Each month, there is a clearly defined process Microsoft uses to release security patches to fix flaws in Windows and its other products. On a Thursday, Microsoft releases an advance notification, listing the software affected by the upcoming patches and the type of threat fixed, such as “elevation of privilege” or “remote code execution.” But no specific details are released until the following Tuesday, the second Tuesday of each month, when the full security bulletins and accompanying patches are made public.

But this month, the process went awry. The vague advance notification went out as scheduled yesterday. But today, the full security bulletins went live, four days before their scheduled release.

We were able to view two of the five security bulletins before Microsoft unpublished them. Given that the security bulletins were unpublished within an hour of their release, give or take, and that they were dated “Tuesday, September 13, 2011” during the brief time they were live, it seems pretty clear someone at Redmond screwed up.

It could be risky if the information on the security flaws is widely distributed several days before the patches. Normally, the patch code wouldn’t be released until Tuesday, but we’ve asked Microsoft this morning whether the actual patches will be released today instead. We’ll provide an update if we hear back.

The Patch Tuesday process itself has led to the notion of “Exploit Wednesday.” Once the patch code is live, the hypothesis goes, hackers can compare patched systems to unpatched systems and develop attacks for use against businesses that don’t deploy their patches right away. Whether this actually happens much or at all isn't so clear, and this case is different because the patch code apparently isn’t out yet. One security vendor tells us today's mistake probably won't lead to any attacks, but the security bulletins that were temporarily on Microsoft’s website did provide plenty of information.

Security bulletin MS11-070, one of the bulletins that Microsoft hastily deleted from its website, concerns “a privately reported vulnerability in the Windows Internet Name Service,” which “could allow elevation of privilege if a user received a specially crafted WINS replication packet on an affected system running the WINS service,” according to the now-deleted bulletin.

“An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability,” Microsoft further says, perhaps explaining why this security bulletin was rated “important,” rather than “critical,” the most severe rating.

The vulnerability affects numerous versions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.

The other security bulletin we were able to view was MS11-071, regarding a publicly disclosed vulnerability in Windows.

“The vulnerability could allow remote code execution if a user opens a legitimate rich text format file (.rtf), text file (.txt), or Word document (.doc) that is located in the same network directory as a specially crafted dynamic link library (DLL) file,” Microsoft wrote in the now-deleted bulletin. “An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

This vulnerability was also rated important and affects Windows XP, Vista and Windows 7 as well as Windows Server 2003, Server 2008, and Server 2008 R2.

Despite the mistaken early release, there may be little reason to worry. Wolfgang Kandek, CTO at security vendor Qualys, tells Ars, “While the information is interesting and certainly helpful for us (it makes life somewhat easier for our QA lab), I don't believe there is any heightened security risk with the early exposure. If the patches (i.e., the binaries) themselves had been revealed then indeed it would give attackers a 4-day head start.”

Overall, this month's Patch Tuesday includes five patches, fixing 15 flaws. Patch Tuesday regulars Windows and Office are both going to receive patches, and this month also includes fixes for SharePoint 2007 and 2010. Unusually, not one of the flaws has received a critical rating; all are ranked as important. One of the five will need a reboot.

The list with very few details can still be found on Microsoft’s advance notification page, as is normal. And the Internet Storm Center has posted a recap of the patches, although if you follow the links in the post you will see they now lead to “page not found” errors. As it happens, the Internet Storm Center believes this month’s patches are more serious than Microsoft lets on. The group rates three of the five as critical, including MS11-071.

Update: Microsoft contacted us with the following statement, attributed to Trustworthy Computing director Dave Forstrom: “Microsoft inadvertently displayed draft text of September’s bulletin summary, five bulletins, and a security advisory update intended for release on Tuesday, Sept. 13. The draft text was removed as soon as the issue was discovered. We are not aware of any customer impact and are monitoring the issue.”