A glitch in the software that most midsize and large businesses use to update their Microsoft applications and operating systems has some administrators scrambling a day before Patch Tuesday.
If the problem in Windows Server Update Services (WSUS) is not fixed, administrators will not be able to download and deploy the vulnerability patches and other nonsecurity updates Microsoft has planned for Tuesday, said Andrew Storms, director of security operations at security tools vendor nCircle Inc. "It appears that anybody who synced WSUS [with Microsoft's Windows Update servers] today or yesterday is essentially DOA," he said. The default WSUS setting is to sync daily.
WSUS users began reporting the error this morning when they first accessed the WSUS console. According to those reports, the error read, "The WSUS administration console has encountered an unexpected error."
"WSUS was working without any problems before the weekend, nothing has changed on the server," said a user identified as Drobb on a forum hosted by a third-party site dedicated to the update management software.
"Any time I try to access the product list, through Products and Classification under Options or through a new update view, [WSUS] errors out," added Dirkle, another user on the same thread. "There is a message on the main screen that 5 new products have been added in the last 30 days. Could it be a possible issue with one of the new products they added to WSUS?"
Storms agreed that was the most likely explanation. "The crux of the problem looks like it's connected to a product code-named Nitrogen," he said. In the product database used by WSUS, however, the code name is enclosed in double quotes, the mistake that generated the error. "That's SQL Server 101," Storm said. "How that ever got through Microsoft's [quality assurance testing] is a real worry."
Microsoft did not respond to a request for comment.
The SANS Institute's Internet Storm Center, which also noted that it had received accounts of the WSUS error, pointed out that at least one administrator had posted a work-around that deleted the extraneous quotation marks. The fix, however, requires the user to issue several lengthy commands in Microsoft's free-to-download SQL Server Management Studio Express.
"This is a security issue," Storms said. "Without WSUS, [administrators] won't be able to deploy the patches tomorrow. I'm a little surprised that [the Microsoft Security Response Center] hasn't said something about this."