Microsoft’s latest series of patches is brewing trouble for some customers.
While the MS06-015 patch was designed to fix a flaw in Windows Explorer, it is also causing plenty of problems for people who use Hewlett-Packard printers, scanners and digital cameras. Those who use Sunbelt Software’s Kerio Personal Firewall are also experiencing difficulties as the patch causes issues with Windows’ performance.
It may seem that these types of conflicts between security patches and third-party software are common, but it’s really a testament to Microsoft that we don’t see more conflicts like this considering the thousands of applications that run on Windows, according to Alan Shimel, chief strategy officer at StillSecure.
“The breakdown in patch deployments, like we’re seeing with HP as well as with other vendors like Siebel, reinforces why it is imperative for companies to conduct their own testing before blindly rolling out patches,” Shimel remarked.
There are many “symptoms” to the problem, as Microsoft calls them in its update. Customers may not be able to access special folders, like My Documents or My Pictures. Microsoft Office applications may stop responding when you attempt to save or open Office files in the My Documents folder. Typing an address into the Internet Explorer’s address bar has no effect, nor does right-clicking on a file and selecting “Send To.”
Other symptoms include an inability to open Office files from the My Documents folder in Office. Customers who open a file through an application’s File/Open menu will find that the program stops responding. Clicking on the plus sign beside a folder in Windows Explorer has no effect, and some third-party applications stop responding when opening or saving data in the My Documents folder.
“I’m sure it’s a pain for HP customers to go through this breakdown in patching processes and they may even feel that patching causes more headaches than not patching in the first place,” Shimel noted. “However, Microsoft has made some big strides in security the past couple of years and the industry shouldn’t jump down its throat just because there are a few ‘not-so-smooth’ examples in the market.”
The Root of the Problem
The problem is that the MS06-015 security update package installs a new library, VERCLSID.EXE, which validates shell extensions before they are instantiated by the Windows Shell or Windows Explorer. On some computers, VERCLSID.EXE stops responding.
The solution is a listing decision. The MS06-015 security update includes a “white list.” VERCLSID.EXE will not scan any extension that appears on this list. Customers would log on to the computer with administrator privileges to add the programs to the white list.
Testing, Testing, Testing
These instances provide a great lesson in the importance of conducting quality assurance testing before applying patches, Shimel said. Perhaps more throbbing for enterprise businesses is the breakdown in Siebel software that one of the fixes within the last round of Microsoft patches caused. The specific fix changed the way Internet Explorer handles Active-X controls, causing the failure in Siebel client software.
“Companies should absolutely test patches for compatibility before releasing them. Most large corporations do test before rolling out patches, but the reason the HP patch is such a big deal is because their software is primarily aimed at consumers who aren’t as as knowledgeable about security,” Shimel said. “Individual consumers, in most cases, do not have the know-how or personnel to test the patches before deploying them. They rely on Microsoft to do the testing for them and when there’s a breakdown in the process it causes a wave of problems.”