Fake security update targets Windows users
Written by John P Mello Jr on December 14, 2009
A Microsoft-branded bulletin is offering bogus security updates.
A bane of Microsoft Windows users is the constant patching of the operating system to deal with security vulnerabilities. These frequent events are irritating not only because they disrupt productivity (they often require a reboot once installed) but because a user never knows how Windows will behave after it has been patched.
More often than not, a patch won’t disrupt the operation of a system, but once users have been burned by an update, they stay on tenterhooks every time they install one. A case in point: the recent flap over the “black screen of death” falsely attributed to November’s “Patch Tuesday.” Although the reports were incorrect, they were given immediate credibility because many Windows users have experienced problems after installing patches in the past, so it was perfectly believable that the latest batch had created unforeseen headaches.
It turns out, though, that the constant patching of Windows is not only an irritant to users, but an opportunity for Black Hats, as the bogus security bulletin making the inbox rounds last week illustrates. The bulletin looked like this:
“Dear Microsoft Customer,
“Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista and Microsoft Windows 7.
“Please notice, that was one update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.
“Since public distribution of this Update through the official website http://www.miciosoft.com would have resulted in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.
“As your computer is set to receive notifications when new updates are available, you have received this notice.
“In order to start the update, please follow the step-by-step instructions:
1. Run the file, that you would have received along with this message KB958644-ENU
2. Carefully follow all the instructions you see on the screen.
“If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.
“We apologize for any inconvenience this back order may be causing you.”
The bulletin purports to come from Steve Lipner, Microsoft’s Director of Security Assurance. Lipner is a prominent figure in Microsoft’s Security Development Lifecycle (SDL) and is considered by some to be one of the main reasons for the noticeable decrease in vulnerabilities discovered in the company’s products.
One need not have the powers of observation of a Sherlock Holmes to see that something isn’t quite right with the so-called bulletin.
Although the English in the alert is pretty good for someone who is a non-native speaker, it’s fractured enough to raise suspicions.
Not only is Millennium misspelled, but since that version of Windows has been unsupported since 2006, it’s unlikely that Microsoft would be updating it.
Anyone familiar with Microsoft’s patching procedure knows the company doesn’t attach executable files to emails sent to its users: updates are delivered through Windows Update and the Download Center, and genuine update packages carry a Microsoft Authenticode signature. The link in the message points at miciosoft.com, a one-letter lookalike of microsoft.com. And a real Knowledge Base number can be checked against Microsoft’s own site: KB958644 is the number of the October 2008 bulletin MS08-067, not a new update for December 2009.
Finally, Microsoft never apologizes for any inconvenience its patches may cause a user.
Nevertheless, those red flags might be overlooked by less experienced Windows users or those who scan their emails for gist rather than grit.
When a user runs the executable file attached to the bulletin, it downloads a Delphi executable with a custom packer. The executable is a knockoff of one circulating in the wild in October 2008. Apparently it isn’t a very good knockoff either because, according to one security expert, it crashes when it tries to run.
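The red flags above (a lookalike sender or link domain, and an executable attachment) are mechanical enough to check automatically at the mail gateway or on the desktop. The following is an added example, not code from the original article or from any Microsoft tool. It builds a constructed sample message modelled on the bogus bulletin (the attachment name KB958644-ENU.exe and the sender address are assumptions; the article gives no extension or sender address) and then scans it. Lookalike detection here is a plain edit-distance comparison against a short allow-list, which is also an assumption chosen for illustration; a production filter would use a larger list and handle Unicode homoglyphs as well.

```python
"""Scan an e-mail for the fake-update red flags: lookalike domains and executable attachments."""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Assumed allow-list of domains the filter treats as genuine Microsoft update sources.
LEGITIMATE_DOMAINS = ("microsoft.com", "windowsupdate.com")
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".msi"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Reduce a host name to its last two labels (www.miciosoft.com -> miciosoft.com)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike(host: str):
    """Return the legitimate domain this host imitates (distance <= 1), or None."""
    dom = registrable(host)
    if dom in LEGITIMATE_DOMAINS:
        return None
    for legit in LEGITIMATE_DOMAINS:
        if edit_distance(dom, legit) <= 1:
            return legit
    return None


def scan_message(raw: bytes) -> list:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender domain that is one edit away from a genuine one.
    m = re.search(r"@([A-Za-z0-9.-]+)", str(msg.get("From", "")))
    if m and lookalike(m.group(1)):
        findings.append(f"sender domain {m.group(1)} imitates {lookalike(m.group(1))}")

    # 2. Links in the body whose host imitates a genuine domain.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in sorted(set(re.findall(r"https?://([A-Za-z0-9.-]+)", text))):
        if lookalike(host):
            findings.append(f"link host {host} imitates {lookalike(host)}")

    # 3. Attachments that are executables by extension or by the PE "MZ" header,
    #    so a renamed .exe is still caught.
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS or data[:2] == b"MZ":
            findings.append(f"executable attachment {name}")
    return findings


def build_sample() -> bytes:
    """Constructed sample modelled on the bogus bulletin (sender and file name are assumptions)."""
    msg = EmailMessage()
    msg["From"] = "Steve Lipner <security@miciosoft.com>"
    msg["To"] = "customer@example.net"
    msg["Subject"] = "Security Update for OS Microsoft Windows"
    msg.set_content("Please run the attached update. Details: http://www.miciosoft.com/update")
    # A stub "executable": just the MZ magic, enough to trip the header check.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="KB958644-ENU.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print("FLAG:", finding)
```

Running the script prints three flags for the sample: the sender domain, the link host, and the attachment. Any one of them is enough to quarantine the message; a genuine Microsoft notice would trip none.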
Attempts to exploit Microsoft’s updating process aren’t anything new. This summer a raft of spam bulletins appeared under the guise of updating Outlook and Outlook Express, as well as offering a tool for scanning computers for the Conficker worm. The phony bulletins contained attachments that, if double-clicked, installed Trojans on the machines they targeted.
No matter who appears to have sent an email message to you, security experts warn, it’s never a good idea to open attachments or follow links from inside a message. If a notice claims an update is available, get it from Windows Update or by typing the vendor’s address into the browser yourself.