October's security patch problems

Keith Langmead

I've seen several comments on here from various people having problems with
the latest round of security patches, but as yet I haven't seen anything to
indicate that MS are aware of any problems or if they are doing anything to
resolve them.

Does anyone know anything about this, and what is happening with it? With
the range and type of problems I've seen reported, I'm hesitant to install
the patches on our servers, in case we have the same problems.

Keith
 
GA

I think you will get a number of reported problems with every patch
Microsoft has ever released. Some patches seem to cause more problems for
more people. It often depends on certain specific configurations. For
example, if you have Windows 2000 SP2 with Office 97 and IE 6.0, you may
experience problem "X" but ONLY if you have that configuration.

It is not wise to just not install a patch because you are afraid it might
cause problems. Use a test system instead and make sure it will work for
your own situation before rolling it out to a production environment. As we
have seen recently, ignoring a patch could quickly invite a worm into your
network.

And as for your production servers, if you have a backout plan, installing
patches isn't so scary.
 
JerryH

Yes, there is a bug in the version of the update.exe file that is included
in the latest patch packages. This has been "unofficially" acknowledged by
Microsoft.

The problem relates to the method used to try to replace system files that
are in use without requiring a reboot. If the user who is installing the
patch has the debug right, the patch is able to be installed without a
reboot. By default, only Local System and members of the Administrators
group have the debug right. If a user without the debug right tries to
install one of these patches, update.exe sometimes fails when checking if
the right is effective and enters an infinite loop and can potentially
damage system files so that the computer cannot boot up properly.

Don't hold your breath waiting for an official acknowledgement. Do expect
the 10/15 patches to be reissued at some point, although it's anybody's
guess when this might happen.

While the problem can be avoided by giving everyone the debug right, this is
a dangerous practice, for reasons that should be obvious.

Another workaround is to extract the files from the patch packages, replace
the update.exe file with one from an earlier patch for the same operating
system (but not too much earlier - it should at least be from one with the
same SP version, e.g. preSP5 for Windows 2000), and use that to install the
patch.

It is safer to implement the recommended workarounds for the critical
vulnerabilities until the patches are reissued. Disable the Messenger
service and set the security in the Intranet Zone to high, and you should be
safe from any exploits targeting these vulnerabilities.
 
JerryH

As a follow-up to my own post, Microsoft tonight reissued all the 10/15 OS
patches, as well as some previous patches. Lots of information to digest,
but it seems to verify everything I said earlier.


JerryH said:
Yes, there is a bug in the version of the update.exe file that is included
in the latest patch packages. This has been "unofficially" acknowledged by
Microsoft.
<snip>
 
