I wanted to give customers an update on the status of MS10-025. First, I want to reiterate that this issue affects only Windows 2000 Servers in a non-default configuration: Windows Media Services needs to be installed. Customers who do not have Windows Media Services installed are not affected and were not offered this update.

Shortly after we released the update we received several reports that it did not protect against the vulnerability reported to us. At that time, we pulled the update and notified customers. The main reason for pulling the update was to save a reboot for customers who had not yet installed it. The original issue was missed due to focusing on a variant of the original report early in the investigation. We are addressing this issue and plan to re-release the update next week.

Once we are sure of the exact day the update will be ready for re-release, we will post that information to our Twitter account: @MSFTSecResponse. This will go out as a major revision to the bulletin so there will be no advance notification mailer going out but those who have subscribed to our comprehensive notification service will receive an email when it is released. Subscribe here.

In the meantime, we continue to encourage customers who have Windows Media Services installed on Windows 2000 Server to review the mitigations and workarounds in the bulletin and to apply firewall best practices to reduce exposure.

Thanks,

Jerry Bryant
Group Manager, Response Communications

*This posting is provided "AS IS" with no warranties, and confers no rights*