Microsoft's Latest Critical Fixes Include Buggy Windows Patch - InformationWeek
06:17 PM

Microsoft's Latest Critical Fixes Include Buggy Windows Patch

Microsoft says customers reported a wide variety of strange behaviors after installing one of three patches released last week. It's the second time in three months Microsoft released a buggy patch for problems it deemed "critical."

For the second time in three months, Microsoft has released a buggy patch for problems it had deemed to be "critical."

Messages on Microsoft's newsgroups about problems began accumulating as early as Wednesday Oct. 12, within 24 hours of the patches' debut. Late Friday, Microsoft acknowledged the buggy patch in one of its infrequent security advisories, and said that customers had reported a wide variety of strange behaviors after installing one of the three critical patches released that week.

In a more detailed Knowledgebase document on its support site, Microsoft noted that the problems affect users who have changed the default permission settings of the COM+ catalog, which are files located in the %windir%\registration folder. Users who have modified the COM+ settings reported all kinds of oddities, ranging from the Windows Firewall not starting to users seeing a blank screen after installing the patch.

"Yes we are aware of some of the information floating around about problems after installing the MS05-051 update on Windows 2000 systems," wrote Mike Reavey of the Microsoft Security Response Center on the MSRC's blog.

Actually, the problems affect more than Windows 2000. By Microsoft's own accounting, the strange behaviors can occur on Windows 2000 Server, Windows XP, or Windows Server 2003.

To fix the problems produced by the patch, users must restore the default permissions to the COM+ catalog. Microsoft spelled out how to do this, and offered a pair of commands for the Cacls.exe command line utility to automate the restoration.

The buggy patch was not only one of several critical fixes deployed last week by Microsoft in its scheduled release for October, but was deemed the most dire by several security analysts. They believed that one of the four vulnerabilities plugged by the patch could be easily exploited by hackers, especially on Windows 2000 machines, and would might result in a worm within days.

So far, however, no exploit has been known to surface publicly, although several have been created and disseminated by commercial vulnerability and exploit researchers to their customers.

While Microsoft stressed that only a small number of users were directly affected by the flawed fix -- Reavey wrote "this situation is fairly limited in the number of customers who have reported it" -- the news of another problematic patch may stop some from installing it.

That could spell trouble, reported Netcraft, a U.K.-based Web performance vendor. Almost 1 in every 5 Fortune 100 companies serve their corporate Web sites from Windows 2000 systems, noted Netcraft.

Earlier last week, talk of exploits caused Stephen Toulouse, who heads the MSRC, to recommend that users of older OSes, Windows 2000 in particular, were especially vulnerable, and needed to patch pronto.

"If you are running the older versions of the operating systems, like Windows 2000, we strongly urge you to deploy the critical updates for that platform, like MS05-051, as soon as possible!"

According to AssetMetrix, a Canadian-based asset monitoring software developer, nearly half of U.S. business still run Windows 2000-powered PCs.

The problems with the MS05-051 bulletin are the second such episode in the past three months. In August, Microsoft released a corrupted patch for Internet Explorer, and had to re-issue the fixes.

Also last week, talk surfaced among users on Microsoft's newsgroups that another critical patch, MS05-052, a cumulative fix for Internet Explorer, was causing trouble. Microsoft said it was investigating those claims, but so far has produced no advisory or additional information.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
2017 State of IT Report
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends for 2018
As we enter a new year of technology planning, find out about the hot technologies organizations are using to advance their businesses and where the experts say IT is heading.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll