The company became aware of the problem after several customers who applied the patch, released Monday, complained that their updated Windows 2000 system wouldn't run, said Iain Mulholland, program manager for the Microsoft Security Response Centre.
"We would have probably caught it if we had a longer testing period," he said. But he stressed that because an attacker had already used the vulnerability to compromise a customer's system, Microsoft had rushed to send the patch out.
The original flaw fixed by the patch occurs in Windows 2000 systems running Microsoft's Internet Information Service Server 5.0. The flaw allows an attacker to punch through the security of an unpatched system and take control of the computer. Tuesday night, the U.S. Army acknowledged that the computer that had been compromised a week before had been a public military server.
The problematic patch is not the first black eye that Microsoft has received in fixing a bug. Nearly two years ago, the software giant had to release a fix for its Exchange groupware server three times to get the update right.
This time around the flawed fix doesn't seem so dire. The software conflict only affects Microsoft customers who receive Premiere support and applied quick-fix engineering patches to Windows 2000 Service Pack 2 between December 2001 and February 2002, Mulholland said. Computers running Windows 2000 Service Pack 3 should not have any issues, he added.
In an updated advisory, Microsoft spells out how to check if a Windows 2000 system may have a problem with the patch. The revised advisory can be found on Microsoft's site.
Customers who do have an issue should contact Microsoft Product Support, Mulholland said.
