News
News
10/17/2005
06:17 PM
Connect Directly
RSS
E-Mail
50%
50%

Microsoft's Latest Critical Fixes Include Buggy Windows Patch

Microsoft says customers reported a wide variety of strange behaviors after installing one of three patches released last week. It's the second time in three months Microsoft released a buggy patch for problems it deemed "critical."

For the second time in three months, Microsoft has released a buggy patch for problems it had deemed to be "critical."

Messages on Microsoft's newsgroups about problems began accumulating as early as Wednesday Oct. 12, within 24 hours of the patches' debut. Late Friday, Microsoft acknowledged the buggy patch in one of its infrequent security advisories, and said that customers had reported a wide variety of strange behaviors after installing one of the three critical patches released that week.

In a more detailed Knowledgebase document on its support site, Microsoft noted that the problems affect users who have changed the default permission settings of the COM+ catalog, which are files located in the %windir%\registration folder. Users who have modified the COM+ settings reported all kinds of oddities, ranging from the Windows Firewall not starting to users seeing a blank screen after installing the patch.

"Yes we are aware of some of the information floating around about problems after installing the MS05-051 update on Windows 2000 systems," wrote Mike Reavey of the Microsoft Security Response Center on the MSRC's blog.

Actually, the problems affect more than Windows 2000. By Microsoft's own accounting, the strange behaviors can occur on Windows 2000 Server, Windows XP, or Windows Server 2003.

To fix the problems produced by the patch, users must restore the default permissions to the COM+ catalog. Microsoft spelled out how to do this, and offered a pair of commands for the Cacls.exe command line utility to automate the restoration.

The buggy patch was not only one of several critical fixes deployed last week by Microsoft in its scheduled release for October, but was deemed the most dire by several security analysts. They believed that one of the four vulnerabilities plugged by the patch could be easily exploited by hackers, especially on Windows 2000 machines, and would might result in a worm within days.

So far, however, no exploit has been known to surface publicly, although several have been created and disseminated by commercial vulnerability and exploit researchers to their customers.

While Microsoft stressed that only a small number of users were directly affected by the flawed fix -- Reavey wrote "this situation is fairly limited in the number of customers who have reported it" -- the news of another problematic patch may stop some from installing it.

That could spell trouble, reported Netcraft, a U.K.-based Web performance vendor. Almost 1 in every 5 Fortune 100 companies serve their corporate Web sites from Windows 2000 systems, noted Netcraft.

Earlier last week, talk of exploits caused Stephen Toulouse, who heads the MSRC, to recommend that users of older OSes, Windows 2000 in particular, were especially vulnerable, and needed to patch pronto.

"If you are running the older versions of the operating systems, like Windows 2000, we strongly urge you to deploy the critical updates for that platform, like MS05-051, as soon as possible!"

According to AssetMetrix, a Canadian-based asset monitoring software developer, nearly half of U.S. business still run Windows 2000-powered PCs.

The problems with the MS05-051 bulletin are the second such episode in the past three months. In August, Microsoft released a corrupted patch for Internet Explorer, and had to re-issue the fixes.

Also last week, talk surfaced among users on Microsoft's newsgroups that another critical patch, MS05-052, a cumulative fix for Internet Explorer, was causing trouble. Microsoft said it was investigating those claims, but so far has produced no advisory or additional information.

Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - August 27, 2014
Who wins in cloud price wars? Short answer: not IT. Enterprises don't want bare-bones IaaS. Providers must focus on support, not undercutting rivals.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.