's cumulative patch for Internet Explorer -- MS05-038 outlined three vulnerabilities, two of which were classified as "critical," Microsoft's highest warning -- was the third consecutive monthly IE patch, the fourth fix in the last five months, and the fifth in the last seven.
The most serious of the three bugs in IE is in how the browser processes JPEG image files, one of the most common formats used on Web sites. An attacker could exploit the vulnerability by including a malicious JPEG image on a Web site, then enticing users to that URL, or by attaching the JPEG to an e-mail and getting the recipient to open the file.
Other flaws identified by Microsoft on Tuesday included a new cross-domain scripting bug and one in how IE instantiates COM Objects that aren't intended to be used in the browser. The first was judged by Microsoft to be only a moderate threat, while the second was labeled "critical," like the JPEG flaw.
The JPEG bug is the one most users can relate to, said Oliver Friedrichs, the senior manager of Symantec’s security response team, on Wednesday. "That's because they've seen these kinds of image problems in browsers in the past," Friedrichs said.
"But the other two IE vulnerabilities are just as severe. Together, they make the IE bugs the top threats."
Friedrichs labeled MS05-038 as the most significant of Tuesday's six bulletins by virtue of the fact that its vulnerabilities affect Windows XP SP2, the most secure of Microsoft's Windows editions. "The other critical vulnerabilities really don't apply to XP SP2," noted Friedrichs. "For the most part, you're protected against the others if you're running SP2."